| The Record from Recorded Future News
therecord.media
Martin Matishak
February 4th, 2026

The U.S. military digitally disrupted Iranian air missile defense systems during its operation last year against the country’s nuclear program, some of the most sophisticated action Cyber Command has taken to date against Iran.

Exclusive: US used cyber weapons to disrupt Iranian air defenses during 2025 strikes
The U.S. military last year digitally disrupted Iranian air missile defense systems as part of a coordinated operation to destroy the country’s nuclear program, according to several U.S. officials, another sign of America’s growing comfort with employing cyber weapons in warfare.

The strike on a separate military system connected to the nuclear sites at Fordo, Natanz and Isfahan helped to prevent Iran from launching surface-to-air missiles at American warplanes that had entered Iranian airspace, the officials said.

“Military systems often rely on a complex series of components, all working correctly. A vulnerability or weakness at any point can be used to disrupt the entire system,” according to one individual familiar with the matter who, like others, spoke on the condition of anonymity to discuss sensitive information.

In hitting a so-called “aim point” — a mapped node on a computer network, such as a router, a server or some other peripheral device — U.S. operators, enabled by intelligence from the National Security Agency, bypassed what would have been a more difficult task of breaking into a military system located at one, or all, of the fortified nuclear facilities.

“Going ‘upstream’ can be extraordinarily hard, especially against one of our big four adversaries,” another official said, referring to the quartet of Iran, China, Russia and North Korea.

“You need to find the Achilles heel.”

None of the officials would specify what kind of device was attacked. At the request of sources, Recorded Future News withheld certain details about the cyberattack due to national security concerns.

“U.S. Cyber Command was proud to support Operation Midnight Hammer and is fully equipped to execute the orders of the Commander-in-Chief and the Secretary of War at any time and in any place," a command spokesperson said in a statement, without elaborating.

The digital element of June’s Operation Midnight Hammer, which has not been previously reported, is some of the most sophisticated action Cyber Command has taken against Iran in its nearly 16-year history.

Since being granted authorities to augment its offensive capabilities during the first Trump administration, the command skirmished with the Islamic Revolutionary Guard Corps and Iranian hacker groups in the run-up to the 2020 presidential election and moved against government-aligned malicious actors before they could disrupt the 2022 midterms.

Gen. Dan Caine, the chairman of the Joint Chiefs of Staff, publicly lauded Cyber Command’s contribution during a Pentagon press conference after Midnight Hammer concluded, noting it had supported the “strike package” that saw all three nuclear sites hit in a span of less than a half-hour.

The command received similar kudos last month after it conducted cyber operations that officials say knocked out power to Venezuela's capital and disrupted air defense radar, as well as handheld radios, as part of the mission to capture President Nicolás Maduro.

Cyber Command and others “began layering different effects” on Venezuela as commandos approached in helicopters in order to “create a pathway” for them, Caine said during a press conference at Mar-a-Lago.

Little has been shared about the command’s role in the ouster of Maduro, however. And while lawmakers received classified briefings on both digital operations last month, they are seeking more information about the digital attacks on Iran and Venezuela, hoping some details will eventually be shared with the public.

Venezuela has “been in the news and a lot of discussion about the fact that this was a good example of what happens when you combine all of the joint forces, including cyber operations,” Sen. Mike Rounds (R-SD), the chair of the Senate Armed Services cyber subcommittee, said during a hearing with defense officials last week.

“I understand that this [setting] is unclassified but there's a lot of folks out there that might now have a curiosity about this, and they may very well want to be a part of a team in the future that you're going to have to try to recruit,” he added.

The officials, for their part, declined to offer any fresh details and instead touted the use of cyber capabilities.

“I would tell you not just [Operation] Absolute Resolve [in Venezuela] but Midnight Hammer, in a number of other operations, we've really graduated to the point where we’re treating a cyber capability just like we would a kinetic capability, not sprinkling cyber on,” Army Lt. Gen. William Hartman, the acting chief of the command and the NSA, told the subcommittee.

Air Force Brig. Gen. Ryan Messer, deputy director for global operations on the Joint Staff, noted that Caine has put an “emphasis on not just traditional kinetic effects, but the role non-kinetic effects play in all of our global operations, especially cyber.”

