The Good | Authorities Jail WiFi Hacker, Seize €1.3B Crypto Mixer & Charge Two Malicious Insiders

An Australian national has received just over seven years in prison for running “evil twin” WiFi networks on various flights and airports to steal travelers’ data. Using a ‘WiFi Pineapple’ device as an access point, he cloned legitimate airport SSIDs. Users were then redirected to phishing sites where he harvested their credentials, which were exploited to access women’s accounts and obtain intimate content. Investigators found thousands of images, stolen credentials, and fraudulent WiFi pages. The individual has since pleaded guilty to multiple cybercrime, theft, and evidence-destruction charges.

In Europe, Swiss and German authorities have dismantled the Cryptomixer service, which allegedly laundered over €1.3 billion in Bitcoin since 2016. As part of Operation Olympia, officials seized three servers, 12 TB of data, Tor .onion domains, and €24 million in Bitcoin, with support from Europol and Eurojust. Cryptomixer, accessible on both the clear and dark web as a hybrid mixing service, obscured blockchain transactions for ransomware operators, dark markets, and a variety of criminal groups.

U.S. prosecutors have charged Virginia twin brothers for allegedly conspiring to steal sensitive government data and destroy databases after being fired as federal contractors. Previously sentenced in 2015 for unauthorized access to State Department systems, they returned to contracting roles before facing these latest indictments for fraud, identity theft, and record destruction. The Justice Department says one brother deleted 96 government databases in February 2025, stole IRS and EEOC data, and abused AI for guidance on how to hide evidence. Both men now face lengthy federal penalties if convicted.

The Bad | Investigation Exposes Contagious Interview Remote Worker & Identity Theft Scheme

In a collaborative investigation, researchers have exposed a persistent North Korean infiltration scheme linked to Operation Contagious Interview (aka UNC5267). The researchers observed in real time adversary operators using sandboxed laptops, revealing tactics designed to embed North Korean IT workers in Western companies, especially those within STEM and finance industries.

Livestreaming from a #Lazarus laptop farm.

For the first time ever, we recorded DPRK’s Famous Chollima full attack cycle: interviews, internal chats, every tool they use and every single click they made. Get ready for tons of raw footage.

Full article via ANYRUN. pic.twitter.com/2fyTn3zLI6

— Mauro Eldritch (@MauroEldritch) December 4, 2025

The operation began when a researcher posed as a U.S. developer targeted by a Contagious Interview recruiter. The attacker attempted to hire the fake developer, requesting full access to their SSN, ID, Gmail, LinkedIn, and 24/7 laptop availability. Virtual machines mimicking real developer laptops where deployed, allowing the researchers to monitor every action without alerting the operators.

The sandbox sessions showed a lightweight but effective toolkit focused on identity theft and remote access rather than malware deployment. Operators were also seen using AI-driven job tools to auto-fill applications and generate interview answers, browser-based OTP generators to bypass MFA, and Google Remote Desktop for persistent control. Reconnaissance commands validated the environment, while connections routed through Astrill VPN matched known Contagious Interview infrastructure. In one session, an operator explicitly requested ID, SSN, and banking details, confirming the goal of full identity and workstation takeover.

The investigation highlights remote hiring as a quiet yet reliable entry point for identity-based attacks. Once inside, attackers can access sensitive dashboards, critical business data, and manager-level accounts. Companies can reduce risk by raising internal awareness and providing safe channels for employees to report suspicious requests, helping prevent infiltration before it escalates into internal compromise.

The Ugly | Researchers Warn of Critical React2Shell RCE Vulnerability in React and Next.js

A critical remote code execution (RCE) vulnerability, dubbed ‘React2Shell’, affecting React Server Components (RSC) and Next.js, is allowing unauthenticated attackers to perform server-side code via malicious HTTP requests.

Discovered by Lachlan Davidson, the flaw stems from insecure deserialization in the RSC ‘Flight’ protocol and impacts packages including react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Versions affected include React 19.0 to 19.2.0 and Next.js experimental canary releases 14.3.0 to 16.x below patched versions. Exploitation is highly reliable, even in default deployments, and a single request can compromise the full Node.js process.

The flaw is being tracked as CVE-2025-55182. The technically correct CVE-2025-66478 has now been marked as a duplicate.

The vulnerability exists because RSC payloads are deserialized without proper validation, exposing server functions to attacker-controlled inputs. Modern frameworks often enable RSC by default, leaving developers unknowingly exposed. Fixes are available in React React 19.0, 19.1.0, 19.1.1, and 19.2.0, and Next.js 15.0.5–16.0.7. Administrators are urged to audit environments and update affected packages immediately.

Security researchers warn that cloud environments and server-side applications using default React or Next.js builds are particularly at risk. Exploitation could allow attackers to gain full control over servers, access sensitive data, and compromise application functionality. Reports have already emerged of China-nexus threat groups “racing to weaponize” the flaw.

China-nexus cyber threat groups rapidly exploit React2Shell vulnerability (CVE-2025-55182)
December 4, 2025, Amazon Web Services
aws.amazon.com/blogs/securi…
@awscloud.bsky.social

[image or embed]

— 780th Military Intelligence Brigade (Cyber) (@780thmibdecyber.bsky.social) 5 December 2025 at 11:32

Companies are advised to review deployments, restrict unnecessary server-side exposure, and monitor logs for anomalous RSC requests. Securing default configurations, validating deserialized input, and maintaining a regular patch management schedule can prevent attackers from exploiting framework-level vulnerabilities in production applications. SentinelOne’s blog post on the React2Shell RCE flaw can be found here.

The Good | Poland Detains Russian Hacker Amid Rising Moscow-Linked Sabotage

Poland’s Central Bureau for Combating Cybercrime (CBZC) has arrested a Russian national in Kraków on suspicion of breaching the IT systems of local companies, marking the latest incident tied to what Warsaw describes as Russia’s expanding sabotage and espionage campaign across Europe. According to Polish Interior Minister Marcin Kierwiński, the suspect allegedly compromised corporate-level security defenses to access and manipulate company databases in ways that could have disrupted operations and endangered customers.

Investigators say the man illegally entered Poland in 2022 and later obtained refugee status. He was detained on November 16 by Polish authorities and has since been interrogated, charged, and placed in three months of pre-trial custody. Authorities also believe he may be connected to additional cyberattacks affecting firms in Poland and other EU states, and they are still determining the full scope of the damage.

The arrest comes amid heightened concern over Russian hybrid warfare since Moscow’s invasion of Ukraine in 2022. Poland has linked recent incidents, including sabotage of a railway line and a fire at a major shopping mall, to Russian intelligence activities. The country has shut down all Russian consulates following the events.

EU officials warn that cyberattacks against regional companies and institutions have surged, with many attributed to GRU-backed actors. Other recent disruptions have included payment service outages and leaks of customer data from Polish firms. In response, Polish Digital Affairs Minister Krzysztof Gawkowski plans to invest a record €930 million on bolstering the county’s cybersecurity, underscoring what authorities describe as the urgent need for stronger corporate defenses and deeper international cooperation against increasingly aggressive cyber threats.

The Bad | FBI Warns of Banking Fraud & Account Takeover Schemes Ahead of Holidays

The FBI has issued a PSA about a sharp rise in account takeover (ATO) fraud, with cybercriminals impersonating financial institutions to steal more than $262 million since January 2025. The agency’s Internet Crime Complaint Center (IC3) has received over 5,100 reports this year from victims across individuals, businesses, and organizations across every sector.

The schemes start off with deceiving victims through texts, calls, and emails, posing as bank staff or customer support. They trick targets into revealing their login credentials, multi-factor authentication (MFA) codes, or one-time passcodes (OTPs). Criminals have also been luring victims onto phishing websites engineered to mimic legitimate banking or payroll sites, sometimes boosted through SEO poisoning to appear at the top of search results.

Once inside the victim’s account, fraudsters reset passwords, lock out the rightful owners, and quickly transfer funds into crypto-linked accounts, which makes recovery extremely difficult. Some victims report being manipulated with fabricated claims of fraudulent purchases, or even firearm transactions to incite panic, before being redirected to a second scammer impersonating law enforcement.

As we enter the holiday season, the FBI urges consumers and organizations to monitor their accounts closely, use strong unique passwords, enable MFA, verify URLs, and avoid visiting personal banking sites through search engine results. Victims should immediately contact their financial institutions to request recalls and provide indemnification documents, and then file detailed reports with IC3.

Officials and security experts stress that most ATO cases stem from compromised credentials. Stronger identity verification such as passwordless authentication and enabling manual verification steps remain basic security hygiene necessary for reducing these types of attacks.

The Ugly | OpenAI Alerts API Users After Mixpanel Breach Exposes Limited Data

OpenAI is alerting some ChatGPT API customers that limited personally identifiable information (PII) was exposed after its third-party analytics provider, Mixpanel, was breached. The compromise, stemming from an smishing campaign detected on November 8, affected “limited analytics data related to some users of the API”, but did not compromise ChatGPT or other OpenAI products.

While OpenAI confirmed that sensitive information such as credentials, API keys, requests, and usage data, payment and chat details, or government IDs remained secure, the exposed data may include usernames, email addresses, approximate user location, browser and operating system details, referring websites, and account or organization IDs.

OpenAI said users do not need to reset passwords or regenerate API keys. Some users have reported that CoinTracker, a cryptocurrency tracking platform, may also have been affected, with limited device metadata and transaction counts exposed.

Has @mixpanel not disclosed this breach? Sent from @CoinTracker. pic.twitter.com/xk9nmGVmfm

— Daniel Harrison (@danielh9277) November 27, 2025

OpenAI has begun an investigation, removed Mixpanel from production services, and is notifying affected users directly. The company warns that the leaked data could be used for phishing or social engineering attacks and advises users to verify any messages claiming to relate to the incident, enable MFA, and to never share account credentials via email, text, or chat.

Mixpanel, in turn, has responded to the incident by securing accounts, revoking active sessions, rotating compromised credentials, blocking the threat actor’s IPs, resetting employee passwords, and implementing new controls to prevent future incidents. The analytics firm also reached out to all impacted customers directly.

The incident highlights the risks posed by third-party service providers and the importance of awareness against phishing, even when no core systems or highly sensitive information are directly compromised.

The Good | Courts Prosecute DPRK Fraud, Ransomware Hosting & Crypto Mixer Ops

Five people have pleaded guilty to helping the DPRK run illicit revenue schemes involving remote IT worker fraud and cryptocurrency theft. The group enabled North Korean operatives to obtain U.S. jobs using false or stolen identities, generating over $2.2 million while impacting 136 companies. The DOJ is also seeking forfeiture of $15 million tied to APT38 cyber-heists. The defendants, Oleksandr Didenko, Erick Prince, Audricus Phagnasay, Jason Salazar, and Alexander Travis, admitted to stealing U.S. identities for overseas workers and laundering stolen funds.

In the U.S., U.K., and Australia, authorities have issued a coordinated sanction against Russian bulletproof hosting (BPH) providers that enable ransomware groups by leasing servers to support malware delivery, phishing attacks, and illicit content hosting. To help cybercriminals evade capture, BPH services ignore abuse reports and law enforcement takedowns. OFAC has sanctioned Media Land, its sister companies, and three executives all tied to LockBit, BlackSuit, Play, and other threat groups. Five Eyes agencies also released guidance to help ISPs detect and block malicious infrastructure used by BPH services.

Our joint guidance on bulletproof hosting providers highlights best practices to mitigate potential cybercriminal activity, including recommended actions that ISPs can implement to decrease the usefulness of BPH infrastructure. Learn more https://t.co/cGQpuLpBPP pic.twitter.com/tM55acfuQv

— CISA Cyber (@CISACyber) November 19, 2025

The founders of Samourai Wallet, a cryptocurrency mixing service, have been sentenced to prison for laundering over $237 million. Operating since 2015, Samourai used its ‘Whirlpool’ mixing system and ‘Ricochet’ multi-hop transactions to obscure Bitcoin flows. These features made tracing more difficult and enabled criminals involved in darknet markets, drug trafficking, and cybercrime to launder more than $2 billion. Authorities seized the platform, including its servers, domains, and mobile app, while the founders agreed to forfeit all traceable proceeds. CEO Keonne Rodriguez has received five years, while CTO William Lonergan Hill received four along with supervised release. The pair were ordered to pay fines of $250,000 each.

The Bad | DPRK Actors Build Fake Job Platform to Lure AI Talent & Push Malware

As part of their ongoing and evolving Contagious Interview campaign, DPRK-based threat actors have created a fake job platform designed to compromise legitimate job seekers, particularly in the AI research, software development, and cryptocurrency verticals. While earlier fraudulent IT-worker schemes relied on targeting individuals through phishing on social media platforms, the latest tactic weaponizes a fully functional hiring pipeline.

Researchers discovered the latest lure – a Next.js-based job portal hosted at lenvny[.]com, complete with dozens of fabricated AI and crypto-industry job listings. The listings mimic branding from major tech companies and feature a polished UI and full recruitment workflow that mirrors modern hiring systems, encouraging applicants to submit resumes and professional links before prompting them to record a video introduction.

This final step triggers the DPRK-favored ClickFix technique: When applicants copy the fake interview instructions, a hidden clipboard hijacker swaps their text with a multi-stage malware command. When pasted into a terminal, it downloads and executes staged payloads under the guise of a “driver update”, ultimately launching a VBScript-based loader. This design blends seamlessly with typical remote-work interview processes and dramatically increases the likelihood of accidental execution.

The platform also performs strategic filtering, attracting AI and crypto professionals specifically as their skills, network access, and workstation devices tend to align with DPRK’s intelligence and financial priorities including model-training infrastructure to crypto exchange systems. The campaign reflects significant maturation in DPRK social engineering tradecraft, pairing high-fidelity UI design with covert malware delivery. Job seekers are advised to verify domains, avoid off-platform hiring systems, and execute any requested code only in sandboxed environments.

