Chinese-sponsored groups are using the popular Brickstorm backdoor to access and gain persistence in government and tech firm networks, part of the ongoing effort by the PRC to establish long-term footholds in agency and critical infrastructure IT environments, according to a report by U.S. and Canadian security offices.
The Department of Veterans Affairs is moving toward a more operational approach to cybersecurity.
This means VA is applying a deeper focus on protecting the attack surfaces and closing off threat vectors that put veterans' data at risk.
Eddie Pool, the acting principal assistant secretary for information and technology and acting principal deputy chief information officer at VA, said the agency is changing its cybersecurity posture to reflect a cyber dominance approach.
Eddie Pool is the acting principal assistant secretary for information and technology and acting principal deputy chief information officer at the Department of Veterans Affairs.
"That's a move away from the traditional and an exclusively compliance-based approach to cybersecurity, where we put a lot of our time, resources, investments in compliance-based activities," Pool said on Ask the CIO. "For example, did someone check the box on a form? Did someone file something in the right place? We're really moving a lot of our focus over to the risk-based approach to security, pushing things like zero trust architecture, micro segmentation of our networks and really doing things that are more focused on the operational landscape. We are more focused on protecting those attack surfaces and closing off those threat vectors in the cyber space."
A big part of this move to cyber dominance is applying the concepts that make up a zero trust architecture like micro segmentation and identity and access management.
Pool said as VA modernizes its underlying technology infrastructure, it will "bake in" these zero trust capabilities.
"Over the next several years, you're going to see that naturally evolve in terms of where we are in the maturity model path. Our approach here is not necessarily to try to map to a model. It's really to rationalize what are the highest value opportunities that those models bring, and then we prioritize on those activities first," he said. "We're not pursuing it in a linear fashion. We are taking parts and pieces and what makes the most sense for the biggest thing for our buck right now, that's where we're putting our energy and effort."
One of those areas that VA is focused on is rationalizing the number of tools and technologies it's using across the department. Pool said the goal is to get down to a specific set instead of having the "31 flavors" approach.
"We're going to try to make it where you can have any flavor you want so long as it's chocolate. We are trying to get that standardized across the department," he said. "That gives us the opportunity from a sustainment perspective that we can focus the majority of our resources on those enterprise standardized capabilities. From a security perspective, it's a far less threat landscape to have to worry about having 100 things versus having two or three things."
The business process reengineering priority
Pool added that redundancy remains a key factor in the security and tool rationalization effort. He said VA will continue to have a diversity of products in its IT investment portfolios.
"Where we are at is we are looking at how do we build that future state architecture, as elegantly and simplistically as possible so that we can manage it more effectively, they can protect it more securely," he said.
In addition to standardizing on technology and cyber tools and technologies, Pool said VA is bringing the same approach to business processes for enterprisewide services.
He said over the years, VA has built up a laundry list of legacy technology all with different versions and requirements to maintain.
"We've done a lot over the years in the Office of Information and Technology to really standardize on our technology platforms. Now it's time to leverage that, to really bring standard processes to the business," he said. "What that does is that really does help us continue to put the veteran at the center of everything that we do, and it gives a very predictable, very repeatable process and expectation for veterans across the country, so that you don't have different experiences based on where you live or where you're getting your health care and from what part of the organization."
Part of the standardization effort is that VA will expand its use of automation, particularly in processing of veterans claims.
Pool said the goal is to take more advantage of the agencyβs data and use artificial intelligence to accelerate claims processing.
"The richness of the data and the standardization of our data that we're looking at and how we can eliminate as many steps in these processes as we can, where we have data to make decisions, or we can automate a lot of things that would completely eliminate what would be a paper process, that is our focus," Pool said. "We're trying to streamline IT to the point that it's as fast and as efficient, secure and accurate as possible from a VA processing perspective, and in turn, it's going to bring a decision back to the veteran a lot faster, and a decision that's ready to go on to the next step in the process."
Many of these updates already are having an impact on VAβs business processes. The agency said that it set a new record for the number of disability and pension claims processed in a single year, more than 3 million. That beat its record set in 2024 by more than 500,000.
"We're driving benefit outcomes. We're driving technology outcomes. From my perspective, everything that we do here, every product, service capability that the department provides the veteran community, it's all enabled through technology. So technology is the underpinning infrastructure, backbone to make all things happen, or where all things can fail," Pool said. "First, on the internal side, it's about making sure that those infrastructure components are modernized. Everything's hardened. We have a reliable, highly available infrastructure to deliver those services. Then at the application level, at the actual point of delivery, IT is involved in every aspect of every challenge in the department, to again, bring the best technology experts to the table and look at how can we leverage the best technologies to simplify the business processes, whether that's claims automation, getting veterans their mileage reimbursement earlier or by automating processes to increase the efficacy of the outcomes that we deliver, and just simplify how the veterans consume the services of VA. That's the only reason why we exist here, is to be that enabling partner to the business to make these things happen."
Maximum Physical Privacy and Security as a Crypto Whale: OpSec Strategies Against Physical Threats & Scams
In recent years, physical attacks on cryptocurrency holders have surged dramatically. According to data tracked by Bitcoin security expert Jameson Lopp, reported physical attacks on Bitcoin and crypto holders increased by 169% in just six months in 2025, with dozens of violent incidents including kidnappings, home invasions, and armed robberies.
Lopp maintains a comprehensive list of over 200 known physical attacks since 2014, ranging from $5 wrench attacks (where attackers use physical coercion to force transfers) to organized kidnappings involving torture.
As a crypto whale—someone holding significant digital assets—you are a high-value target. Criminals know crypto transfers are irreversible, making you more attractive than traditional wealthy individuals. Beyond digital hacks, threats now include real-world violence and sophisticated scams like pig butchering that can lead to doxxing, luring, or physical meetings.
This article focuses on physical OpSec (operational security) to maximize privacy and safety in everyday life, drawing from best practices recommended by experts like Lopp and security firms.
Adopt a Low-Profile Lifestyle: The Foundation of Physical Privacy
The best defense is not being targeted in the first place.
Never discuss your crypto holdings publicly, at parties, or even with close friends unless absolutely necessary. Loose lips lead to targeting.
Avoid all visible signals of wealth or crypto involvement: No Bitcoin bumper stickers, conference lanyards, luxury watches/cars that stand out, or social media posts showing opulent lifestyles.
Dress modestly, drive common vehicles, and live in unassuming neighborhoods. Blend in completely.
Remove online traces: Scrub old posts, use pseudonyms, avoid linking real identity to wallets or addresses.
Fortify Your Home and Personal Environment
Your residence is the most likely attack vector.
Install layered physical barriers: Reinforced doors with deadbolts, shatter-resistant window film, motion-activated floodlights, visible security cameras, and alarm systems monitored 24/7.
Create natural deterrents: Thorny bushes under windows, fenced property with locked gates, no easy climbing points.
Build a safe room (panic room) with a solid-core door, independent communication (satellite phone or hardline), supplies, and a weapon if legal/trained.
Store seed phrases and hardware wallets in bolted safes or bank safety deposit boxes—never all in one place.
Consider professional security assessments or guarded communities if your holdings justify it.
Design Your Wallet Setup Defensively Against the $5 Wrench Attack
The classic $5 wrench attack—where an attacker threatens violence until you hand over keys—cannot be fully prevented, but it can be made impractical.
Use multisignature (multisig) wallets requiring multiple keys from geographically separated locations (e.g., different cities or countries). Even under duress, you physically cannot comply quickly, forcing attackers to keep you hostage longer and increasing their risk.
Distribute keys/backups across trusted family, institutions, or secure vaults in multiple jurisdictions.
Avoid "duress PINs" or decoy wallets—attackers may test them or continue violence if they suspect more funds.
Consider collaborative custody services (e.g., Casa, AnchorWatch) that add institutional keys and emergency lockdowns.
Daily Movement and Travel OpSec
Vary routines: Routes to work, gym times, etc. Predictability enables ambushes.
Maintain situational awareness: Head on swivel, avoid phone distraction in public, note tailing vehicles/people.
Travel low-key: Use rideshares or rentals instead of personal luxury vehicles; fly commercial in economy if possible; never post travel plans in real-time.
For high-risk areas (e.g., certain countries with known crypto kidnappings), hire executive protection or avoid altogether.
Carry minimal identifying info; use burner phones for sensitive communications.
OpSec often comes into play in public settings. For example, if members of your team are discussing work-related matters at a nearby lunch spot, during a conference, or over a beer, odds are that someone could overhear. As they say, loose lips can sink ships, so make sure you don't discuss any sensitive company information while out in public.
A lot of OpSec missteps can be avoided by being more aware of your surroundings and the context in which you are speaking: what you're saying, where you are, who you're speaking to, and who might overhear. It's a good idea to go over the "no-no's" for your specific company during onboarding and to remind employees of them periodically.
Counter Social Engineering, Phone Scams, and Pig Butchering Schemes
Many physical attacks begin with doxxing via scams.
Phone scams / SIM swapping: Use authentication app 2FA (not SMS), put PINs/passwords on mobile accounts, screen unknown calls ruthlessly, never give out verification codes.
To lock down your SIM, contact your mobile phone carrier. That is a standard that has been tested by telecommunications operators in the US, the UK, Poland, and China—also check out this tweet and this article. You just need to insist on it or visit the head office, and I'm sure that the support manager on the phone may not know about it! Ask them to NEVER make changes to your phone number/SIM unless you physically show up to a specific store with at minimum two forms of identification. This (should) prevent hackers from calling up AT&T or T-Mobile or Vodafone, claiming to be you, and asking them to port your phone number to a new phone.
Get countermeasures in place. The last step of operational security is to create and implement a plan to eliminate threats and mitigate risks. This could include updating your hardware, creating new policies regarding sensitive data, or training employees on sound security practices and company policies. Countermeasures should be straightforward and simple.
Pig Butchering Schemes
These long-con scams build fake romantic or friendship relationships online, then push βlucrativeβ crypto investments on fake platforms.
Red flags: Unsolicited contact on dating/social apps, rapid affection, steering conversation to crypto, pushing specific (fake) platforms.
Rule: Never invest with or send crypto to anyone you met online. Period. If someone disappears when you refuse to invest, it confirms the scam.
General rule: Any unsolicited investment "opportunity," recovery scam, or urgency play is fraud.
Additional Physical OpSec Tips for Crypto Whales (Updated for Late 2025 Threats)
We're talking home invasions with intruders posing as delivery drivers (San Francisco $11M robbery on Nov 22), street kidnappings (Bangkok, Bali, Ukraine), carjackings forcing on-the-spot transfers (Oxford), and straight-up torture/murder when victims can't or won't pay (Dubai double murder, multiple Russian cases). The pattern is clear: organized crews now routinely use delivery disguises, follow targets from public places, grab people off the street, or hit homes with overwhelming force and torture.
The threat model has upgraded from opportunistic thugs to professional kidnapping rings.
Delivery & Package Paranoia
2025's #1 new vector is criminals posing as FedEx/Uber Eats/Amazon drivers.
Never accept unsolicited deliveries. Route all hardware wallets, seed backup plates, anything valuable to PO Boxes, private mailboxes (e.g., UPS Store), or secure coworking spaces, or lawyer/accountant offices.
Install a package locker or secure drop box outside your perimeter that doesn't require you to open the door.
Use doorbell cams + intercom. If a delivery person shows up you didn't order, do not open the door—ever. Tell them to leave it outside the gate or return later.
Bonus: Have mail forwarded through re-mailing services (e.g., Traveling Mailbox or Earth Class Mail) so your real address never appears on anything.
Thief posing as a delivery man steals $11mn in crypto from a man in San Francisco, after tying him up and pulling a gun.
Data Broker Scrubbing + Digital Footprint Eradication
Most victims who got hit hard were doxxed through basic OSINT.
Pay for professional deletion services (DeleteMe, Kanary, OneRep, or 360 Privacy)—do it quarterly. The average whale appears on 70–120 data broker sites with home address, phone, relatives, property records.
Remove your home from Google Street View (request blur) and Zillow, Redfin, etc.
If you're really paranoid (you should be), buy your next house through an anonymous land trust or Wyoming/LLC structure so your name isn't on public property records.
Duress Planning That Actually Works
Decoy wallets are good, but pros now expect them and will keep torturing. Real solution:
Have a very believable "main" hot wallet with $50k–$250k (enough to satisfy most crews).
Real stack in geo-distributed multisig that literally cannot be moved without keys in 2–3 different countries and a 7–30 day timelock on large amounts.
Practice your duress story: "That's everything, I promise—the rest is in a multisig with my ex-wife in Canada and my lawyer in Switzerland. It takes weeks to move."
Safe room with ballistic blanket/door, satellite phone or VOIP line independent of home power, and a weapon if you're trained.
Family & Staff OpSec (The Weakest Link 90% of the Time)
Most tortured victims in 2025 were attacked together with spouses/kids/parents because the attackers knew the whole family would be home.
Your spouse and adult children must fully understand OpSec—no bragging, no crypto stickers, no "my husband is loaded in Bitcoin" comments at school events.
Domestic staff (cleaners, nannies, gardeners) are the #1 leak vector. Vet them like you're hiring a CIA asset—background checks, NDAs, never let them go if they ever ask about crypto.
Give family pre-agreed code words for phone calls (AI voice cloning + fake kidnapping calls are now common).
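A way to reason about the geo-distributed multisig with a timelock described in the duress-planning points above, as an added example that is not part of the original article: the policy model below checks that no single jurisdiction holds enough keys to form a quorum (the property that makes "the rest is in another country" true rather than a bluff) and that spends above a size threshold are held for the timelock. Holder labels, jurisdictions, thresholds and amounts are constructed for the example. Real wallets enforce these rules in on-chain script or through a collaborative custodian; this is only a model of the rules a practitioner would want the setup to satisfy.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    holder: str        # who controls the signing device (constructed labels)
    jurisdiction: str  # country code where that key physically lives


@dataclass
class MultisigPolicy:
    keys: tuple              # every key in the quorum
    threshold: int           # m-of-n: how many keys must sign
    large_amount_btc: float  # spends above this size are subject to the timelock
    timelock_days: int       # how long a large spend waits after the request


def jurisdictions_needed(policy: MultisigPolicy) -> int:
    """Smallest number of distinct jurisdictions that can assemble a quorum.

    Greedy: take the jurisdiction holding the most keys first. If one country
    alone can reach the threshold, a crew that controls you there can move funds.
    """
    per_country = sorted(Counter(k.jurisdiction for k in policy.keys).values(), reverse=True)
    needed, collected = 0, 0
    for count in per_country:
        needed += 1
        collected += count
        if collected >= policy.threshold:
            break
    return needed


def audit_policy(policy: MultisigPolicy) -> list:
    """Static findings against the setup, before any spend is attempted."""
    findings = []
    if not 1 <= policy.threshold <= len(policy.keys):
        findings.append("threshold must lie between 1 and the number of keys")
    elif jurisdictions_needed(policy) < 2:
        findings.append("a quorum can be assembled inside a single jurisdiction")
    if policy.timelock_days <= 0:
        findings.append("large spends have no timelock")
    return findings


def authorize_spend(policy: MultisigPolicy, amount_btc: float,
                    signers: set, days_since_request: int):
    """Decide whether a spend request is released, and say why not otherwise."""
    signed = set(signers) & set(policy.keys)
    if len(signed) < policy.threshold:
        return False, f"only {len(signed)} of {policy.threshold} required keys signed"
    if amount_btc > policy.large_amount_btc and days_since_request < policy.timelock_days:
        remaining = policy.timelock_days - days_since_request
        return False, f"large spend held for {remaining} more day(s) by the timelock"
    return True, "spend authorized"


# Constructed 3-of-4 setup: two keys with the owner in the US, one with a lawyer in
# Switzerland, one with a family member in Canada. No single country holds three.
OWNER = Key("owner", "US")
OWNER_BACKUP = Key("owner-safe", "US")
LAWYER = Key("lawyer", "CH")
FAMILY = Key("family", "CA")
DISTRIBUTED = MultisigPolicy(keys=(OWNER, OWNER_BACKUP, LAWYER, FAMILY),
                             threshold=3, large_amount_btc=1.0, timelock_days=14)

# Constructed weak setup: 2-of-3 where both owner keys sit in the same country.
SAME_COUNTRY = MultisigPolicy(keys=(OWNER, OWNER_BACKUP, LAWYER),
                              threshold=2, large_amount_btc=1.0, timelock_days=0)

if __name__ == "__main__":
    print(audit_policy(DISTRIBUTED), audit_policy(SAME_COUNTRY))
    print(authorize_spend(DISTRIBUTED, 25.0, {OWNER, OWNER_BACKUP, LAWYER}, 0))
```

The audit is the part worth running before anything is funded: a 2-of-3 with two keys in the same house passes a naive "it's multisig" check but fails `jurisdictions_needed`, and that is exactly the configuration an attacker at the door can drain.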
Bitcoin 2025 in Vegas and every major conference now has professional spotters.
Book flights/hotels under alias or corporate name.
Never post that you're going until you're already home.
Use cash or privacy.com virtual cards for everything on-site.
Travel with a "burner" phone and laptop that have zero access to real keys.
If you're a known whale, hire close protection for the duration—it's $2–4k/day and worth every penny.
The Nuclear Options (For 9-Figure+ Holders)
Relocate to a truly safe jurisdiction (UAE, Singapore, Switzerland, or certain gated compounds in Puerto Rico/Cayman).
Full-time executive protection team + armored vehicle with driver.
Collaborative custody with institutions that have armed response protocols (e.g., AnchorWatch + private security integration).
During and After an Incident
Life > Bitcoin. If attacked, comply as needed but use multisig delays to your advantage ("I need my partner in another country").
Have emergency lockdown features enabled on wallets/apps.
Report incidents to authorities and communities (e.g., contribute to Lopp's list) to help others.
Have inheritance/dead-man-switch planning so funds aren't lost if the worst happens.
Final Thoughts
Bottom line for end of 2025: The game has permanently changed. The crews doing these hits are no longer random junkies—they're transnational gangs who research targets for months, use fake delivery uniforms bought on Telegram, and are willing to waterboard you while your kids watch if they think you have more. Silence, geographic distribution of keys, and making yourself an annoyingly hard target are now non-negotiable if you want to keep both your bitcoin and your fingernails.
Maximum physical privacy as a crypto whale requires treating yourself like a high-net-worth individual in witness protection—constant vigilance, multiple defense layers, and acceptance that perfect security doesn't exist, only making attacks too costly or difficult. The combination of strict OpSec, physical fortifications, geographically distributed multisig, and scam paranoia has kept many whales safe despite rising threats.
Implement these gradually, starting with the basics: shut up about your stack, secure your home, and distribute your keys. Your wealth is freedom—don't let poor OpSec turn it into a liability. Stay safe!
If you want to support my work, please consider donating to me:
0x1191b7d163bde5f51d4d2c1ac969d514fb4f4c62 or officercia.eth—all supported EVM chains;
17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU or bc1q75zgp5jurtm96nltt9c9kzjnrt33uylr8uvdds—Bitcoin;
If you enjoy my content and want to help keep it ad-free, please consider supporting my work through donations. Your contributions will allow me to dedicate more time to crafting in-depth articles and sharing even more valuable insights.
For too long, security has been cast as a bottleneck — swooping in after developers build and engineers test to slow things down. The reality is blunt: if it's bolted on, you've already lost. The ones that win make security part of every decision, from the first line of code to the last boardroom conversation...
Chrome 143 fixes 13 security vulnerabilities, including four high-severity flaws, in a December desktop update rolling out to Windows, macOS, and Linux users.
There are reports of a public Proof of Concept (PoC), but the repository that has been linked explicitly calls out that it is not a true PoC, but merely research into how the vulnerability might work. As far as I can tell, there is not yet a public PoC, but reputable researchers have been able to reverse engineer the problem. This implies that mass exploitation attempts are not far off, if they haven't already started.
Legal AI Breaks Attorney-Client Privilege
We often cover security flaws that are discovered by merely poking around the source of a web interface. [Alex Schapiro] went above and beyond the call of duty, manually looking through minified JS, to discover a major data leak in the Filevine legal AI. And the best part, the problem isnβt even in the AI agent this time.
The story starts with subdomain enumeration — the process of searching DNS records, Google results, and other sources for valid subdomains. That resulted in a valid subdomain and a not-quite-valid web endpoint. This is where [Alex] started digging through JavaScript, and found an Amazon AWS endpoint, and a reference to BOX_SERVICE. Making requests against the listed endpoint resulted in both boxFolders and a boxToken in the response. What are those, and what is Box?
Box is a file sharing system, similar to a Google Drive or even Microsoft Sharepoint. And that boxToken was a valid admin-level token for a real law firm, containing plenty of confidential records. It was at this point that [Alex] stopped interacting with the Filevine endpoints, and contacted their security team. There was a reasonably quick turnaround, and when [Alex] re-tested the flaw a month later, it had been fixed.
JSON Formatting As A Service
The web is full of useful tools, and I'm sure we all use them from time to time. Or maybe I'm the only lazy one that types a math problem into Google instead of opening a dedicated calculator program. I'm also guilty of pasting base64 data into a conversion web site instead of just piping it through base64 and xxd in the terminal. Watchtowr researchers are apparently familiar with such laziness efficiency, in the form of JSONformatter and CodeBeautify. Those two tools have an interesting feature: an online save function.
You may see where this is going. Many of us use Github Gists, which supports secret gists protected by long, random URLs. JSONformatter and CodeBeautify don't. Those URLs are short enough to enumerate — not to mention there is a Recent Links page on both sites. Between the two sites, there are over 80,000 saved JSON snippets. What could possibly go wrong? Not all of that JSON was intended to be public. It's not hard to predict that JSON containing secrets was leaked through these sites.
And then on to the big question: Is anybody watching? Watchtowr researchers beautified a JSON containing a Canarytoken in the form of AWS credentials. The JSON was saved with the 24 hour timeout, and 48 hours later, the Canarytoken was triggered. That means that someone is watching and collecting those JSON snippets, and looking for secrets. The moral? Don't upload your passwords to public sites.
Shai Hulud Rises Again
NPM continues to be a bit of a security train wreck, with the Shai Hulud worm making another appearance, with some upgraded smarts. This time around, the automated worm managed to infect 754 packages. It comes with a new trick: pushing the pilfered secrets directly to GitHub repositories, to overcome the rate limiting that affected this worm the first time around. There were over 33,000 unique credentials captured in this wave. When researchers at GitGuardian tested that list a couple days later, about 10% were still valid.
This wave was launched by a PostHog credential that allowed a malicious update to the PostHog NPM package. The nature of Node.js means that this worm was able to very quickly spread through packages where maintainers were using that package. Version 2.0 of Shai Hulud also includes another nasty surprise, in the form of a remote control mechanism stealthily installed on compromised machines. It implies that this is not the last time we'll see Shai Hulud causing problems.
Bits and Bytes
[Vortex] at ByteRay took a look at an industrial cellular router, and found a couple major issues. This ALLNET router has an RCE, due to CGI handling of unauthenticated HTTP requests. It's literally just /cgi-bin/popen.cgi?command=whoami to run code as root. That's not the only issue here, as there's also a hardcoded username and password. [Vortex] was able to derive that backdoor account information and use hashcat to crack the password. I was unable to confirm whether patched firmware is available.
Google is tired of their users getting scammed by spam phone calls and texts. Their latest salvo in trying to defeat such scams is in-call scam protection. This essentially detects a banking app that is opened as a result of a phone call. When this scenario is detected, a warning dialogue is presented, that suggests the user hangs up the call, and forces a 30 second waiting period. While this may sound terrible for sophisticated users, it is likely to help prevent fraud against our collective parents and grandparents.
What seemed to be just an illegal gambling ring of web sites, now seems to be the front for an Advanced Persistent Threat (APT). That term, btw, usually refers to a government-sponsored hacking effort. In this case, instead of a gambling fraud targeting Indonesians, it appears to be targeting Western infrastructure. One of the strongest arguments for this claim is the fact that this network has been operating for over 14 years, and includes a mind-boggling 328,000 domains. Quite the odd one.
The dangerous ClayRat Android spyware has evolved, gaining the ability to steal PINs, record screens, and disable security by abusing Accessibility Services. Users must beware of fake apps spreading through phishing sites and Dropbox.
Cybercriminals continue to exploit USB drives as infection vectors, with recent campaigns delivering sophisticated CoinMiner malware that establishes persistent cryptocurrency-mining operations on compromised workstations. Security researchers have documented an evolving threat that leverages social engineering and evasion techniques to avoid detection while mining Monero cryptocurrency on infected systems. In February 2025, AhnLab Security Intelligence Center […]
The MuddyWater threat group has escalated its cyber espionage operations by deploying UDPGangster, a sophisticated UDP-based backdoor designed to infiltrate Windows systems while systematically evading traditional network defenses. Recent intelligence gathered by FortiGuard Labs reveals coordinated campaigns targeting high-value victims across Turkey, Israel, and Azerbaijan, employing social engineering tactics paired with advanced anti-analysis techniques that […]
A newly disclosed critical vulnerability in Apache Tika could allow attackers to compromise servers by simply uploading a malicious PDF file, according to a security advisory published by Apache maintainers. Tracked as CVE-2025-66516, the flaw affects Apache Tika core, Apache Tika parsers, and the Apache Tika PDF parser module. CVE ID: CVE-2025-66516; Severity: Critical; Vulnerability Type: XML External […]
The cybersecurity landscape continues to evolve as threat actors deploy increasingly sophisticated tools to compromise Windows-based infrastructure. CastleRAT, a Remote Access Trojan that emerged around March 2025, represents a significant addition to the malware arsenal that defenders must now contend with. This newly discovered threat demonstrates the convergence of multiple attack techniques, enabling attackers to […]
Russian state-linked hackers are impersonating high-profile European security conferences to compromise cloud email and collaboration accounts at governments, think tanks, and policy organizations, according to new research from cybersecurity firm Volexity. The campaigns, active through late 2025, abuse legitimate Microsoft and Google authentication workflows and rely on painstaking social engineering to trick victims into effectively […]
Russian intelligence-linked cyber threat actors have intensified their operations against NATO research organizations, Western defense contractors, and NGOs supporting Ukraine, employing sophisticated phishing and credential harvesting techniques. The Calisto intrusion set, attributed to Russia's FSB intelligence service, has escalated its spear-phishing campaigns throughout 2025, leveraging the ClickFix malicious code technique to target high-value entities across […]
A critical command injection vulnerability in Array Networks' ArrayOS AG systems has become the focus of active exploitation campaigns, with Japanese organizations experiencing confirmed attacks since August 2025. According to alerts from JPCERT/CC, threat actors are leveraging the vulnerability to install webshells and establish persistent network access, marking a significant escalation in targeting enterprise VPN infrastructure. The […]
The UK's National Cyber Security Centre (NCSC) has introduced a new initiative designed to protect organisations from cyber threats. Working alongside Netcraft, the NCSC has launched the Proactive Notification Service, a groundbreaking program that identifies and alerts system owners about security vulnerabilities affecting their networks. How the Service Works: The Proactive Notification Service operates by scanning […]