He said that over the last six months, the Joint Staff has developed a “non-kinetic effects cell” that is “designed to integrate, coordinate and synchronize all of our non-kinetics into the planning and then, of course, the execution of any operation globally.”

In military jargon, “non-kinetic effects” are produced through capabilities like cyber tools, while “kinetic” generally refers to striking targets with missiles or by other physical means.

“The reality is that we’ve now pulled cyber operators to the forefront,” Messer said.

Iran and Venezuela suggest the “ideal use cases for cyber operations as enablers of conventional military operations,” according to Erica Lonergan, an adjunct fellow at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation.

“Altogether, both of these operations reflect the routinization of the use of cyber capabilities during military operations, and we should expect to see more of these in the future. In my view, this is a good thing, because it suggests we are moving beyond seeing cyber as a unique, exquisite (and dangerous) capability,” said Lonergan, a former director of the congressionally-mandated Cyberspace Solarium.

“I would not generalize from these cases to make inferences about how this might play out in the context of a contingency involving an adversary like China.”

cnn.com
By
Sean Lyngaas
PUBLISHED Jan 28, 2026, 6:00 AM ET

Weeks before the 2024 election, American military hackers carried out a secret operation to disrupt the work of Russian trolls spewing false information at US voters.

Weeks before the 2024 election, American military hackers carried out a secret operation to disrupt the work of Russian trolls spewing false information at US voters.

From their perch at Cyber Command at Fort Meade, Maryland, the military hackers took aim at the computer servers and key personnel of at least two Russian companies that were covertly pumping out the propaganda, according to multiple sources briefed on the operation.

The trolls were trying to influence election results in six swing states by publishing fictitious news stories that attacked American politicians who supported Ukraine. One of the companies had held “strategy meetings” with Kremlin officials on how to covertly influence US voters, according to an FBI affidavit.

In one case, the Cyber Command operatives planned to knock offline computer servers based in a European country that one of the Russian companies used, the sources said. Though the Russian trolls continued to create content through Election Day, when President Donald Trump defeated then-Vice President Kamala Harris, one source briefed on the hacking effort said it successfully slowed down the Russians’ operations.

The hacking campaign, which hasn’t been previously reported, was one of multiple US cyber operations against Russian and Iranian groups aimed at blunting foreign influence on the 2024 election. It was part of a broader US government effort involving the FBI, the Department of Homeland Security, and other intelligence and security agencies that exposed and disrupted foreign meddling.

But a year into a second Trump administration, many of the government centers previously tasked with repelling foreign influence operations have been disbanded or downsized — and local election officials are preparing to face a continued onslaught of foreign influence operations largely on their own.

The administration has shut down foreign-influence-focused centers at the Office of the Director of National Intelligence, the FBI and the State Department that helped warn the public that China, Russia and Iran’s spy services were targeting Americans with election-related disinformation. The Department of Homeland Security has also slashed its election security teams, which pass intelligence to local election offices and help them defend against cyber threats.

The Trump administration has accused those federal programs of censoring Americans and conducting domestic interference in US elections.

While military cyber operations are still an option, there is widespread concern among current and former officials that the US government’s willingness to combat foreign efforts to shape elections has waned. The cuts to election security programs risk causing an exodus of expertise at US intelligence and security agencies that was built up over nearly a decade.

The cuts come even as the US intelligence community found, in a threat assessment released by the Office of the Director of National Intelligence Tulsi Gabbard, that foreign powers will continue to try to influence US elections.

“I find it devastating and deeply alarming for our national security,” said Mike Moser, a former election security specialist at DHS’ Cybersecurity and Infrastructure Security Agency, who resigned after the agency froze its election work last year. “To see those partnerships unilaterally dismantled is a tragedy. We are losing the human and technological infrastructure that protects our democracy.”

Foreign influence and propaganda tend to increase in years when general elections or midterms are held. But even in the off-year of 2025, groups tied to authoritarian regimes were weighing in on races like the New York City mayoral election.