The Ugly | Iran-Backed Actors Weaponize Cyber Recon to Power Real-World Attacks

Iranian-linked threat actors are using cyber operations to support real-world military activity, a pattern described by researchers as “cyber-enabled kinetic targeting”.

In the past, conventional security models separated cyber and physical domains – delineations that are proving artificial in today’s socioeconomic and political climate. Now, these are not just cyber incidents that cause physical impact, but rather coordinated campaigns upon which digital operations are built to advance military objectives.

One example involves Crimson Sandstorm (aka Tortoiseshell and TA456), a group tied to Iran’s Islamic Revolutionary Guard Corps (IRGC). Between December 2021 and January 2024, the group probed a ship’s Automatic Identification System (AIS) before expanding their operations to other maritime platforms. On January 27, 2024, the group searched for AIS location data on one particular shipping vessel. Days later, that same ship was targeted in an unsuccessful missile strike by Iranian-backed Houthi forces, which have mounted repeated missile attacks on commercial shipping in the Red Sea amid the Israel–Hamas conflict.

A second case highlights Mango Sandstorm (aka Seedworm and TA450), a group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). In May, the group set up infrastructure for cyber operations and gained access to compromised CCTV feeds in Jerusalem to gather real-time visual intelligence. Just a month later, the Israel National Cyber Directorate confirmed Iranian attempts to access cameras during large-scale attacks, reportedly to get feedback on where the missiles hit and improve precision. Both highlighted cases show the attackers’ reliance on routing traffic through anonymizing VPNs to prevent attribution.

The divide between digital intrusions and physical warfare continues to blur. With nation state groups leveraging cyber reconnaissance as a precursor for physical attacks, it is likely we will continue to see significant developments in this kind of hybrid warfare.

The Cipher Brief spoke with Dr. Neal Jetton, the Cybercrime Director of Interpol, to discuss how the world’s largest international police organization is taking on the threat. Speaking from last month’s Global Cybersecurity Forum in Riyadh, Saudi Arabia, Dr. Jetton said Interpol-driven efforts like information-sharing, cross-border cooperation and law enforcement training are critical in countering emboldened cybercriminals.

The Cipher Brief: Can you tell us what kind of buzz has been there? Have there been key themes or issues at this very point in time among the cyber experts that you've been talking to?

Dr. Jetton: I think you can't get away from AI here. Every panel, every discussion has an AI focus, and you think, "Ugh, more AI." But, it's here. It does impact probably everything. We have a lot of cyber threat intel companies here from the private sector who are working with it every day for their means.

And then from a law enforcement perspective, we look at it kind of as a double-edged sword. I'm from INTERPOL, so we look at how AI can benefit law enforcement in the long run. But as a cybercrime director, I also see how cyber criminals are also utilizing AI to enhance the effectiveness of their criminal activities.

The Cipher Brief: What can you tell us about the role that INTERPOL plays in countering these threats?

Dr. Jetton: So, just a little bit about INTERPOL because maybe there's some misconceptions about what it is. Even my neighbors sometimes think, "What do you actually do, Neal?" So in INTERPOL, there are 196 member countries. We are focused on law enforcement to law enforcement connections. So what we want to do in the Cybercrime Directorate is understand what our membership is suffering from as far as the type of crimes that they are seeing the most.

So we will send out yearly threat assessments because we think we might have a good idea of what a particular region is suffering from, but we need to hear it directly from the law enforcement officers and experts on the ground. We'll get that information, and then we'll turn that around and we'll try to base our training, our coordination meetings, and then our operations focused on the threats that they, our members, see most commonly.

Save your virtual seat now for The Cyber Initiatives Group Winter Summit on December 10 from 12p – 3p ET for more conversations on cyber, AI and the future of national security.

The Cipher Brief: When we talk about things like attribution, going after threat actors and bolstering cybersecurity, where do those rank on the priority scale for INTERPOL?

Dr. Jetton: Within the Cybercrime Directorate, we have three goals. I tell my team, what we want to do is we want to build up the capacity for our country. So we have to understand what they need, what they're lacking in terms of tools and training. We then want to provide accurate, useful intelligence to our member countries that they can use and turn into evidence that then helps drive their investigations to be more successful.

But my goal is to increase the capacity for our member countries, to provide relevant intelligence to them so that we have operational success, and we've done that. I think we've done more than 10 operations this year within the Cybercrime Directorate, both global and regional, focused on the threats that our members are seeing most.

What we will do is, in a lot of instances, we will bring the countries that are participating in our operations all together at one point. We'll then bring relevant private sector partners, many of them here at GCF, to come and provide training to them on the ground. We will do tabletop exercises, and then at the end of that week, it's usually a five-day process, we'll kick everybody out and we'll just focus on the operation at hand. We'll say, "We're going after this malware or these threats. These are the types of steps that we think you should take that would help you in your investigation."

So we really do want to benefit our members. I want to say though that the success that these operations have had—we've had some big wins recently—the lion's share of the success goes to our member countries, the law enforcement on the ground who are doing the actual investigations, who are going and making the arrests and seeing those things through. We've done several recently with great success.

The Cipher Brief: We asked Chris Inglis, who is the former National Security or Cybersecurity Director in the United States, about the connections between nation states and cyber criminal groups. How do you see INTERPOL playing a role in this area? Are there both challenges and opportunities when you're talking about cybercrime that may be backed by nation states?

Dr. Jetton: That's one of the misnomers with INTERPOL. The big thing with INTERPOL is neutrality. I came from a task force where we looked at nation state transnational cybercrime. But within INTERPOL, I just have to state that our constitution does not really allow us to focus on investigative matters of a religious, racial, political, or military nature. So we know that that limits the nation state actors, and I'm very aware of that. It's not like I'm naive to understand who's behind a lot of these cyber criminal activities. But to maintain that neutrality and trust with 196 members, there is a limit to what INTERPOL is allowed to do. Countries will reach out to you and they will say, "Hey, our government networks have been breached," and I know automatically this is not your usual financially motivated cyber criminals, there's something there. So I have to work hand in hand with my legal affairs team to say, "Where can we draw the line?" I don't just want to say, "No, we're not doing anything," but can we provide something, at least the starting point, but we don't want to provide attribution or state like, "Hey, it's this person.” But maybe give them a little bit of a head start and then hand off to the countries that provided the intel or are having the issues and then help them along the way.

So I just want to be clear. Nation state actors, there are a lot of organizations that are focused on that, including where I was previously. But INTERPOL, we are really focused on the financially motivated cyber criminals.

Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.

The Cipher Brief: It's such an interesting patchwork of expertise that it is critical for collective defense. What vulnerabilities do you see from your perch at INTERPOL right now in cyberspace, and where do you think defenses are failing?

Dr. Jetton: For us, when we're asking countries, "What are the biggest issues that are preventing you from being more successful in combating cybercrime?" A lot of it is the tools and the training, just having insufficient funds to actually drive up their investigative know-how or expertise. But also I think between countries, it's just the rapid ability to share information.

There are what we call MLATS, Mutual Legal Assistance Treaties. A lot of times it just takes a long time to ask for information. And we know in cybercrime, we need instantaneous help. So I would always encourage countries to reach out to INTERPOL. We have a 24/7 network. That's why we're there. I can't promise we can do everything in every situation, but we will do our very best to make the connection between which countries you need or if you need a particular company. We can't compel, but we'd put you in touch and at least let you have that conversation.

The Cipher Brief: What are the trends you are seeing right now in cybercrime?

Dr. Jetton: What we're seeing primarily is the use of AI in increasing the efficiency, scope, and effectiveness of emails and the phishing scams. They're using this phishing as a platform. You can just blank X as a platform. So it's these tools that you didn't have to have a really sophisticated technical level of abilities, and you can have these tools that allow you to then go out and commit fraud at scale. And so we are seeing that.

Also, what we're seeing is a convergence of different crimes. So cyber is poly-criminal. I live in Singapore, and one of the big things in Southeast Asia are the cybercrime centers. You hear about that all the time. What happens is you have these organized crime groups that are using cybercrime as fraudulent job applications, the emails, things like that, recruiting, and then the human trafficking aspect of it, and then forcing the people to commit the cybercrime while they're there. So we see that as a huge issue, the poly-criminal aspect of cyberware. It doesn't matter if it's human trafficking, drugs, guns—there's going to be some sort of cyber element to all those crimes.

The Cipher Brief: What are some of the most interesting conversations that you've had on the sidelines there? Has there been anything that's surprised you from some of the other guests and speakers?

Dr. Jetton: We were talking about the use of AI and where we think it's going, whether it's kind of positive or negative. What I was surprised at was, I was on a panel and I was the only person that had the glass half empty. I realized that there are some obvious useful uses for AI, and it's a game changer already for law enforcement. But what I see is these technologies being utilized by criminals at a faster rate than what law enforcement can usually do. So I see it as somewhat of a negative knowing that we're going to have to catch up like with AI-produced malware. I think that will be an issue in the future.

Whereas my other panelists were all from the private sector, and they were all like, "No, no, AI is great. It's going to allow us to use it in these positive directions," which is true, but I'm the negative, the Grinch here talking about it from saying that. So I would say that that was probably the most surprising thing.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.

The Good | FBI and Europol Arrest Ransomware Broker and Dismantle Major Botnet

Russian national, Aleksey Olegovich Volkov, is set to plead guilty for acting as an initial access broker (IAB) for Yanluowang ransomware attacks targeting at least eight U.S. companies from July 2021 to November 2022.

Using aliases like “chubaka.kor” and “nets”, Volkov sold access to the ransomware group after breaching his victim’s corporate networks and demanding ransoms from $300,000 to $15 million in Bitcoin. FBI investigators traced Volkov through iCloud, cryptocurrency records, and social media, recovering chat logs, stolen credentials, and evidence of ransom negotiations, which all linked him to $1.5 million in collected payments.

His breaches affected companies across multiple states, including banks, engineering firms, and telecoms. Volkov faces up to 53 years in prison and over $9.1 million in restitution for charges including trafficking in access, identity theft, computer fraud, and money laundering.

Law enforcement agencies across several countries dismantled over 1000 servers linked to the Rhadamanthys infostealer, VenomRAT, and Elysium botnet as part of Operation Endgame, an international effort against cybercrime. Coordinated by Europol and Eurojust with support from private partners, the action consisted of searches at 11 locations in Germany, Greece, and the Netherlands, where officers seized 20 domains and arrested a key VenomRAT suspect.

The disrupted infrastructure involved hundreds of thousands of infected devices and millions of stolen credentials, including access to over 100,000 crypto wallets. Rhadamanthys, active since 2023, had seen rapid growth in late 2025, affecting thousands of IP addresses daily.

Authorities recommend checking systems for infection via politie.nl/checkyourhack and haveibeenpwned.com. Operation Endgame has previously disrupted numerous malware and ransomware networks, including Bumblebee, IcedID, Pikabot, Smokeloader, SystemBC, and Trickbot, highlighting ongoing international efforts to curb cybercrime.

The Bad | UNC6485 Exploits Triofox Vulnerability for Remote Code Execution

Threat actors have exploited a critical vulnerability in Gladinet’s Triofox file sharing and remote access platform, chaining it with the product’s built-in antivirus scanner to gain SYSTEM-level remote code execution (RCE).

The vulnerability, tracked as CVE-2025-12480, allows attackers to abuse an access control logic error that grants admin privileges when the request host equals ‘localhost’. By spoofing this value in the HTTP host header, an attacker can reach sensitive setup pages without credentials, especially on systems where the TrustedHostIp parameter was never configured.

Security researchers first discovered an intrusion in August targeting a Triofox instance running version 16.4.10317.56372. They later determined that the threat cluster UNC6485 used a malicious HTTP GET request containing a localhost header to access the AdminDatabase.aspx setup page.

Using this workflow, the attackers created a rogue administrator account called ‘Cluster Admin’, uploaded a malicious script, and configured Triofox to treat that script as the antivirus scanner path. Since the scanner inherits SYSTEM-level privileges from the parent process, this allowed the attackers to execute arbitrary code.

The payload then launches a PowerShell downloader to retrieve a Zoho UEMS installer, which subsequently deploys Zoho Assist and AnyDesk on the compromised host for remote access and lateral movement. The attackers were also observed using Plink and PuTTY to establish SSH tunnels and forward traffic to the compromised host’s RDP port.

Gladinet has since fixed CVE-2025-12480 in Triofox version 16.7.10368.56560, and administrators are urged to update to the latest release (16.10.10408.56683), review admin accounts, and ensure the antivirus engine is not configured to run unauthorized binaries.

The Ugly | Attackers Exploit Zero-Day to Steal Washington Post Employee Data

The Washington Post, one of the vendors impacted by a breach targeting Oracle software, is notifying nearly 10,000 current and former employees and contractors that their personal and financial information has been exposed in the data theft campaign.

The Post, one of the largest U.S. newspapers with 2.5 million digital subscribers, confirmed that attackers accessed parts of its network between July 10 and August 22 by exploiting a previously unknown zero-day vulnerability in Oracle E-Business Suite, the organization’s internal enterprise resource planning (ERP) system. The vulnerability is tracked as CVE-2025-61884.

According to the letter sent to affected individuals, the Post learned of the intrusion after a threat actor contacted the company on September 29 claiming access to its Oracle applications. Post-breach investigations identified the widespread flaw that allowed the attackers to access many Oracle customers’ applications. The attackers used this flaw to steal sensitive data and later attempted to extort the Post and other organizations breached in the same campaign.

Although the Post did not name the group responsible, the Cl0p ransomware operation is suspected to be behind the attacks. Other high-profile victims of the same Oracle zero-day include Harvard University, Envoy Air, and GlobalLogic, with additional impacted organizations listed on Cl0p’s leak site.

The Post’s investigation has determined that data belonging to 9,720 individuals was compromised. Exposed information includes full names, Social Security numbers, tax and ID numbers, and bank account and routing numbers. Impacted individuals have been offered 12 months of free identity protection through IDX and advised to place credit freezes on their accounts and fraud alerts for additional protection.