Chinese state-owned media accounts repeatedly amplified Trump’s attacks on Zohran Mamdani, the Democrat who ended up winning New York’s mayoral election, according to disinformation-tracking firm Alethea Group. Some pro-Iranian influencer accounts, meanwhile, pivoted to attacking Mamdani as a “Zionist apologist” in October after Mamdani made overtures to Jewish voters in New York, Alethea said.

But by the time that election was held in November of last year, the cuts to election protection efforts had already taken hold.

The 2026 midterms could be a litmus test for how foreign adversaries respond to a US government that is less forceful in publicly combating influence operations.

“We’ve not had a disaster take place because, in many ways, the procedures and policies and tools set up during the first Trump administration helped keep us safe,” Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, told CNN. “We’re going into a (2026) election cycle with our guard down.”

Multiple government agencies and processes for countering foreign influence that are now being cut were set up during Trump’s first term, including a dedicated team at the FBI that tracked counterintelligence threats to elections.

In April, Trump fired Gen. Tim Haugh, the head of Cyber Command and the National Security Agency ,who had led numerous operations countering Russian meddling.

“The foundation that we built to protect our electoral process was driven by the first Trump administration’s direct guidance to NSA and Cyber Command — the focus that they put at CISA and FBI to counter foreign influence and then any potential hacking activity targeting our electoral process,” Haugh told CNN in his first interview on the subject since being fired. He declined to comment on any Cyber Command operations during the 2024 election.

Far-right activist and Trump confidant Laura Loomer had pushed for Haugh’s removal, publicly calling him “disloyal” to Trump due to the fact that he had served alongside former Chairman of the Joint Chiefs of Staff Gen. Mark Milley. Haugh has denied the allegation.

Nearly 10 years after Russian agents tried to influence the 2016 election through hacking and disinformation, Americans are arguably more susceptible to covert propaganda than ever, according to experts.

“This is just an enormous set of vulnerability for our nation,” Haugh said. “We have shown a decreasing ability to discern truth from fiction as a society.”

Cyber Command declined to comment for this story. The NSA referred to questions to ODNI.

Cuts to federal funding for cybersecurity services for election offices have forced those offices to scramble for alternative funds, said Paul Lux, a Republican who is the top election official for Okaloosa County, Florida.

Election officials are also unsure whether the FBI and CISA will continue to hold classified briefings for them on threats to elections, something those agencies have done for years.

The briefings were “illuminating,” Lux said. “They allowed me to personally connect some dots” by making the threats more tangible, he added.

The FBI had no comment when asked by CNN whether the briefings would continue.

A CISA spokesperson did not directly answer a question about the briefings but provided a statement that read, in part, “since January 2025, CISA has issued 38 joint cybersecurity advisories with law enforcement and international partners and provided threat intelligence guidance to combat evolving threats and protect critical infrastructure, and we will continue to ensure election officials remain informed of any emerging issues going forward.”

With or without federal security and intelligence support, election officials will be ready to do their job, Lux said. “Our mission doesn’t change. (It is to) provide safe, free and fair elections with as much transparency as possible.”

Dismantling offices
The same type of Russian trolls that Cyber Command took aim at in the 2024 election continue to churn out content. A Russian covert influence network focused on undermining Western support for Ukraine has set up at least 200 fake websites since last March to target audiences in the US, France and elsewhere, according to the cyber intelligence firm Recorded Future.

The concern among more than a dozen current and former officials who spoke to CNN is that the Trump administration took a hatchet, rather than a scalpel, to federal programs aimed at countering the type of influence operation that Recorded Future uncovered. The programs could have been downsized, rather than abruptly canceled, in a way that met the Trump administration’s goal of cutting bureaucratic red tape, the sources said.

The State Department’s Global Engagement Center, which focused on combating foreign propaganda, posted a massive US intelligence dump on Russian meddling prior to the 2024 election. (The Trump administration formally shut down the State Department center last April after Congress let its funding expire.)

ODNI’s Foreign Malign Influence Center, which was set up under then-President Joe Biden, turned intelligence on Russian AI-generated videos posted on X purporting to show voter fraud into public statements in the days before Election Day in 2024.

Without that center, it’s unclear which government agency would warn the public of such efforts.

In announcing the Foreign Malign Influence Center’s closure in August, ODNI said the center was “redundant” and that other elements of the intelligence community perform some of the same work. Some Republican lawmakers agree.