The Good | Authorities Crack Down on Ransomware, Crypto Fraud & DPRK Laundering Ops

Three ex-employees of cybersecurity firms DigitalMint and Sygnia have been indicted for participating in BlackCat (aka ALPHV) ransomware attacks on five U.S. companies between May and November 2023.

The defendants allegedly acted as BlackCat affiliates, breaching networks, stealing data, deploying encryption malware, and demanding cryptocurrency ransoms. Victims included medical, pharmaceutical, and engineering firms. Prosecutors say the ransom demands ranged from $300,000 to $10 million, with one company paying out $1.27 million. The trio faces up to 50 years each in prison if convicted.

Also this week, the U.S. Treasury sanctioned two North Korean financial institutions and eight individuals for laundering cryptocurrency stolen via fraudulent IT worker schemes. The designated include Ryujong Credit Bank and Korea Mangyongdae Computer Technology Company (KMCTC), along with executives and bankers responsible for managing funds linked to ransomware attacks and UN sanctions violations.

OFAC says that over the last 3 years DPRK-affiliated cybercriminals have stolen more than $3 billion in cryptocurrency using malware and social engineering. The sanctions freeze U.S. assets and warn that transactions with these entities risk secondary penalties.

In Europe, authorities have arrested nine suspects involved in a cryptocurrency fraud network responsible for stealing over €600 million ($689 million) across multiple countries. The criminals allegedly created fake crypto investment platforms that promised high returns and recruited victims through social media, cold calls, and fake endorsements from celebrity investors. Victims lost their funds while the suspects laundered the stolen assets using blockchain tools. In operations coordinated by Eurojust in Cyprus, Spain, and Germany, law enforcement seized cash, crypto, and bank accounts.

The Bad | SleepyDuck Trojan Exploits Ethereum Smart Contracts to Evade Takedown

A new remote access trojan (RAT) dubbed ‘SleepyDuck’ has been masquerading as a well-used Solidity extension on the Open VSX open-source registry, researchers say. The malware uses Ethereum smart contracts to manage its command and control (C2) communications, helping it to maintain persistence even if its main server is taken down.

Initially benign when published on October 31, the infected extension, juan-bianco.solidity-vlang, became malicious after an update made the following day, by which time it had already been downloaded 14,000 times. For now, the extension remains available on Open VSX with a public warning. In total, it has been downloaded over 53,000 times.

Security researchers report that SleepyDuck activates when the code editor starts, a Solidity file opens, or when a compile command runs. It disguises its malicious activity through a fake webpack.init() function from extension.js, while secretly executing payloads that collect system information such as hostnames, usernames, MAC addresses, and timezones.

After it is triggered, the trojan queries the Ethereum blockchain to find the fastest RPC provider, read its C2 details, and enter a polling loop for new instructions. This blockchain-based C2 redundancy means that even if the main C2 domain (sleepyduck[.]xyz) is disabled, the malware can still fetch updated addresses or commands from the blockchain, making takedown efforts much more difficult.

In response, Open VSX has introduced new security measures, including shorter token lifetimes, automated scans, revoking any leaked credentials, and working in coordination with VS Code to block emerging threats. Best practices for developers include verifying extension publishers and installing software only from trusted repositories to avoid supply-chain compromises.

The Ugly | Iran-Based Actors Target U.S. Policy Experts in New Espionage Campaign

Between June and August, a newly identified threat cluster dubbed ‘UNK_SmudgedSerpent’ launched a series of targeted cyberattacks against U.S.-based academics and foreign policy experts focused on the Middle East. The campaign, coinciding with rising Iran-Israel tensions, uses politically-themed lures related to Iranian domestic affairs and the militarization of the Islamic Revolutionary Guard Corps (IRGC).

Researchers say the threat actors behind the campaign initiated attacks with benign email exchanges before introducing phishing links impersonating prominent U.S. foreign policy figures and think tank institutions like the Brookings Institution and Washington Institute.

The targeted victims, over 20 U.S.-based experts on Iran-related policy, were enticed to open malicious meeting documents and login pages designed to harvest their Microsoft account credentials. In some attacks, the attackers sent URLs leading to fake MS Teams login pages but pivoted to spoofed OnlyOffice sites if the victim grew suspicious.

Clicking the links led to the download of malicious MSI installers disguised as Microsoft Teams, which then deployed legitimate remote monitoring and management (RMM) software like PDQ Connect. Subsequent activity suggests attackers manually installed additional tools such as ISL Online, indicating possible hands-on-keyboard intrusion.

Researchers note that the operation’s tactics mirror those of known Iranian cyberespionage groups such as TA455 (aka UNC1549, Smoke Sandstorm), TA453 (aka TunnelVision, APT 35, UNC788), and TA450 (aka TEMP.Zagros).

The researchers believe UNK_SmudgedSerpent’s campaigns are part of a broader collection effort by Iranian intelligence aimed at gathering insights from Western experts on regional policy, academic analyses, and strategic technologies.

EXPERT INTERVIEW — The last few months have seen a series of major cyber incidents which have frozen airports, crippled companies, compromised government systems, and stolen millions from unwitting victims. Cyber leaders are warning that the threat is being worsened as hackers leverage new technology like artificial intelligence for more potent attacks.

The Cipher Brief spoke with Robert Hannigan, who served as Director of GCHQ, the UK’s largest intelligence agency, which provides signals intelligence (SIGINT) and information assurance (IA), about the nature of the cyber threat, and why everything from supply chain security to cross-sector cooperation is needed for a strong defense. We caught up with him from Riyadh’s Global Cybersecurity Forum (GCF).

The Cipher Brief: I'm curious if you could tell us right off the top, with so many different countries represented, so many different areas of expertise, what is the buzz there, Robert? What are people really most concerned about?

Hannigan: I think the big cyber incidents happening in the Middle East and Europe in recent months, particularly ransomware as a service, so big names like Jaguar Land Rover and others, have kind of given this meeting an extra buzz just before we met. Quite a few people flew in from airports that have been affected by the supply chain attack on baggage handling software. So it was very relevant and topical.

I think that's touched on a broader theme for the last couple of days, which is about supply chain. This is a global supply chain in many cases. So how do we secure that? It's a challenge, but it's no longer enough for companies or governments to secure their own perimeters. They have to worry about the tens of thousands of suppliers and vendors attached to them, their ecosystem, if you like. So regulators are getting there, and the EU has already regulated this and said we're all responsible. Other countries like the UK are getting there. So I think supply chain has been a big theme.

Save your virtual seat now for The Cyber Initiatives Group Winter Summit on December 10 from 12p – 3p ET for more conversations on cyber, AI and the future of national security.

The Cipher Brief: Ransomware supply chain has been around forever. They're very difficult in their own right, but now we're looking at a world where AI is impacting everything. How concerned are you about that?

Hannigan: I'm really concerned that we don't repeat the mistakes of the past with AI. So as we rush to adopt AI and to use it in our applications across business and government, can we make sure we do it securely? We learned the lessons of cybersecurity because we're all paying the price in a way for 20, 30 years of building a digital economy on software, particularly, but also hardware that was not designed with security in mind. So again, regulators are getting there. They're mandating Secure by Design in most countries, but that's going to take years to follow through. So can we make sure that when we adopt AI, we're doing it safely and securely? And I think there are some big risks in AI, particularly in data poisoning.

The Cipher Brief: Sam Altman did an interview just recently saying the horse is out of the barn, so to speak. And he's not even sure where this is going when it comes to building in kind of more secure ethical processes into using AI.

You sat on a panel there talking about converging crises, the future of cyberspace and complex global dynamics. And boy, are they complex. I'm really curious to hear how all of these different countries are coming together to talk about working together in cyber when some of the countries have closer relationships to China than other countries do. How are you looking at that complex landscape for both risk and opportunity?

Hannigan: It’s a great question. I think the other theme of these last two days has been multilateralism under pressure. This is not a great time for cooperation between states. And that's a problem for cyber because as you know, from your background, cyber is a team sport. You can't do this within one country. And so we really need to approach this multilaterally. I think on our panel this morning, we weren't pessimistic. Yes, it's difficult in geopolitical terms, but actually it's in everyone's interests to try and secure cyberspace. And there are plenty of initiatives going across countries that are working. Secure by Design is one, trying to improve the standard of secure software development. Some of the security work on AI is going across countries. So I haven't given up hope on that working, but it's really essential and why it's great to have people from all over the world at this kind of meeting.

The Cipher Brief: One of the other things I always love to ask you about because it's always extremely relevant is the relationships with the private sector. As former head of GCHQ, this is something that you're very close to. You have a deep understanding of what needs to happen to make these work. How do you take private sector-government relationships in one country and then sort of scale that, if you will, with other trusted partners?

Hannigan: I think it's a great question. I think The Cipher Brief is a great example of an organization that's tried to bring together government and companies in a really effective way. I've just come from the UK where I've done lots of interviews on our recent big retail, ransomware attacks, Jaguar Land Rover and others. It's striking that people still expect government to be able to defend everybody. We all know that that's just not possible.

Government has very limited resources; it can advise, it can regulate. But actually it's up to the private sector companies to defend themselves and to prepare for resilience. And one of the frustrating things for me is that this is possible, this is an achievable goal. We hear about the failures, but actually there are thousands of companies protecting themselves very well and preparing for resilience in case there is an attack so they can contain it and get back up and running very quickly. So there are a lot of people doing the right thing, some people who aren't, and we need to help them get better.

The Cipher Brief: I think you're absolutely right in saying that some of these larger companies that really have the resources to put into cybersecurity and information sharing have a lot more responsibility on their shoulders than those medium and smaller companies which sort of have to wait to see what comes down to them.

Have you been involved in any conversations there that have surprised you or made you think differently about any part of what you focus on every day when it comes to cybersecurity and all of these complex issues?

Hannigan: I think we've had a really good conversation about the positive lessons coming out of Ukraine. And Chris Inglis, who you know very well, was talking about this on his panel. And I think it's a really good point that there are so many positive things coming out of that terrible situation in Ukraine on the cyber side. So why has Ukraine managed to keep going in cyberspace to resist this avalanche of attacks coming from Russia? It's because they've had a partnership with private sector companies, big tech and small companies, with allied countries, in Europe and the U.S. in particular, and there has been a coalition of defense. And there's something really interesting there about the model for how if you get together, private and public, across different allies, you really can defend. And as Chris and one or two others put it, defense is the new attack. It's really powerful when you do it properly.

The Cipher Brief: That was such an interesting time when the full scale invasion started because you did see it's a volunteer army of all of these companies. And the important thing I think to look at there is it was very values based. That landscape is also changing. Are you concerned at all about that in the future?

Hannigan: I think we're all concerned about polarization and some of those companies being torn between East and West and, as you say, closer to China or indeed closer to Russia. I think what's powerful though in Ukraine is they not only used companies and, as you say, volunteers, they also looked to their own citizens and they used very talented people, whatever their backgrounds, to get involved in this great effort to defend Ukraine. So you can achieve good things if you can organize people together. And it's amazing they're still up and running.

And it’s also a victory for cloud. I remember 10 years ago when governments were very nervous about putting anything in the cloud. Ukraine's a great example of where cloud has saved them essentially by putting stuff outside the country. They've managed to keep going and that's impressive and a great vote of confidence.

Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

DEEP DIVE — From stolen military credentials to AI-generated personas seamlessly breaching critical infrastructure, digital identity fraud is rapidly escalating into a frontline national security threat. This sophisticated form of deception allows adversaries to bypass traditional defenses, making it an increasingly potent weapon.

The 2025 Identity Breach Report, published by AI-driven identity risk firm Constella Intelligence, reveals a staggering increase in the circulation of stolen credentials and synthetic identities. The findings warn that this invisible epidemic, meaning it's harder to detect than traditional malware, or it blends in with legitimate activity, is no longer just a commercial concern—it now poses a serious threat to U.S. national security.

“Identity verification is the foundation of virtually all security systems, digital and physical, and AI is making it easier than ever to undermine this process,” Mike Sexton, a Senior Policy Advisor for AI & Digital Technology at national think tank Third Way, tells The Cipher Brief. “AI makes it easier for attackers to simulate real voices or hack and steal private credentials at unprecedented scale. This is poised to exacerbate the cyberthreats the United States faces broadly, especially civilians, underscoring the danger of Donald Trump’s sweeping job cuts at the Cybersecurity and Infrastructure Security Agency.”

The Trump administration’s proposed Fiscal Year 2026 budget would eliminate 1,083 positions at CISA, reducing staffing by nearly 30 percent from roughly 3,732 roles to around 2,649.

Save your virtual seat now for The Cyber Initiatives Group Winter Summit on December 10 from 12p – 3p ET for more conversations on cyber, AI and the future of national security.

The Industrialization of Identity Theft

The Constella report, based on analysis of 80 billion breached records from 2016 to 2024, highlights a growing reliance on synthetic identities—fake personas created from both real and fabricated data. Once limited to financial scams, these identities are now being used for far more dangerous purposes, including espionage, infrastructure sabotage, and disinformation campaigns.

State-backed actors and criminal groups are increasingly using identity fraud to bypass traditional cybersecurity defenses. In one case, hackers used stolen administrator credentials at an energy sector company to silently monitor internal communications for more than a year, mapping both its digital and physical operations.

“In 2024, identity moved further into the crosshairs of cybercriminal operations,” the report states. “From mass-scale infostealer infections to the recycling of decade-old credentials, attackers are industrializing identity compromise with unprecedented efficiency and reach. This year’s data exposes a machine-scale identity threat economy, where automation and near-zero cost tactics turn identities into the enterprise’s most targeted assets.”

Dave Chronister, CEO of Parameter Security and a prominent ethical hacker, links the rise in identity-based threats to broader social changes.

“Many companies operate with teams that have never met face-to-face. Business is conducted over LinkedIn, decisions authorized via messaging apps, and meetings are held on Zoom instead of in physical conference rooms,” he tells The Cipher Brief. “This has created an environment where identities are increasingly accepted at face value, and that’s exactly what adversaries are exploiting.”