“I am confident ODNI and the (intelligence community) will remain poised to assess and warn policymakers of covert and overt foreign influence operations targeting (US government) policies and manipulating public opinion,” said Rick Crawford, an Arkansas Republican who chairs the House intelligence committee, in a statement to CNN.

But Haugh, who spent more than three decades in the Air Force, said the cuts at various federal agencies mean that the US government has fewer levers to pull to punish or expose foreign influence operations.

ODNI did not answer a detailed list of questions on how the agency plans to counter foreign influence, including whether ODNI has a top intelligence specialist dedicated to the issue, as it has had in years past. An ODNI spokesperson referred CNN to a previous agency statement saying the Foreign Malign Influence Center’s core functions would be moved to other parts of ODNI.

Gabbard said in August that ODNI would cut its workforce by over 40% and save taxpayers hundreds of millions of dollars in the process.

Trump’s new pick to replace Haugh and lead the NSA and Cyber Command, Lt. Gen. Joshua Rudd, pledged to protect the electoral process from foreign interference during his Senate confirmation hearing.

“Any foreign attempt to undermine the American process of democracy, and at the center of that is our electoral process, as you all know far better than I do, has got to be safeguarded,” Rudd told senators on January 15.

A sensitive subject
The FBI’s election security posture today has been shaped by Trump’s grievances over the bureau’s investigation into his 2016 campaign’s contacts with Russia and his false claims of a stolen 2020 election.

As president-elect in 2017, Trump was incsensed when then-FBI Director James Comey briefed him on the existence of a salacious, and later debunked, dossier about Trump gathered by a former British intelligence agent. Many see a through line between that day and the FBI’s current counterintelligence posture for elections.

“You could argue that where we are today happened because Comey briefed Trump, Trump got embarrassed and the rest is one big revenge tour,” said a former senior FBI counterintelligence official who served during the first Trump term and Biden’s term. They spoke on the condition of anonymity out of fear of retaliation from the Trump administration

If and when US officials speak publicly on foreign efforts to shape US democracy is an intensely delicate subject in the second Trump administration. Trump has bristled at US intelligence findings that Russia tried to influence the 2016 election in his favor, while Democrats have often exaggerated those findings to attack Trump.

A year after FBI agents were caught off-guard in 2016 by the scale of Russian hacking and propaganda aimed at voters, the bureau set up a Foreign Influence Task Force (FITF), a team of about 30 people to focus on the threat of foreign meddling. The task force passed intelligence about what foreign spies were doing on Facebook and Twitter to those social media platforms.

In February 2025, Attorney General Pam Bondi dissolved FITF, citing the need to “free resources to address more pressing priorities, and end risks of further weaponization and abuses of prosecutorial discretion.”

The impact of Bondi’s memo goes beyond FITF, according to current and former FBI officials. It’s a disincentive for any FBI agent to take up a case involving Russian election influence.

“Say the Russians influence the election again — I’m worried that we won’t know it until after the fact,” the ex-FBI official said.

In a statement to CNN, the FBI said it continues to pursue cases related to “foreign influence efforts by adversarial nations.”

“The Counterintelligence Division and our field offices work together to defend the homeland against all foreign influence efforts, including any attempts at election interference,” the FBI said.

The Cyber Command operation against Russian trolls in 2024 followed the Justice Department’s public disclosure that it had seized internet domains used by the trolls. US officials saw the hacking as an added, clandestine counter-punch to complement the law enforcement seizure. Under the second Trump administration, the public may not know if the Justice Department takes such an action leading up to an election.

After Trump won the 2024 election, a planning document used by his transition team and reviewed by CNN lamented a “surge in politicization and meddling in US politics by US intelligence agencies,” and said the Justice Department and the FBI should revisit how they communicate threats to the public, “e.g. in announcing indictments of foreign hackers or getting involved in threats to election security in partisan ways.”

Working with local election offices
Cyber Command, the NSA and other parts of the US intelligence community began playing a more prominent role in the cyber defense of US elections after the Russian intervention in 2016. The federal Cybersecurity and Infrastructure Security Agency emerged as a conduit between those powerful military and spy agencies and local election offices, building trust with those offices and passing on intelligence on foreign threats. Trump signed a law establishing CISA as a part of the Department of Homeland Security during his first term.

But Trump and his top advisers never forgave CISA’s leadership for saying the 2020 election was secure. They accused CISA of “censoring” conservative voices when in the first Trump term, at the urging of Republican and Democratic election officials, the agency flagged to social media platforms posts that spread false information about voting. The second Trump administration last year paused all of CISA’s election security work and reassigned the agency’s election specialists or put them on administrative leave

CISA spokespeople say the agency still offers some cybersecurity services to election offices, as it does other sectors. But election officials say the impact from the cuts to so many offices, including CISA, is clear.

A day after the US bombed Iranian nuclear facilities in June, pro-Iranian hackers breached an Arizona state election website and replaced candidates’ photos with an image of Iran’s Supreme Leader Ayatollah Ali Khamenei. It had echoes of 2020, when, according to the FBI, Iranian hackers set up a website with violent threats to election officials.

But while CISA was central to the federal response to the 2020 incident — and communicated proactively with election officials then — Arizona election officials now say they are not getting the same level of collaboration with the agency. In a statement to CNN, a CISA official said the agency “worked with Arizona and provided direct assistance to support their response efforts.”

The cuts to CISA have “drastically reduced national visibility into foreign threats and increased the potential for security failures,” Moser, the former CISA election security official, told CNN. “While state and local officials take great care to secure elections, now they are effectively being siloed and expected to combat sophisticated nation-state adversaries with severely limited federal support.”

A CISA spokesperson said: “Every day, DHS and CISA are providing our partners the most capable and timely threat intelligence, expertise, no-cost tools and resources these partners need to defend against risks.”

Foreign powers, with the help of artificial intelligence, will continue to target American voters with disinformation, the ODNI said in its annual worldwide threat assessment published in March.

“Reinforcing doubt in the integrity of the U.S. electoral system achieves one of (Russia’s) core objectives,” the intelligence report says.

China, in particular, is making alarming leaps in AI-powered influence activity, according to researchers at Vanderbilt University’s Institute of National Security. In August, the institute published documents leaked from a Chinese firm that appear to show it targeting the 2024 Taiwan election with a wave of social media posts. The Chinese firm has also put together profiles on at least 117 members of Congress and more than 2,000 American political figures and “thought leaders,” according to the research.

“This election cycle, foreign governments will be able to use AI tools to essentially whisper in the ear of anyone they target,” said Emerson Brooking, a former Pentagon cyber policy adviser who now studies influence operations at the Atlantic Council’s Digital Forensic Research Lab. “And the Trump team isn’t just unprepared; they’ve deliberately knocked down a lot of the defenses built over the past eight years.”

Last year, Gabbard and Iowa GOP Sen. Chuck Grassley released declassified intelligence documents related to the FBI and intelligence community’s probes of Russian influence on the 2016 election. Contrary to Gabbard’s public claims, the documents do not show the probes were a hoax. But they do show the lengths to which Russia’s SVR foreign intelligence service was willing to go either to impress their Kremlin bosses or to play mind games with US officials analyzing the hack, according to Michael van Landingham, a former CIA analyst, and Alex Orleans, a counterintelligence researcher.

That Americans are still arguing about Russia’s 2016 influence operations 10 years later is exactly what Russian intelligence hoped for, they said.

“SVR officers are definitely dining out on the fact that our national discourse still can’t fully escape the riptides of 2016,” Orleans told CNN.

CNN’s Katie Bo Lillis and Evan Perez contributed to this report.

techcrunch.com
Lorenzo Franceschi-Bicchierai
11:15 AM PST · January 8, 2026

The infamous spyware maker released a new transparency report claiming to be a responsible spyware maker, without providing insight into how the company dealt with problematic customers in the past.

NSO Group, one of the most well-known and controversial makers of government spyware, released a new transparency report on Wednesday, as the company enters what it described as “a new phase of accountability.”

But the report, unlike NSO’s previous annual disclosures, lacks details about how many customers the company rejected, investigated, suspended, or terminated due to human rights abuses involving its surveillance tools. While the report contains promises to respect human rights and have controls to demand its customers do the same, the report provides no concrete evidence supporting either.