When Identities Become Weapons

This threat isn’t hypothetical. In early July, a breach by the China-linked hacking group Volt Typhoon exposed Army National Guard network diagrams and administrative credentials. U.S. officials confirmed the hackers used stolen credentials and “living off the land” techniques—relying on legitimate admin tools to avoid detection.

In the context of cybersecurity, “living off the land” refers to attackers (like the China-linked hacking group Volt Typhoon) don't bring their own malicious software or tools into a compromised network. Instead, they use the legitimate software, tools, and functionalities that are already present on the victim's systems and within their network.

“It’s far more difficult to detect a fake worker or the misuse of legitimate credentials than to flag malware on a network,” Chronister explained.

Unlike traditional identity theft, which hijacks existing identities, synthetic identity fraud creates entirely new ones using a blend of real and fake data—such as Social Security numbers from minors or the deceased. These identities can be used to obtain official documents, government benefits, or even access secure networks while posing as real people.

“Insider threats, whether fully synthetic or stolen identities, are among the most dangerous types of attacks an organization can face, because they grant adversaries unfettered access to sensitive information and systems,” Chronister continued.

Insider threats involve attacks that come from individuals with legitimate access, such as employees or fake identities posing as trusted users, making them harder to detect and often more damaging.

Constella reports these identities are 20 times harder to detect than traditional fraud. Once established with a digital history, a synthetic identity can even appear more trustworthy than a real person with limited online presence.

“GenAI tools now enable foreign actors to communicate in pitch-perfect English while adopting realistic personas. Deepfake technology makes it possible to create convincing visual identities from just a single photo,” Chronister said. “When used together, these technologies blur the line between real and fake in ways that legacy security models were never designed to address.”

Washington Lags Behind

U.S. officials acknowledge that the country remains underprepared. Multiple recent hearings and reports from the Department of Homeland Security and the House Homeland Security Committee have flagged digital identity as a growing national security vulnerability—driven by threats from China, transnational cybercrime groups, and the rise of synthetic identities.

The committee has urged urgent reforms, including mandatory quarterly “identity hygiene” audits for organizations managing critical infrastructure, modernized authentication protocols, and stronger public-private intelligence sharing.

Meanwhile, the Defense Intelligence Agency’s 2025 Global Threat Assessment warns:

“Advanced technology is also enabling foreign intelligence services to target our personnel and activities in new ways. The rapid pace of innovation will only accelerate in the coming years, continually generating means for our adversaries to threaten U.S. interests.”

An intelligence official not authorized to speak publicly told The Cipher Brief that identity manipulation will increasingly serve as a primary attack vector to exploit political divisions, hijack supply chains, or infiltrate democratic processes.

Need a daily dose of reality on national and global security issues? Subscriber to The Cipher Brief’s Nightcap newsletter, delivering expert insights on today’s events – right to your inbox. Sign up for free today.

Private Sector on the Frontline

For now, much of the responsibility falls on private companies—especially those in banking, healthcare, and energy. According to Constella, nearly one in three breaches last year targeted sectors classified as critical infrastructure.

“It's never easy to replace a core technology, particularly in critical infrastructure sectors. That’s why these systems often stay in place for many years if not decades,” said Chronister.

Experts warn that reacting to threats after they’ve occurred is no longer sufficient. Companies must adopt proactive defenses, including constant identity verification, behavioral analytics, and zero-trust models that treat every user as untrusted by default.

However, technical upgrades aren’t enough. Sexton argues the United States needs a national digital identity framework that moves beyond outdated systems like Social Security numbers and weak passwords.

“The adherence to best-in-class identity management solutions is critical. In practice for the private sector, this means relying on trusted third parties like Google, Meta, Apple, and others for identity verification,” he explained. “For the U.S. government, these are systems like REAL ID, ID.me, and Login.gov. We must also be mindful that heavy reliance on these identity hubs creates concentration risk, making their security a critical national security chokepoint.”

Building a National Identity Defense

Some progress is underway. The federal Login.gov platform is expanding its fraud prevention capabilities, with plans to incorporate Mobile Driver’s Licenses and biometric logins by early 2026. But implementation remains limited in scale, and many agencies still rely on outdated systems that don’t support basic protections like multi-factor authentication.

“I would like to see the US government further develop and scale solutions like Login.gov and ID.me and then interoperate with credit agencies and law enforcement to respond to identity theft in real time,” Sexton said. “While securing those systems will always be a moving target, users’ data is ultimately safer in the hands of a well-resourced public entity than in those of private firms already struggling to defend their infrastructure.”

John Dwyer, Deputy CTO of Binary Defense and former Head of Research at IBM X-Force, agreed that a unified national system is needed.

“The United States needs a national digital identity framework—but one built with a balance of security, privacy, and interoperability,” Dwyer told The Cipher Brief. “As threat actors increasingly target digital identities to compromise critical infrastructure, the stakes for getting identity right have never been higher.”

He emphasized that any framework must be built on multi-factor authentication, phishing resistance, cryptographic proofs, and decentralized systems—not centralized databases.

“Public-private collaboration is crucial: government agencies can serve as trusted identity verification sources (e.g., DMV, passport authorities), while the private sector can drive innovation in delivery and authentication,” Dwyer added. “A governance board with cross-sector representation should oversee policy and trust models.”

Digital identities are no longer just a privacy concern—they’re weapons, vulnerabilities, and battlegrounds in 21st-century conflict. As foreign adversaries grow more sophisticated and U.S. defenses lag behind, the question is no longer if, but how fast America can respond.

The question now is whether the United States can shift fast enough to keep up.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.

OPINION -- I recently had a conversation with senior intelligence community leaders about their desire to build stronger partnerships with private-sector technology companies—the so-called “Silicon Valley” ecosystem. They were asking for advice on how to engage, build relationships, and ultimately establish strategic partnerships.

But the companies they were most interested in? They were largely consumer-facing platforms. Innovative, yes—but not mission-aligned. That conversation highlighted a broader, more fundamental gap I’ve been thinking about for a long time: Why are there no U.S. offensive cyber unicorns?

We certainly have defense contractors who do cyber work—on site, on contract, embedded with the government. And we have standout cybersecurity companies like CrowdStrike, Mandiant, and Dragos focused on detection, response, and resilience. But where are the startups building offensive cyber tools and platforms? Where’s the VC-backed innovation model we’ve seen in drones, hypersonics, and space?

Save your virtual seat now for The Cyber Initiatives Group Winter Summit on December 10 from 12p – 3p ET for more conversations on cyber, AI and the future of national security.

Companies like Anduril and SpaceX have proven that Silicon Valley-style innovation—product-focused, capital-efficient, fast-moving—can thrive in the national security space. So why hasn’t that approach been applied to offensive cyber? Yes, there are legal and secrecy constraints. But those same constraints haven’t stopped commercial companies from building weapons systems or highly classified ISR platforms.

Take a look at the NatSec100 - a curated list of top defense and national security startups. You’ll find companies working on AI, autonomy, sensing, and cybersecurity. But not a single one focused on offensive cyber. Why not?

Shouldn’t we want the best minds at CrowdStrike or Mandiant to spin off and build next-generation offensive platforms? Shouldn’t the DOD and IC be seeding these ideas and building an ecosystem that encourages this kind of innovation?

I believe we should.

Follow Bryan on LinkedIn or right here at The Cipher Brief.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

The Good | Former GM of DoD Contractor Pleads Guilty to Selling U.S. Cyber Secrets

Peter Williams, a former general manager at U.S. defense contractor L3Harris Trenchant, has pleaded guilty in U.S. federal court to two counts of stealing and selling classified cybersecurity tools and trade secrets to a Russian exploit broker.

Between 2022 and 2025, Williams stole at least eight restricted cyber-exploit components that were developed for the U.S. government and select allied partners. The DoJ stated that these tools, valued at $35 million, were part of Trenchant’s sensitive research and were never intended for foreign sale. Williams sold them for at least $1.3 million in cryptocurrency, signing formal contracts with the Russian intermediary for the initial sale of the components as well as a promise to provide follow-on technical support. Williams used the illicit proceeds to purchase luxury items, according to court filings.

Trenchant, L3Harris Technologies’ cyber capabilities arm, develops advanced offensive and defensive tools used by government agencies within the Five Eyes intelligence alliance. According to the DoJ, Williams abused his privileged access at Trenchant Systems to siphon the data, giving various customers of the broker, including the Russian government and other foreign cyber threat actors, an edge in targeting U.S. citizens, businesses, and critical infrastructure.

While the court reports did not name the broker, prior reporting suggests it may be Operation Zero, a Russian platform known for buying and reselling zero-day exploits, often rewarding developers with large cryptocurrency payouts.

Williams now faces up to 10 years in prison and fines of $250,000 or twice the profit gained. As international cyber brokers expand in their roles as international arms dealers, law enforcement officials reaffirm their hard stance against malicious insiders abusing their positions of trust.

The Bad | New “Brash” Flaw Crashes Chromium Browsers with Timed Attacks

Security researcher Jose Pino has disclosed a severe vulnerability in Chromium’s Blink rendering engine that allows attackers to crash Chromium-based browsers within seconds. Pino has named the vulnerability “Brash” and attributes it to an architectural oversight that fails to rate-limit updates to the document.title API. Without the rate-limiting, an attacker can generate millions of document object model (DOM) mutations per second by repeatedly changing the page title, overwhelming the browser, and consuming CPU resources until the UI thread becomes unresponsive.

The Brash exploit occurs in three phases. First, the attacker prepares a hash seed by loading 100 unique 512-character hexadecimal strings into memory to vary title updates and maximize the impact of the attack. Then, the attacker launches burst injections that perform three consecutive document.title updates in a row, which in default test settings inject roughly 24 million updates per second using a burst size of 8,000 and a 1 ms interval. Lastly, the sustained stream of updates saturates the browser’s main thread, forcing both the tab and the browser to hang or crash and requiring forced termination.

Brash can be scheduled to run at precise moments, enabling a logic-bomb style attack that remains dormant until a timed trigger activates. This increases the danger since attackers can control when the large-scale disruption will occur. Hypothetically, a single click on a specially crafted URL can detonate the attack with millisecond accuracy and little initial indication.

The vulnerability affects Google Chrome and all Chromium-based browsers, including Microsoft Edge, Brave, Opera, Vivaldi, Arc, Dia, OpenAI ChatGPT Atlas, and Perplexity Comet. WebKit-based browsers such as Mozilla Firefox and Apple Safari are not vulnerable to Brash as well as any iOS third-party browsers.

The Ugly | Hacktivists Manipulate Canadian Industrial Systems, Triggering Safety Risks

The Canadian Centre for Cyber Security has issued a warning that hacktivists have breached multiple critical infrastructure systems across Canada, altering industrial controls in ways that could have created dangerous conditions. The alert highlights rising malicious activity that targets internet-exposed Industrial Control Systems (ICS) and urges firms to shore up their security measures to prevent such attacks.

The bulletin cites three recent incidents. In the first, a water treatment facility experienced tampering with water pressure controls, degrading service for the local community. Following that, a Canadian oil and gas company had its Automated Tank Gauge (ATG) manipulated, triggering false alarms. In a third breach, a grain drying silo on a farm had temperature and humidity settings altered, creating potentially unsafe conditions if the changes had gone undetected.

Authorities believe these attacks were opportunistic rather than being technically sophisticated, and intended to attract media attention, underme public trust, and harm the reputation of Canadian authorities. Hacktivists have been known to collaborate with advanced persistent threat (APT) groups to amplify the reach of disruptive acts and cause public unrest.

Although none of the targeted facilities suffered damage, the incidents underline inherent risks in poorly protected ICS, including programmable logic controllers (PLCs), supervisory control and data acquisition (SCADA) systems, human-machine interfaces (HMIs), and industrial IoT devices.

The Cyber Centre recommends that organizations inventory and secure internet-accessible ICS devices, remove direct internet exposure where possible, implement VPNs with multi-factor authentication (MFA), maintain regular firmware updates, and conduct regular penetration testing. Resources like the Cyber Security Readiness Goals (CRGs) can offer guidance for critical infrastructure firms and officials remind organizations that suspicious activity should be reported via My Cyber Portal or to local authorities to reduce risks of future compromise.

To prevail and prosper in this new geopolitical struggle, the U.S. must build and maintain networks of investors, customers, and collaborators among allies with common values and interests. By forging such networks, the U.S. can accelerate the technology innovation and implementation velocity crucial to outpacing its rivals and their formidable manufacturing capacity, human talent base, and financial resources.

Opportunities (and Risks) of Buyer Alliances

Much of Washington’s bipartisan consensus on the necessity of American technology leadership has rightly focused on the nation’s capacity to “build the future” at home, safely beyond China’s sphere of predation in East Asia, creating American jobs and national wealth, and on terms that ensure these technologies reflect American values.

National innovation initiatives, such as the CHIPS Act, support domestic production of advanced semiconductors, and the Trump and Biden Administrations have rightly advocated robust domestic AI innovation initiatives within our own borders.

But the other side of the 21st Century innovation race is a sprint to forge strong alliances abroad, with buyers who will accelerate domestic efforts by investing in, buying, deploying, and fine tuning U.S. innovations at a greater scale and profit than would ever be possible were U.S. builders limited to merely selling to U.S. government agencies and corporations at home.

Numerous U.S. allies and potential allies in Europe, Asia, the Middle East, and beyond share security concerns about aggressive states such as China, Russia, Iran, and North Korea, and many share U.S. concerns related to the economic, intelligence, and security implications of future dependence on technologies developed in China.

While Chinese-based technology builders such as Huawei and DeepSeek have potential to outpace U.S. competitors in the coming years, the Western innovation ecosystem continues to produce the finest and greatest variety of technology solutions. By leveraging allied investments in new digital infrastructure and national security, U.S.-based technology builders can assert their industrial advantages over Chinese competitors in quality, variety of options, and open standards to enable these states to implement the technologies they require to modernize, while protecting themselves from aggression and maintaining their digital sovereignty.

Should the U.S. fail to forge these essential partnerships, Chinese rivals will outflank America’s technology builders, penetrate and gain permanent footholds in foreign markets, and establish global technology hegemony over the world’s frontier technologies, and the future.

The Cipher Brief brings expert-level context to national and global security stories. It’s never been more important to understand what’s happening in the world. Upgrade your access to exclusive content by becoming a subscriber.

A Common Defense of Buyer Alliances Strengthens US National Security

These technology buyer partnerships are not merely about hardware and software sales, market penetration, technology jobs, and reinvestment of newly created wealth at home. By deploying U.S. national security technologies across a wide range of allies abroad, the cost of building, maintaining, and enhancing them at home will decline as their efficacy, lethality, and capacity to deter aggression will surge.

It was the open markets of globalization that enabled Chinese firms to build up tremendous commercial manufacturing capacity in everything from electric cars to computing and telecommunications systems, robotics, ships, pharmaceuticals, and drones. The CCP has leveraged this manufacturing capacity and technical expertise to build new military technology capabilities to threaten the U.S. and its allies. China’s dual-use manufacturing capacity is on vivid display in Ukraine, where the country’s warfighters favor inexpensive, highly-functional drones built with components manufactured in China.

U.S. cybersecurity, AI, and defense tech software technologies are only as impactful as their feedback loops—their capacity to ingest massive amounts of threat and performance data in order to learn and improve their defensive capabilities moving forward.

In the same way U.S. drone technologists are observing and learning how drones are performing (and under-performing) in contested Russia-Ukraine battlefield environments, deploying American security technologies along all fronts of geopolitical conflict will make U.S. defenses at home smarter, faster, more creative, more autonomous, and more lethal based on their ability to learn how our adversaries are operating and understanding the weapons and tactics they are likely to use against America’s military and homeland.

Finally, establishing U.S. technologies’ dominance in more countries ensures the U.S. will define technology standards as they are adopted more broadly. As they are adopted, the U.S. and its allies are in a better position to collaborate, surge resources as needed, and execute to resolve threats faster in times of tremendous crises.

The Race Ahead

We applaud the Trump Administration’s efforts to build on existing domestic “technology builder” initiatives by opening new markets for buyers of American frontier technologies. This “technology buyer” diplomacy was on display in April when President Trump, accompanied by leading technology executives from OpenAI, Nvidia, and others, visited members of the Gulf Cooperation Council (GCC) to establish substantial technology partnership deals. We strongly support the Administration’s efforts to negotiate sector-specific partnerships in AI, semiconductors, cybersecurity, and rare earths supply chains with NATO, the EU, Japan, South Korea, India, Taiwan, Ukraine, Australia, and others.

Winning the 21st Century innovation race will ensure America's long-term national security, economic prosperity, and freedom to determine its own destiny. Policymakers have achieved a rare consensus that existential geopolitical rivalries demand the US maximize the unique strengths of its private sector with public sector advocacy and investment at home. But because the geopolitical struggle with China and others is global and the stakes of the competition so high, America must forge partnerships that accelerate its investments and efforts at home to effectively meet the challenges confronting her abroad.

Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

The Good | Europol Dismantles Global SIM-Box Fraud Network

Europol has dismantled a major cybercrime-as-a-service (CaaS) operation, codenamed SIMCARTEL, that powered over 3,200 fraud cases and caused at least €4.5 million in damages. The network operated 1,200 SIM-box devices containing some 40,000 SIM cards, enabling criminals to rent phone numbers registered to individuals in more than 80 countries. These were then used to create 49 million fraudulent online accounts for crimes including phishing, investment fraud, extortion, impersonation, and migrant smuggling.

The illegal service, run through gogetsms.com and apisim.com, worked by selling access to “fast and secure temporary” phone numbers marketed for anonymous communication and account verification. GoGetSMS also offered users a way to monetize their own SIM cards. However, reviews suggested it was a front for large-scale identity fraud, now exposed as one of Europe’s most extensive SIM-box schemes to date. Europol said the infrastructure was “technically highly sophisticated”, which allowed perpetrators worldwide to hide their identities while conducting telecom-based fraud.

After running coordinated raids across Austria, Estonia, Finland, and Latvia, police arrested seven suspects in total. They also seized five servers, the two websites, hundreds of thousands of SIM cards, €431,000 deposited in bank accounts, €266,000 in crypto, and four luxury vehicles. Both domains have been taken down and now display official law enforcement banners.

So far, authorities have linked the network to 1,700 fraud cases in Austria and 1,500 in Latvia, with combined losses adding up to nearly €5 million. Europol’s forensic analysis of the seized servers aims to identify customers of the illegal service.

The Bad | Jingle Thief Exploits Cloud Identities for Large-Scale Gift Card Fraud

A new report from security researchers details the activities of ‘Jingle Thief’, a financially motivated threat group that operates almost entirely in cloud environments to conduct large-scale gift card fraud. Active since at least 2021, the group targets retail and consumer services organizations through phishing and smishing campaigns designed to steal Microsoft 365 credentials.

Once inside, the attackers exploit cloud-based infrastructure to impersonate legitimate users, gain unauthorized access to sensitive data, and manipulate gift card issuance systems. With their campaigns focusing on mapping cloud networks, attackers can move laterally across accounts and avoid detection through stealthy tactics such as creating inbox rules, forwarding emails, and registering rogue authenticator apps to bypass MFA in M365.

Unlike traditional malware-driven attacks, Jingle Thief relies heavily on identity misuse, choosing to leverage stolen credentials instead of deploying custom payloads to blend in with normal user activity. This approach allows them to maintain access for many months while issuing or selling unauthorized gift cards for profit on gray markets.

Researchers also observed a major wave of Jingle Thief activity between April and May 2025, during which the group compromised more than 60 user accounts within a single organization. The attackers conducted extensive reconnaissance in SharePoint and OneDrive, searching for financial workflows, IT documentation, and virtual machine configurations, all tied to gift card systems.

Exploiting cloud identities rather than endpoints furthers the trend of cloud-based cybercrime, where phished credentials and identity abuse enable financially motivated actors to scale operations while remaining under the radar. Jungle Thief’s campaign is a reminder to prioritize identity-based monitoring and cloud-native security measures that provide full visibility and real-time detection.

The Ugly | PhantomCaptcha Spearphishing Targets Ukraine’s Relief Networks

SentinelLABS, together with the Digital Security Lab of Ukraine, have uncovered ‘PhantomCaptcha’, a single-day spearphishing campaign that targeted Ukrainian regional government administrations and humanitarian organizations such as the International Red Cross, UNICEF, the Norwegian Refugee Council, and other NGOs linked to war relief efforts.

Launched on October 8, 2025, the operation began with an impersonation of the Ukrainian President’s Office, distributing weaponized PDF attachments that redirected victims to a fake Zoom site (zoomconference[.]app). There, a fake Cloudflare CAPTCHA lured users into copying and pasting malicious PowerShell commands – a ClickFix technique designed to bypass traditional endpoint controls by tricking victims into executing the malware themselves.

Once running, the script deployed a multi-stage PowerShell payload leading to a WebSocket remote access trojan (RAT) hosted on Russian-owned infrastructure. The RAT enables arbitrary command execution, data exfiltration, and the potential deployment of further malware through encrypted WebSocket communications. Although investigations show that the attackers spent six months preparing the campaign, it remained active for only 24 hours, pointing to an infrastructure that demonstrates sophisticated operational security and planning.

SentinelLABS linked the campaign to an additional Android-based espionage effort hosted on princess-mens[.]click, which distributes spyware-laden APKs disguised as adult entertainment or cloud storage apps designed to harvest contacts, media files, and geolocation data.

While attribution remains unconfirmed, technical overlaps, including the ClickFix lure and Russian-hosted C2s, suggest possible ties to COLDRIVER (aka UNC4057 or Star Blizzard), a threat group linked to Russia’s Federal Security Service (FSB). PhantomCaptcha is an example of a highly organized and adaptive adversary, able to blend social engineering, short-lived but highly compartmentalized infrastructure, and cross-platform espionage to target Ukraine’s humanitarian and government sectors.

OPINION — The use of artificial intelligence by adversaries has been the subject of exhaustive speculation. No one doubts that the technology will be abused by criminals and state actors, but it can be difficult to separate the hype from reality. Leveraging our unique visibility, Google Threat Intelligence Group (GTIG) has been able to track the use of AI by threat actors, but the pace of change has made it challenging to even forecast the near future. However, we are now seeing signs of new evolutions in adversary use, and hints at what may lie ahead in the near future. Most importantly though, there are opportunities for defensive AI to help us manage these future threats.

Evolution Thus Far

Over the course of the last eight years, GTIG has observed AI-enabled activity evolve from a novel party trick to a staple tool in threat actors’ toolbelts. In the early days, we detected malicious actors embracing the nascent technology to enhance their social engineering capabilities and uplift information operations campaigns. The ability to fabricate fake text, audio, and video was quickly abused by threat actors. For instance, several adversaries use GAN images of people that don’t exist to create fake personas online for social engineering or information operations campaigns (this negates the use of real photos in these operations, which could often be foiled when the photo was researched). A poor deepfake of Volodymyr Zelensky was created in an effort to convince Ukrainians that he had capitulated in the early hours of the full scale Russian invasion in 2022. Additionally, deepfakes have been reportedly used in state and criminal activity.

By investigating adversary use of Gemini we have some additional insight into how AI is being leveraged. We have observed threat actors using Gemini to help them with a variety of tasks like conducting research and writing code. Iranian actors have used it for help with error messages and creating python code for website scraping. They have also used it to research vulnerabilities as well as the military and government organizations they are targeting. North Korean actors have also tried to use Gemini for help with scripting, payload development, and evading defenses. Additionally, DPRK IT workers use AI to create resumes and fake identities.

One of the most interesting uses of Gemini by threat actors has been enabling deeper access during intrusions. In these cases, China-nexus cyber espionage actors appear to reach a certain juncture in an intrusion where they need technical advice on how best to execute the next step. To that end, they have sought guidance on problems like how to record passwords on the VMware vCenter or how to sign a plugin for Microsoft Outlook and silently deploy it from their position inside a network.

Gemini is not an ideal tool for threat actors, however, since guardrails are in place to prevent its abuse, foiling many of their use cases. Unfortunately, the criminal marketplace now offers their own models and related tools that are unhindered by guardrails and purpose-built for malicious activity. There are now several mature tools that offer help with tasks like malware development, phishing, and vulnerability exploitation. A common theme in these tools is the ability to boost the efforts of less technically skilled actors.

While some of these AI use cases are novel (like deepfakes) most were previously available through other means or could be obtained with sufficient resources. Pictures could be edited, social engineering emails could be translated, and skills could be learned the old fashioned way. Until recently, we had not seen many potentially game changing use cases.

While we had previously seen some experimental samples, AI-enhanced malware has only just begun to be adopted by threat actors, and there is some evidence it may be a useful means of avoiding detection. Nevertheless, there is also reason to be optimistic about the prospects of using AI to prevent this type of activity. This August, malware that leverages an LLM was used in Ukraine by the Russian cyber espionage actor APT28. It called out to an open source LLM through API to create commands on the fly and evade static detection. We saw a variation on this theme recently by another actor as part of the NPM supply chain incidents. That malware used LLM command line interfaces on the victims machine to stay beneath the radar. In the latter case, no security vendors flagged the malware as malicious in VirusTotal, but interestingly it was flagged as a “severe security threat” by VirusTotal’s Code Insight feature, an LLM capability itself. As AI-enhanced malware becomes more commonplace we will get a better understanding of what it takes to stop it and how relevant AI will be to addressing it.

The Cipher Brief brings expert-level context to national and global security stories. It’s never been more important to understand what’s happening in the world. Upgrade your access to exclusive content by becoming a subscriber.

Imminent Capabilities

In addition to AI-enhanced malware there are two additional AI use cases that we expect threat actors to adopt imminently: novel vulnerability discovery and automated intrusion activity. While there are still scant signs of adversary use of these capabilities, there are corresponding capabilities in use and under development by defenders that prove they are possible. Furthermore, we do not expect the use of these capabilities to be wholly transparent. Due to constraints, adversaries are unlikely to use mainstream public models for these purposes, denying us a means of observing their adoption.

AI’s ability to discover previously unknown vulnerabilities in software has now been well-established by several defensive efforts designed to identify these flaws before adversaries. Google’s own BigSleep, an AI agent purpose-built for this task, has uncovered over 20 vulnerabilities leading to pre-emptive patching. In two cases Big Sleep was used in conjunction with intelligence to uncover zero-day vulnerabilities as adversaries staged them for attacks.

Unfortunately BigSleep and similar efforts offer tangible proof of a capability that can and will almost certainly be abused by adversaries to discover and exploit zero-day vulnerabilities. Zero-days are a boon for threat actors who will target researchers, infiltrate tech companies, and spend lavishly to uncover them. The clear opportunity to use LLMs will not have been lost on state actors who have the resources to carry out research and development in this area.

Another prospective use of agentic AI is the automation of intrusion activity. This capability was presaged by the aforementioned China-nexus cyber espionage operators who asked Gemini during active intrusions for help. The application of agentic technology to this use case is somewhat obvious: an agent that can leverage this help automatically to transit targeted networks and accomplish the intrusion’s objectives without the operator’s direct intervention. There are already numerous efforts to build these capabilities for defense and at least one related open source effort has been the subject of discussion in the criminal underground.

These developments could radically change the challenge facing defenders. Without compensating with proactive use of AI to find vulnerabilities, we can expect the scale of the zero-day problem to grow significantly as adversaries adopt the technology for this purpose. Automated intrusion activity will likely affect the scale of activity defenders are facing as well, as humans are replaced by multiple agents. This activity will be faster as well. Agents will be able to react more quickly to zero-days or discover short-term weaknesses in defenses.