Experts and critics who have followed NSO and the spyware market for years believe the report is part of an effort and campaign by the company to get the U.S. government to remove the company from a blocklist — technically called the Entity List — as it hopes to enter the U.S. market with new financial backers and executives at the helm.

Last year, a group of U.S. investors acquired the company, and since then, NSO has been undergoing a transition that included high-profile personnel changes: former Trump official David Friedman was appointed the new executive chairman; CEO Yaron Shohat stepped down; and Omri Lavie, the last remaining founder who was still involved in the company, also left, as Israeli newspaper Haaretz reported.

“When NSO’s products are in the right hands within the right countries, the world is a far safer place. That will always be our overriding mission,” Friedman wrote in the report, which does not mention any country where NSO operates.

Natalia Krapiva, the senior tech-legal counsel at Access Now, a digital rights organization that investigates spyware abuses, told TechCrunch: “NSO is clearly on a campaign to get removed from the U.S. Entity List and one of the key things they need to show is that they have dramatically changed as a company since they were listed.”

“Changing the leadership is one part and this transparency report is another,” said Krapiva.

“However, we have seen this before with NSO and other spyware companies over the years where they change names and leadership and publish empty transparency or ethics reports but the abuses continue.”

“This is nothing but another attempt at window dressing and the U.S. government should not be taken for a fool,” said Krapiva.

Ever since the Biden administration added NSO to the Entity List, the company has lobbied to have its restrictions lifted. After President Donald Trump took office again last year, NSO intensified these efforts. But, as of May last year, NSO had failed to sway the new administration.

In late December, the Trump administration lifted sanctions against three executives tied to the Intellexa spyware consortium, in what some saw as a sign of a shift in the administration’s attitude toward spyware makers.

A lack of details
This year’s transparency report, which covers 2025, has fewer details than reports from previous years.

In an earlier transparency report covering 2024, for example, NSO said it opened three investigations of potential misuse. Without naming the customers, the company said it cut ties with one, and imposed on another customer “alternative remediation measures,” including mandating human rights training, monitoring the customer activities, and requesting more information about how the customer uses the system. NSO did not provide any information about the third investigation.

NSO also said that during 2024, the company rejected more than $20 million “in new business opportunities due to human rights concerns.”

In the transparency report published the prior year, covering 2022 and 2023, NSO said it suspended or terminated six government customers, without naming them, claiming these actions resulted in a revenue loss of $57 million.

In 2021, NSO said it had “disconnected” the systems of five customers since 2016 following an investigation of misuse, resulting in more than $100 million in “estimated loss of revenue,” and it also said that it “discontinued engagements” with five customers due to “concerns regarding human rights.”

NSO’s newest transparency report does not include the total number of customers NSO has, statistics that have been consistently present in previous reports.

TechCrunch asked NSO spokesperson Gil Lanier to provide similar statistics and figures, but did not receive answers by press time.

John Scott-Railton, a senior researcher at The Citizen Lab, a human rights organization that has investigated spyware abuses for more than a decade, criticized NSO.

“I was expecting information, numbers,” Scott-Railton told TechCrunch. “Nothing in this document allows outsiders to verify NSO’s claims, which is business as usual from a company that has a decade-long history of making claims that later turned out to be misrepresentation.”

The activist website called “ICE List” was offline after a massive DDoS attack. The crash followed a leak of 4,500 federal agent names linked to the Renee Nicole Good shooting.
The website ICE List, also known as the (ICE List Wiki), was crippled by a major cyber attack after it prepared to publish the identities of thousands of federal agents in the United States, particularly those associated with Immigration and Customs Enforcement, ICE.

The site’s founder, Netherlands-based activist Dominick Skinner, confirmed that a massive DDoS attack began flooding their servers on Tuesday evening last week.

For your information, a DDoS attack works by flooding a website with so much fake traffic that it eventually crashes. Skinner told reporters that the length and intensity of this attack suggest a deliberate, organised effort to keep the leaked information from reaching the public.