In both cases, AI offers the clearest solution for defenders. BigSleep and similar solutions will be necessary to uncover vulnerabilities faster than adversaries, seizing the initiative. In the same vein, Google has just released details of an agent called CodeMender that can automatically fix vulnerabilities and improve code security. Agentic solutions may also be the best solution to automated intrusion activity: without this technology we will struggle to move as quickly or handle the deluge of attacks.

Implications

The pace of AI adoption by adversaries will be determined by resources at their disposal and the opportunity the technology enables. The most sophisticated actors will not dawdle in adopting these capabilities, but their activity, as always, will be the most difficult to observe. To prepare wisely we will have to anticipate their activity and begin taking action now. Cyberdefenders will have to reach the same conclusion that has already been reached in other fields of conflict: the solution to an AI-powered offense is an AI-powered defense.

Who’s Reading this? More than 500K of the most influential national security experts in the world. Need full access to what the Experts are reading?

The vast amounts of data collected from phones and other internet-connected devices—and traded globally through the multi-billion-dollar data brokerage industry—have rightly drawn growing concern from national security professionals. Yet the parallel surge in data collection through smart-city technologies has received far less attention. Around the world, cities are deploying advanced information and communications systems to optimize everything from energy use and traffic management to policing and environmental performance. The data emerging from these systems is qualitatively different: continuous, infrastructure-linked, and often directly tied to identifiable individuals and critical sites. Even without commercial resale, such data can easily flow—intentionally or inadvertently—into the hands of U.S. competitors and adversaries, posing a distinct national security risk.

While phone apps and advertising data are gathered at certain moments and often with delays, smart-city sensors capture information in real time, around the clock. This gives the data greater spatial precision, accurately mapping activity to specific roads, entrances, and choke points, whereas device-centric GPS or Wi-Fi signals from typical data-broker sources are noisier and less reliable. Moreover, smart-city data is tightly bound to real-world identities, linking information such as license plates, transit cards, vehicle identifiers, facial imagery, or utility meters directly to people and places. In contrast, data brokers typically rely on trackers and identifiers that require additional “enrichment” to infer who someone is. This makes smart-city data inherently more identifiable—and therefore more sensitive—from the moment it is collected.

Smart-city operations inherently generate vast datasets that reflect the rhythms of daily life. On a typical morning commute through a connected metropolis, an individual leaves behind a dense trail of digital traces detailed enough to reconstruct their routine. License plate readers track vehicle movements; traffic cameras and transit cards log each stop and transfer. Smart parking meters, toll sensors, and even networked streetlights record times and locations. By the time the commuter arrives at the office, building access systems, facial-recognition cameras, and smart elevators have verified and stored their presence—all producing data that may be processed, shared, and sold far beyond city borders.

What begins as an ordinary commute can pose risks. The same streams of data that keep cities running efficiently can compromise covert or clandestine urban infrastructure—such as safe houses. Even when an individual’s identity remains unknown, long-term data retention allows for after-action attribution. With sufficient archives, authorities—or anyone who gains access to the data—can retrospectively reconstruct vehicle routes, recurring digital patterns, and anomalies in utility use, effectively linking an individual to a dwelling that was invisible in real time. For the intelligence and special operations communities, this means that the longer a safe house remains active, the greater the chance that archived urban data will eventually reveal its connection to past activity.

In most smart cities, local governments team up with private tech companies to run the networks of sensors, cameras, and apps that keep the city smart. While municipal authorities collect data to improve services—like managing parking space—vendors often handle the technical side, storing and analyzing that information on their own systems. Along the way, some of this data is shared with third-party partners for analytics, advertising, or “service optimization”—a catch-all term for improving device performance and adjusting how services are delivered. From there, data can flow into the vast ecosystem of data brokers, who combine it with information from other sources and resell it on the open market. The result: data that began as part of a city service can eventually be bought across countries and jurisdictions with little trace of its public origins.

Even without commercial resale, smart-city data can find its way into the hands of U.S. competitors and adversaries. Take Chinese vendors, for example. Huawei and other companies have aggressively marketed smart-city technologies worldwide. According to a 2022 report by the Center for Strategic and International Studies, China’s Digital Silk Road has served as a major channel for exporting smart-city systems. The U.S.–China Economic and Security Review Commission has documented hundreds of such exports by Chinese firms across 106 countries. More recently, researchers have noted that through these projects, Beijing gains intimate knowledge of urban operations. This is because under China’s 2017 National Intelligence Law, Chinese companies are legally obligated to cooperate with state intelligence services. As a result, Beijing does not even need to purchase the information through data brokers. Ultimately, smart-city data can provide Chinese intelligence networks with tools to influence—or pressure—municipal authorities.

The Cipher Brief brings expert-level context to national and global security stories. It’s never been more important to understand what’s happening in the world. Upgrade your access to exclusive content by becoming a subscriber.

For an adversary, access to extensive smart-city data archives offers at least four key advantages: the ability to reconstruct patterns of life for U.S. intelligence and military personnel, map their organizational networks, trace and attribute past events, and shape narratives in information warfare. Consider the last one, for example. Extended retention periods of smart-city datasets act as a generally overlooked force multiplier for information operations. For example, the same repositories that enable urban planning can be weaponized to construct convincing deepfakes: By fusing authentic time and location data with fabricated content, an adversary can produce false narratives that appear highly credible.An adversary could depict military personnel or public officials at sensitive sites, discrediting leadership or triggering diplomatic crises.

Addressing the challenges of smart-city data may benefit from structured “red team” exercises. Such exercises could involve legally acquiring commercially available datasets that encompass embassies, military bases, or other national security installations, followed by analysis of what information can be inferred across different time windows. Where appropriate, host ministries and municipal authorities could be engaged to adopt protective measures. Supplementary agreements—such as annexes to the Status of Forces Agreement or local memoranda of understanding—might establish short retention periods for data collected in designated military-adjacent zones. Such agreements could also mandate signed deletion attestations and prohibit vendors from exporting copies without explicit government approval.

Smart-city data—and the duration for which it is retained—deserves strategic scrutiny, not just technical management. These municipal datasets are living maps of how nations decide, adapt, and function. They mark another intelligence frontier—one we have yet to secure.

Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.

Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

The Good | DOJ Seizes $15B in Crypto, Targets Global Scam Ring & PowerSchool Hacker

The U.S. Department of Justice has seized $15 billion in bitcoin from the Prince Group, a vast criminal syndicate behind cryptocurrency scams known as romance baiting. Led by fugitive Chen Zhi (aka Vincent), the group defrauded billions from victims through fake investment schemes disguised as romantic or business opportunities. Operating across 30+ countries, Prince Group forced trafficked workers into Cambodian compounds to run these scams under threat of violence.

The organization laundered illicit gains through complex crypto transfers before converting them into cash for luxury assets, including yachts, jets, and even a Picasso painting. In coordination with the U.K., the U.S. Treasury has sanctioned Zhi and 146 of his associates. Authorities, on the whole, estimate that Americans lost $16.6 billion to such scams last year, with Southeast Asian-based operations driving most of this increase. As global authorities intensify crackdowns on large-scale fraud and cybercrime operations, U.S. law enforcement continues to pursue domestic offenders exploiting digital platforms for profit.

Matthew D. Lane, a 19-year-old from Massachusetts, was sentenced to four years in prison and ordered to pay $14 million in restitution for orchestrating a severe cyberattack on PowerSchool, a leading K–12 software provider serving over 60 million students worldwide. Lane and his accomplices used stolen subcontractor credentials to breach PowerSchool’s systems, stealing data on 9.5 million teachers and 62.4 million students, including social security numbers and medical records. They demanded $2.85 million in Bitcoin under the alias “Shiny Hunters”.

Despite PowerSchool paying an undisclosed ransom to prevent a data leak, the group continued additional extortion attempts on several affected school districts. Lane pleaded guilty to multiple federal cybercrime charges in May.

The Bad | North Korean Hackers Deploy EtherHiding to Steal Cryptocurrency

North Korean state-sponsored hackers have begun using a novel malware-hosting method called “EtherHiding” to steal cryptocurrency, marking the first time a nation-state actor has employed this blockchain-based technique. Researchers attribute the activity to the DPRK-linked cluster UNC5342, which has been deploying EtherHiding since February 2025 as part of its ongoing “Contagious Interview” campaign. The group uses fake job offers to lure software developers, posing as recruiters from fake companies. During technical assessments, victims are tricked into running malicious code, initiating the multi-stage infection chains.

EtherHiding embeds malicious payloads within smart contracts on public blockchains, including Ethereum and Binance Smart Chain, allowing attackers to fetch the malware via read-only calls that leave no trace of the transaction. This method provides anonymity, is resilient to takedowns, and provides the flexibility to update payloads at minimal cost, an average of $1.37 USD per update. The payloads include JADESNOW, a JavaScript downloader, and InvisibleFerret, a backdoor for credential theft, remote control, and exfiltration of cryptocurrency wallet data and browser-stored passwords.

Researchers note that the threat actor’s use of multiple blockchains suggests operational compartmentalization and makes forensic analysis more difficult. The approach demonstrates a shift toward bulletproof hosting, using blockchain technology to create takedown-resistant, flexible malware distribution.

Users should exercise caution with job-related downloads and adopt best practices such as testing files in isolated environments, restricting executable file types, and enforcing strict browser policies to block script auto-execution.

The Ugly | Flaws in Microsoft Defender Could Lead to Theft of Data

Researchers have reported unpatched vulnerabilities in Microsoft Defender for Endpoint (DFE) that could enable attackers to bypass authentication, spoof data, exfiltrate sensitive information, and inject malicious files into forensic evidence collections used by security analysts.

Reported to Microsoft’s Security Response Center in July 2025, the issues were categorized as low severity, with no confirmed fixes as of this writing. Researchers tracking the flaws focused on how the agent communicated with cloud backends, using tools like Burp Suite and WinDbg memory patches to bypass certificate pinning in MsSense.exe and SenseIR.exe, allowing plaintext interception of HTTPS traffic, including Azure Blob uploads.

The core problem lies in DFE requests to endpoints such as /edr/commands/cnc and /senseir/v1/actions/, where Authorization tokens and headers are ignored. Low-privileged users can obtain machine and tenant IDs from the registry to impersonate the agent, intercept commands, or spoof responses such as faking an “already isolated” status while leaving devices exposed. Similarly, CloudLR tokens for Live Response and Automated Investigations are ignored, allowing payload manipulation and uploads to Azure Blob URIs.

In addition, attackers can access 8MB configuration dumps without credentials, revealing detection logic like RegistryMonitoringConfiguration and ASR rules, while investigation packages on disk can be tampered with, embedding malicious files disguised as legitimate artifacts.

Despite responsible disclosure by the researchers concerned, it remains unknown whether Microsoft will patch the flaws any time soon.

The Good | Teens Arrested in Nursery Doxing Case as OpenAI Disrupts Cybercrime Clusters

U.K. police have arrested two 17-year-olds in Hertfordshire for allegedly doxing children following a ransomware attack on London-based Kido nurseries. The Radiant Group claimed responsibility, saying they stole sensitive data and photos of over 8000 children and leaked some online to extort Kido. Later, the files were removed after the groups’ threats to both Kido and parents of the affected children failed to make headway. Kido, supporting over 15,000 families in the U.K, U.S, China, and India, confirmed the breached data was hosted by Famly, a nursery software platform, which said its systems were not compromised.

The UK’s NCSC called the attack on children “particularly egregious” and the Met Police emphasized their commitment to bringing the perpetrators to justice. The arrests reflect a wider trend of teenagers involved in major U.K. cyberattacks, with recent cases linked to Marks & Spencer, Co-op, Harrods, and Transport for London.

Also this week, OpenAI said it disrupted three malicious activity clusters abusing ChatGPT for cybercrime and influence operations. The first involved Russian-speaking actors using multiple accounts to develop components of remote access trojans (RATs), credential stealers, and data exfiltration tools. The second, tied to North Korean actors, used ChatGPT to assist in malware, phishing, and C2 development – using the chatbot to draft copy, perform experiments, and explore new techniques. The third was linked to Chinese threat group ‘UNK_DropPitch’, which leveraged the tool to create multilingual phishing content and automate hacking tasks.

Beyond these, OpenAI also blocked networks from Cambodia, Myanmar, Nigeria, Russia, and China for using AI in scams, propaganda, and surveillance, though all mentioned actors tried to mask signs of their abuse of the tool to further their operations.

The Bad | Crimson Collective Group Breach Cloud Systems to Steal Data & Extort Victims

A threat group called ‘Crimson Collective’ has launched a series of targeted attacks on AWS cloud environments, stealing sensitive data and extorting victims through multi-stage intrusions. The group just recently exfiltrated 570 GB of data from thousands of private GitLab repositories before joining forces with Scattered Lapsus$ Hunters to intensify its extortion efforts.

Researchers explain how Crimson Collective’s operations begin with harvesting exposed long-term access credentials using open-source tools like TruffleHog. Once inside, they create new privileged accounts and escalate privileges by assigning administrative policies, effectively gaining complete control over the compromised environment. Here, the attackers enumerate users, databases, and storage systems in preparation of large-scale data theft.

The group’s exfiltration process involves modifying database master passwords, creating snapshots of databases before exporting them to S3 for transfer through API calls. EBS (Elastic Block Store) volumes are then launched and attached under permissive security groups to move data more freely. Victims typically receive ransom demands via in-platform email systems and external addresses once exfiltration is complete.

Investigations found that the group employs many IP addresses, some reused across different incidents, which allowed partial tracking of its operations. While Crimson Collective’s size and infrastructure remain unclear, its extortion tactics indicate an expanding threat to organizations relying on cloud-based infrastructure. Using short-term, least-privileged credentials and enforcing IAM policies can help mitigate the chance of breaches.

Researchers warn that leaked credentials and lax privilege management continue to be major enablers for these attacks, and urge companies to tighten access controls, limit credential lifespan, and regularly audit for exposed secrets using open-source scanning tools.

The Ugly | Attackers Breach Discord Ticketing Support, Exposing Data of 5.5M Users

Threat actors claiming to have breached Discord’s customer support systems are now threatening to leak data allegedly stolen from millions of users after the company refused to pay ransom demands. This latest threat follows reports that the attackers first gained access to a third-party support provider in late September, exfiltrating sensitive user information such as names, emails, government IDs, and partial payment details.

Discord confirmed that the compromise affected a vendor system used for customer service, not its internal infrastructure, and said around 70,000 users had their government ID photos exposed – far fewer than the 2.1 million claimed by the attackers. The company stressed that inflated figures and ransom demands were part of an extortion campaign and that it will not reward illegal actions.

According to the threat actors, they accessed Discord’s support platform for 58 hours through a compromised account belonging to an outsourced support agent. During this window, the scope of their claim includes 1.6 terabytes of data, including 8.4 million support tickets affecting 5.5 million users, with roughly 580,000 containing partial payment information. The attackers also said integrations between the support system and Discord’s internal database allowed them to run millions of API queries for additional user data.

The actors initially demanded $5 million, later reducing it to $3.5 million before Discord ended negotiations and went public with the breach. The group has since threatened to release the stolen data, marking one of the largest extortion-driven data thefts to hit a major communication platform in 2025.

OPINION — For most of modern history, asymmetric conflict conjured a familiar image: guerrillas in the hills, insurgents planting roadside bombs, or terrorists striking with crude weapons. The weak have traditionally offset the strong with mobility, surprise, and a willingness to take punishment.

That world is vanishing. A new age of synthetic asymmetry is emerging, one defined not by geography or ingenuity but by the convergence of technologies that enable small actors to wreak large-scale disruption. Unlike past asymmetry, which grew organically out of circumstance, this new form is engineered. It is synthetic, built from code, data, algorithms, satellites, and biotech labs. Here, “synthetic” carries a double meaning: it is both man-made and the product of synthesis, where disparate technologies combine to produce effects greater than the sum of their parts.

The implications for global security are profound. Power isn’t just about the size of an army or the depth of a treasury. It’s increasingly about who can combine technologies faster and more effectively.

A Brief History of Asymmetry

The weak finding ways to resist the strong is as old as conflict itself, but each era has defined asymmetry differently – shaped by the tools available and the political conditions of the time.

Nineteenth and 20th century resistance fighters, from Spain’s guerrilleros against Napoleon to Mao’s partisans in China, pioneered strategies that leveraged terrain, mobility, and popular support to frustrate superior armies. These methods set the template for Vietnam, where North Vietnamese and Viet Cong forces offset American firepower by blending into the population and stretching the war into a contest of political will.

The late 20th century brought new asymmetric forms. In Afghanistan, the mujahideen used Stinger missiles to neutralize Soviet air power. In Iraq, improvised explosive devices (IEDs) became the great equalizer, allowing insurgents to impose costs on heavily armored U.S. forces. Al-Qaeda and later ISIS demonstrated how transnational terrorist networks could project power globally with minimal resources, using ideology and spectacular violence to substitute for armies.

By the early 2000s, the cyber domain opened an entirely new front. The 2007 attacks on Estonia, widely attributed to Russian actors, showed that digital disruption could cripple a modern state without conventional force. Just three years later, the Stuxnet worm revealed how code could achieve effects once reserved for kinetic strikes, sabotaging Iranian nuclear centrifuges. These incidents marked the beginning of cyber as a core tool of asymmetric power.

The Arab Spring of 2011 revealed another evolution. Social media allowed activists to outmaneuver state censorship, coordinate mass mobilizations, and project their struggles globally. Authoritarian regimes learned just as quickly, harnessing the same tools for surveillance, propaganda, and repression. Asymmetric power was no longer only about insurgents with rifles; it could be exercised through smartphones and hashtags.

What began as the playbook of the weak has now been eagerly adapted by the strong. Russia weaponized social media to influence elections and deployed “little green men” in Crimea, deniable forces designed to blur the line between war and peace. Its use of mercenary groups like Wagner added a layer of plausible deniability, allowing Moscow to project power in Africa and the Middle East without formal commitments. China has fused state and private industry to pursue “civil-military fusion” in cyberspace, using intellectual property theft and digital influence campaigns to achieve strategic goals without firing a shot. Even the United States, though historically the target of asymmetric tactics, has employed them, using cyber operations like Stuxnet and financial sanctions as tools of coercion.

This adaptation by great powers underscores the shift: asymmetry is no longer just the recourse of the weak. It has become a strategic option for all actors, strong and weak alike. These episodes trace an arc: from guerrilla tactics shaped by terrain to a world where asymmetry is engineered by design.

The Cipher Brief brings expert-level context to national and global security stories. It’s never been more important to understand what’s happening in the world. Upgrade your access to exclusive content by becoming a subscriber.

Convergence as a Weapon

Synthetic asymmetry is not the product of a single breakthrough. It’s a result of technologies intertwining, with emergent results exceeding the sum of the parts.

● Artificial intelligence and autonomy turn cheap drones into swarming strike platforms and enable generative AI-fueled propaganda that is instantly localized, highly scalable, and adapts in real time.

● Biotechnology, leveraged by the democratization of tools like CRISPR and gene synthesis, opens doors to agricultural sabotage, engineered pathogens, or personalized biotargeting once confined to elite labs.

● Cyber and quantum computing erode modern infrastructure–today through leaked state tools in criminal hands, tomorrow through quantum’s threat to encryption.

● Commercial space assets put reconnaissance and global communications in reach of militias and small states.

● Cryptocurrencies and decentralized finance fund rogue actors and blunt the power of sanctions.

● Undersea infrastructure opens a highly asymmetric chokepoint, where low-cost submersibles or sabotage can sever global fiber-optic cables and energy pipelines, inflicting massive economic damage.

This is less about any one killer app than about convergence itself becoming a weapon.

Asymmetric warfare has always been about imbalance, but the shift to synthetic asymmetry is an exponential leap. A single phishing email can cripple a city’s infrastructure. Off-the-shelf drones can threaten billion-dollar ships. AI-powered disinformation efforts can destabilize national elections. This new ratio of effort to impact is more disproportionate than anything we’ve seen before.

Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.

Where Synthetic Asymmetry Is Already Here

Ukraine's defense shows what convergence looks like in practice. Commercial drones retrofitted for combat, AI-assisted targeting, crypto-based crowdfunding, and open-source satellite intelligence have allowed a middle-sized country to hold its own against one of the world’s largest militaries. The drone is to the 21st century what the AK-47 was to the 20th: cheap, accessible, and transformative.

In Gaza, reports suggest AI-driven targeting systems have accelerated lethal decision-making. Proponents say they improved efficiency; critics warn they lowered thresholds for force and reduced accountability. Either way, the software changed the calculus of war. When algorithms operate at machine speed, traditional political checks on violence weaken.

Iran has demonstrated how low-cost drone technology can harass U.S. naval forces and regional shipping. These platforms cost a fraction of the vessels and missile defenses required to counter them. Combined with cyber probes against Gulf energy infrastructure, Iran illustrates how synthetic asymmetry allows a mid-tier state to impose global strategic costs.

China’s campaigns against Taiwan go beyond military intimidation. They include AI-generated disinformation, synthetic social media accounts, and coordinated influence operations designed to erode trust in democratic institutions. This is synthetic asymmetry in the cognitive domain, an attempt to shift political outcomes before shots are ever fired.

In parts of Africa, mercenary groups operate with funding streams routed through cryptocurrency wallets, supported by commercial satellite communications. These mercenaries operate in gray zones, blurring the line between private enterprise and state proxy. Accountability vanishes in a haze of digital anonymity. Ransomware gangs, meanwhile, already display near-peer disruptive power. They freeze hospitals and pipelines, extract ransoms, and launder funds through crypto markets. Add generative AI for phishing and deepfake voices for fraud, and these groups begin to resemble stateless proto-powers in the digital realm.

The Private Sector as a Geopolitical Actor

Synthetic asymmetry also elevates the role of private companies. Commercial satellite firms provided Ukraine with near-real-time battlefield imagery. SpaceX’s Starlink network became essential to Kyiv’s communications, until its corporate leadership balked at enabling certain military uses. Crypto exchanges, meanwhile, have been both conduits for sanctions evasion and partners in enforcement.

These examples reveal a new reality: private entities now hold levers of power once reserved for states. But their interests are not always aligned with national strategies. A tech CEO may prioritize shareholder value or brand reputation over geopolitical objectives. This creates a new layer of vulnerability—governments dependent on private infrastructure must negotiate, persuade, or regulate their own corporate champions to ensure strategic alignment. The private sector is becoming a semi-independent actor in world politics.

Need a daily dose of reality on national and global security issues? Subscriber to The Cipher Brief’s Nightcap newsletter, delivering expert insights on today’s events – right to your inbox. Sign up for free today.

The Cognitive and Economic Fronts

Perhaps the most destabilizing form of synthetic asymmetry lies in the cognitive domain. Deepfakes that impersonate leaders, AI-generated news outlets, and precision microtargeting of narratives can shape perceptions at scale. The cost of attack is negligible; the cost of defense is nothing less than the integrity of public discourse. For democracies, the danger is acute because open debate is their lifeblood.

Synthetic asymmetry also reshapes geopolitics through finance. North Korea has bankrolled its weapons programs through crypto theft. Russian oligarchs have sheltered assets in opaque digital networks. Decentralized finance platforms move billions across borders beyond the reach of traditional oversight. This financial shadow world undermines sanctions, once a cornerstone of Western statecraft, and allows actors to sustain pressure that would once have been crippling.

Why Democracies are Both Vulnerable and Strong

Herein lies the paradox: democracies are more exposed to synthetic asymmetry precisely because of their openness. Their media, economies, and political systems are target-rich. Legal and ethical constraints also slow the adoption of equivalent offensive tools.

Yet democracies hold underappreciated strengths: decentralized command cultures that empower rapid adaptation, innovation ecosystems that thrive on openness and collaboration, and alliances that allow for collective defense. The task is to recognize culture itself as a strategic asset and to organize defense not around any single domain, but across all of them.

Ethical and Legal Frameworks in Flux

The rise of synthetic asymmetry is colliding with international law and norms written for an earlier era. The legal status of cyber operations remains contested: is a crippling ransomware attack on a hospital an act of war, or a crime? The Tallinn Manual, NATO’s best attempt at clarifying how international law applies in cyberspace, remains largely aspirational.

AI-driven weapons systems pose even sharper dilemmas. Who is accountable when an algorithm selects a target in error? Should lethal decision-making be delegated to machines at all? The pace of technological change is outstripping the slow processes of treaty-making, leaving a widening gap between capability and governance, a gap where much of the risk resides.

Beyond Cold War Deterrence

Traditional deterrence, threatening massive retaliation, works poorly in a world of synthetic asymmetry. Many attackers are diffuse, deniable, or stateless. They thrive in gray zones where attribution is murky and escalation is uncertain.

What’s required is not just more technology, but a new doctrine for resilience: one that integrates cyber, cognitive, biological, economic, and space defenses as a single system. That doctrine has not yet been written, but its absence is already being exploited. At ISRS, we see this convergence daily, working with governments and institutions to adapt strategies for engineered asymmetric disruption.

We are at a hinge moment in strategic affairs. Just as the machine gun upended 19th-century doctrine and nuclear weapons reordered 20th-century geopolitics, the convergence of today’s technologies is reshaping the distribution of power. The future won’t be decided by who fields the biggest army. It will be decided by who can synthesize technologies into a disruptive force faster. That is the coming age of synthetic asymmetry. The question is whether democracies will recognize it and prepare before it fully arrives.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief

EXPERT PERSPECTIVE — The timing was no coincidence.

As the U.S. federal government ground to a halt at 12:01 a.m. EDT on October 1, 2025, a cybercriminal group calling itself the Crimson Collective chose that precise moment to publicly disclose one of the most significant supply chain compromises in recent memory. The breach of Red Hat's consulting division, affecting approximately 800 organizations, including critical defense contractors and government agencies, represents more than just another data breach; it demonstrates a sophisticated understanding of how to weaponize American politics for maximum strategic impact.

The stolen data from Red Hat’s repositories reads like a VIP list, including the Naval Surface Warfare Centers, SOCOM, DISA, Raytheon, NASA’s Jet Propulsion Laboratory, and even the House of Representatives. But what’s most concerning isn’t just who was targeted; it’s the precision of when the breach occurred.

With large portions of the federal workforce furloughed and key cybersecurity teams across the government operating with sharply reduced staffing, America’s cyber defense apparatus is running at a fraction of its normal capacity. The normal channels for incident response, DIBNet reporting, cross-agency coordination, and threat intelligence fusion have been significantly slowed.

According to the attackers, the breach itself occurred in mid-September. Yet they waited. They established their Telegram channel on September 24th, tested their capabilities with attacks on Nintendo and Claro Colombia, then synchronized their disclosure with the exact moment of maximum U.S. Government incapacity.

Customer Engagement Reports (CERs) are the crown jewels of consulting, providing detailed blueprints that contain network architectures, authentication tokens, API keys, and infrastructure configurations. Red Hat's consultants held the keys to the kingdom for hundreds of organizations. Now those keys are for sale, with an October 10 deadline that arrives while the government may remain partially paralyzed.

The Belgian Centre for Cybersecurity has already issued warnings about the "high risk" to organizations, but the real concern extends far beyond Belgium. The exposed data includes projects with cryptic references that represent not only a compromised project but also a potential entry point into critical defense systems.

What makes this particularly concerning is the nature of consulting engagements. Unlike product vulnerabilities that can be universally patched, consulting deliverables are custom configurations with unique implementations and specific architectural decisions. There's no single patch to fix this. Each affected organization must carry out its own forensic investigation and reestablish the integrity of its security architecture.

The involvement of ShinyHunters, operating their extortion-as-a-service platform, adds another dimension, making this a confederation of cybercriminal groups that share infrastructure, capabilities, and stolen data. The business model is evolving from ransomware-as-a-service to something more insidious: ecosystem exploitation-as-a-service.

ShinyHunters is simultaneously extorting companies and now joining forces with Crimson Collective to monetize the Red Hat breach. They're not attacking individual companies. They're targeting entire supply chains, betting that the interconnected nature of modern IT infrastructure expands their leverage.

The Cipher Brief brings expert-level context to national and global security stories. It’s never been more important to understand what’s happening in the world. Upgrade your access to exclusive content by becoming a subscriber.

For adversarial nation-states watching from Beijing, Moscow, Tehran, and Pyongyang, this incident provides a masterclass in asymmetric warfare. The shutdown didn't cause the breach, but it created the perfect conditions for maximum impact.

The timing also suggests potential nation-state involvement or direction, even if it is indirect through cutouts. The targets selected, from defense contractors, government agencies, and critical infrastructure, align too perfectly with strategic intelligence collection priorities. Whether Crimson Collective is a pure criminal enterprise or a deniable asset, the effect is the same: America's defense industrial base is exposed at a moment of maximum vulnerability.

The Red Hat breach isn’t a new kind of threat; it’s a familiar playbook executed through new modalities. Our adversaries have long understood how to exploit U.S. vulnerabilities. What’s changed is their precision and timing. They’ve learned to weaponize not only our technical gaps but also our political divisions, striking not when they’re strongest, but when we’re distracted, and increasingly, we’re signaling exactly when that will be.

The October 10 deadline isn't just about ransom payments. It’s about whether America can safeguard its critical infrastructure when government operations themselves are constrained. The answer to that question will extend well beyond Red Hat’s customer base, sending signals to allies and competitors alike about the resilience of America’s digital ecosystem.

Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.

Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.

Read more expert-driven national security insights, perspective and an

Even seemingly trivial posts can add to divisions already infecting the nation. Over the summer, a deepfake video depicting Rep. Alexandria Ocasio-Cortez (D-NY) discussing the perceived racist overtones of a jeans commercial went viral. At least one prominent news commentator was duped, sharing misinformation with his audience. While the origin of the fake is unknown, foreign adversaries, namely China, Russia, and Iran, often exploit domestic wedge issues to erode trust in elected officials.

Last year, Sen. Ben Cardin (D-MD) was deceived by a deepfake of Dmytro Kuleba, the former foreign minister of Ukraine, in an attempt to get the senator to reveal sensitive information about Ukrainian weaponry. People briefed on the FBI’s investigation into the incident suggest that the Russian government could be behind the deepfake, and that the Senator was being goaded into making statements that could be used for propaganda purposes.

In another incident, deepfake audio recordings of Secretary of State Marco Rubio deceived at least five government officials and three foreign ministers. The State Department diplomatic cable announcing the deepfake discovery also referenced an additional investigation into a Russia-linked cyber actor who had “posed as a fictitious department official.”

Meanwhile, researchers at Vanderbilt University’s Institute of National Security revealed that a Chinese company, GoLaxy, has used artificial intelligence to build psychological profiles of individuals including 117 members of Congress and 2,000 American thought leaders. Using these profiles, GoLaxy can tailor propaganda and target it with precision.

While the company denies that it — or its backers in the Chinese Communist Party — plan to use its advanced AI toolkit for influence operations against U.S. leaders, it allegedly has already done so in Hong Kong and Taiwan. Researchers say that in both places, GoLaxy profiled opposition voices and thought leaders and targeted them with curated messages on X (formerly Twitter), working to change their perception of events. The company also allegedly attempted to sway Hong Kongers’ views on a draconian 2020 national security law. That GoLaxy is now mapping America’s political leadership should be deeply concerning, but not surprising.

GoLaxy is far from the only actor reportedly using AI to influence public opinion. The same AI-enabled manipulation that now focuses on national leaders will inevitably be turned on mayors, school board members, journalists, CEOs — and eventually, anyone — deepening divisions in an already deeply divided nation.

Limiting the damage will require a coordinated response drawing on federal resources, private-sector innovation, and individual vigilance.

The Cipher Brief brings expert-level context to national and global security stories. It’s never been more important to understand what’s happening in the world. Upgrade your access to exclusive content by becoming a subscriber.

The White House has an AI Action Plan that lays out recommendations for how deepfake detection can be improved. It starts with turning the National Institute of Standards and Technology’s Guardians of Forensic Evidence deepfake evaluation program into formal guidelines. These guidelines would establish trusted standards that courts, media platforms, and consumer apps could use to evaluate deepfakes.

These standards are important because some AI-produced videos may be impossible to detect with the human eye. Instead, forensic tools can reveal deepfake giveaways. While far from perfect, this burgeoning deepfake detection field is adapting to rapidly evolving threats. Analyzing the distribution channels of deepfakes can also help determine their legitimacy, particularly for media outlets that want to investigate the authenticity of a video.

Washington must also coordinate with the tech industry, especially social media platforms, through the proposed AI Information Sharing and Analysis Center framework to build an early warning system to monitor, detect, and inform the public of influence operations exploiting AI-generated content.

The White House should also expand collaboration between the federal Cybersecurity and Infrastructure Security Agency, FBI, and the National Security Agency on deepfake responses. This combined team would work with Congress, agency leaders, and other prominent targets to minimize the spread of unauthorized synthetic content and debunk misleading information.

Lastly, public figures need to create rapid response communication playbooks to address the falsehoods head on and educate the public when deepfakes circulate. The United States can look to democratic allies like Taiwan for inspiration in how to deal with state-sponsored disinformation. The Taiwanese government has adopted the “222 policy” releasing 200 words and two photos within two hours of disinformation detection.

Deepfakes and AI-enabled influence campaigns represent a generational challenge to truth and trust. Combating this problem will be a cat-and-mouse game, with foreign adversaries constantly working to outmaneuver the safeguards meant to stop them. No individual solution will be enough to stop them, but by involving the government, the media, and individuals, it may be possible to limit their damage.

The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.

Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.

Have a perspective to share based on your experience in the national security field? Send it to Editor@thecipherbrief.com for publication consideration.

EXPERT INTERVIEW — Riyadh’s Global Cybersecurity Forum (GCF) in Saudi Arabia kicked off last week under the theme “Scaling Cohesive Advancement in Cyberspace.” The gathering came as researchers are increasingly discovering new malware and hacking campaigns, cybercrime is at an all-time high, and, in the U.S., critical cybersecurity legislation and authorities have been allowed to expire.

We caught up there with Chris Inglis, the first U.S. National Cyber Director, who says he sees reason for optimism. Inglis spoke on a cybercrime panel at the GCF and told us why he’s bullish on the prospect of cooperation and collaborative action to effectively counter cyber threats. Our conversation has been lightly edited for length and clarity.

The Cipher Brief: What is the real focus there right now as all of these cyber experts gather?

Inglis: There is a buzz to be sure, and I think that buzz kind of revolves around the use of the term in their title this year, which is to do “cohesive scaling.” Both of those attributes are important. Cohesive implies the notion not just of concurrent action, but collaborative action. And scale is what lies before us. So we must scale this effort because we're being crowdsourced by a vast array of actors, malign actors, holdings at risk through things like ransomware or insertions or critical infrastructure. So I think the buzz is what do we do together as opposed to the single point solutions that might be offered by the technologist alone.

The Cipher Brief: You're on a panel there talking about cybercrime and the global stakeholders associated with cybercrime. Can you give us a few highlights of some of the things that you're going to talk about in that session?

Inglis: I think that the reality of cybercrime is it's perhaps a more appealing, more transcendent issue to focus collective action on, because every citizen, regardless of what nation he or she might be from, cares about crime and wants to live in a world where they're not going to be thwarted or taken down by somebody that takes advantage of digital infrastructure that's not quite fit for purpose.

And so rather than talk about who those actors are that hold them at risk or talk about coalitions of one form or another that might take on coalitions of malign actors, let's talk about the needs of our citizens and that everyone wants to live in a crime-free world. That might sound like a bit of a panacea, but there's no one that would argue against that.

And I think the other thing about taking on the criminal elements is that there's so many of them, the cost of entry is still so low and the assets they might acquire still so high that we're never going to entirely remove them from the field. That might sound like I'm giving up before I even start, but it's going to focus us on this high-leverage proposition of, what if we just made it too hard for them to succeed? I then don't need to find each and every one of those that's transgressed and succeeded against me. I actually am in a better place because they decided today not to try or they failed in trying in the first place.

And so it focuses us, again, on resilience and robustness, not for its own sake, but so that we might have confidence in digital infrastructure. I think those are the highlights of this collective action and a focus on resilience.

The Cipher Brief: Oftentimes, criminal groups now are being backed by nation states. How is that being tackled at an international forum like this?

Inglis: We're being too kind. Sometimes, criminal enterprises are nation states, thinking about North Korea where it's a money-making proposition. It's an unholy alliance to be sure, and I think it gives them the kind of backing that we do not want to put into the hands of any single adversary. But we have the right on the defensive side to not simply collaborate, but to do so in the light of day. We don't have to skulk about in the dark or to accomplish these crowdsourcing activities on the dark web. We could do it in the light of day in a place like Riyadh, which is what's taking place here.

Talking about what our common aspirations are for our citizens, talking about what the common kind challenges are to those aspirations, and thinking about not just collective action, which might be a concurrent application of all this talent, but collaborative action with a degree of professional intimacy that we actually assist one another in ways that no one of us could succeed alone. So I'm bullish about what the defense can pull off if they follow the same tactics that the offense does, which is let's crowdsource the other side.

The Cipher Brief: While you're talking about collaboration in Riyadh, CISA 2015 expired here in the United States on September 30th, and that really has a lot of indicators in terms of information sharing between government and the private sector. How serious of an issue is this?

Inglis: Of course, I'm worried about the lack of the legal authority and the liability protections that are attendant to that. But if it was truly valuable in the first place, then I hope, imagine and am confident that that degree of sharing still goes on. That form should follow function.

We should get the law back in place as soon as possible. I've heard no one argue against the usefulness of that, and we're just caught in a time and place where we ran out of time. But behind the scenes, hopefully, and I'm more than hopeful, I'm confident there is a degree of collaboration going on. Why? Not because it's mandated, but because it's useful to all sides.

The Cipher Brief: President Trump was just in Saudi Arabia earlier this year where he announced a pretty incredible investment package. AI was a big focus of his trip there, and of those announcements that were made, I'm wondering how concerned you are about autonomous AI-driven cyber weapons escalating conflicts, and if there is a path toward international guardrails or norms here.

Inglis: I don't think anyone's actually talking about the literal kind of creation of autonomous AI driven systems. That term is sometimes not well-defined. Ask it this way, which is do we want weapon systems that can change sides in the middle of a war? Of course not. So we don't want autonomous weapon systems. But do we want highly capable weapon systems that augment human capacity, that can take a line of action from a human being who remains accountable, the human remains accountable, and execute that at scope and scale in ways that a human alone could not? Yes, of course we do, but we need a value scheme to go with that. And there's talk not just on the part of governments, but on the part of the private sector for the necessity of that.

If we went back 50, 60 years to the days of early robotics, Isaac Asimov would be advising us that we should have three rules for robots. One, it should never hurt a human being. Two, it should obey human beings. And three, it should protect itself. In that order. And it turns out there's an equivalent to those three simple rules for generative AI or agentic AI.

I'm not afraid of AI that achieves human-like capacities, but I am very nervous about having it be completely independent of human beings. And no one that I know is talking about having it be independent of human beings. Human accountability must and will remain on the loop, even though the speed of the human's ability to think through the complex problems AI can take on is going to be overmatched in a wondrous way by generative AI. We will remain accountable for it, and therefore the values that Asimov would recommend play through to this day. And I think that there's a version of that in every instance that I've seen of responsible parties talking about let's use this way in some different capacity.

Sign up for the Cyber Initiatives Group Sunday newsletter, delivering expert-level insights on the cyber and tech stories of the day – directly to your inbox. Sign up for the CIG newsletter today.

The Cipher Brief: How bullish are you on the idea of norms, particularly when we're seeing so many nation-states using cyber as a national security tool, an espionage tool, and cybercrime? How bullish are you on norms and the effectiveness of norms?

Ingli: I'm bullish on the utility of norms. I'm less bullish on the implementation of those kind of universally and kind of the same across all kind of players in this space. As we talked about earlier in this conversation, clearly there are some actors who are broadly ignoring those norms, and the answer to that is to not for ourselves to actually similarly violate those norms. Why? Because our people are then disadvantaged in that regard. They get caught in the churn. Our allies or those who would collaborate with us in this world will not then commit their full-time and attention to that in the absence of shared value, shared norms, shared aspirations, and so I think that norms still have their value, and it still tells us how we actually deliver on the human aspirations that ultimately have a foundation in values, not just technology.

The Cipher Brief: What are some of the most interesting conversations that you've had on the sidelines there in Riyadh?

Inglis: I think the most interesting conversations are about those who argue for collaboration as opposed to division of effort. And the pitch that they make is not one that's to their own advantage, it's to the collective advantage. Reminding us that we're not trying to solve similar problems. We're all trying to solve the same problem or deliver the same aspirations to our citizens. Those are the most compelling conversations that I've seen so far.

And the focus by the GCF, the Global Cyber Forum that's convened here by the Saudis, a focus on those things that every parent, every human being could find a noble aspiration for our children: child protection, elimination of ransomware that holds individuals and small businesses at risk. Those are, I think, the most meaningful discussions. The technology can follow, the doctrine can follow, but if we get those aspirations right, we're in a better place at the start.

Are you Subscribed to The Cipher Brief’s Digital Channel on YouTube? There is no better place to get clear perspectives from deeply experienced national security experts.

Read more expert-driven national security insights, perspective and analysis in The Cipher Brief because National Security is Everyone’s Business.