The Shooting That Sparked the Leak
According to The Daily Beast, the data at the centre of this battle was provided by a whistleblower from the Department of Homeland Security (DHS). The leak reportedly includes the names, personal phone numbers, and work histories of roughly 4,500 employees from ICE and Border Patrol.

Further probing revealed that the whistleblower was moved to act following the death of Renee Nicole Good, a 37-year-old mother of three, who was fatally shot by an ICE agent in Minneapolis on January 7, 2026.

Within hours of the shooting, activists managed to identify the agent involved as Jonathan E. Ross. Skinner noted that for the whistleblower, this tragic incident was the “last straw,” leading them to hand over a dataset full of work emails, job titles, and résumé-style background info.

Identifying the Attackers
While the site is back online, Skinner observed that much of the malicious traffic appeared to originate from a bot farm in Russia. However, it is nearly impossible to track the true source, as in the world of hacking, proxies are often used to bounce signals through different countries to hide a person’s tracks. Skinner described the attack as “sophisticated,” suggesting that the attackers are highly determined to keep the names hidden.

Skinner’s team continues to operate out of the Netherlands to stay beyond the immediate reach of US authorities. Despite the crash, they remain committed to the project with plans to move to more secure servers. They plan to publish most of the names, though they intend to omit certain staff members, such as nurses or childcare workers.

| TechCrunch
techcrunch.com/

Lorenzo Franceschi-Bicchierai
12:01 PM PST · January 16, 2026

Nicholas Moore pleaded guilty to stealing victims’ information from the Supreme Court and other federal government agencies, and then posting it on his Instagram @ihackthegovernment.

A hacker posted the personal data of several of his hacking victims on his Instagram account, @ihackthegovernment, according to a court document.

Last week, Nicholas Moore, 24, a resident of Springfield, Tennessee, pleaded guilty to repeatedly hacking into the U.S. Supreme Court’s electronic document filing system. At the time, there were no details about the specifics of the hacking crimes Moore was admitting to.

On Friday, a newly filled document — first spotted by Court Watch’s Seamus Hughes — revealed more details about Moore’s hacks. Per the filing, Moore hacked not only into the Supreme Court systems, but also the network of AmeriCorps, a government agency that runs stipend volunteer programs, and the systems of the Department of Veterans Affairs, which provides healthcare and welfare to military veterans.

Moore accessed those systems using stolen credentials of users who were authorized to access them. Once he gained access to those victims’ accounts, Moore accessed and stole their personal data and posted some online to his Instagram account: @ihackthegovernment.

In the case of the Supreme Court victim, identified as GS, Moore posted their name and “current and past electronic filing records.”

In the case of the AmeriCorps victim, identified as SM, Moore boasted that he had access to the organization’s servers and published the victim’s “name, date of birth, email address, home address, phone number, citizenship status, veteran status, service history, and the last four digits of his social security number.”

And, in the case of the victim at the Department of Veterans Affairs, identified as HW, Moore posted the victim’s identifiable health information “when he sent an associate a screenshot from HW’s MyHealtheVet account that identified HW and showed the medications he had been prescribed.”

According to the court document, Moore faces a maximum sentence of one year in prison and a maximum fine of $100,000.

• The Washington Times -
  By Bill Gertz
  Wednesday, December 17, 2025

The Chinese Ministry of State Security intelligence service disclosed in October that the U.S. National Security Agency has been engaged in a three-year cyber campaign to break into the official National Time Service Center.

The center is located in the north-central city of Xian. It provides precision time services that state media say are vital for military systems, communications, finance, electricity, transportation and mapping.

The NSA had no comment on the report, but defense analysts say the Chinese report is a significant clue to one of the most secret programs in support of an advanced form of strategic missile defense called “left of launch.”

Left of launch refers to a timeline for using various military tools, such as cyberattacks that could cause missiles to blow up in silos when launch buttons are pushed, special operations commandos and on-the-ground sabotage after a missile is detected being readied for firing.

The project to conduct prelaunch attacks and sabotage of missile systems has been underway for at least a decade, and its elements are among the U.S. military’s most closely guarded secrets.

Asked recently how left of launch will be used in President Trump’s forthcoming Golden Dome defense system to prevent a missile from being fired, Space Force Gen. Michael A. Guetlein, vice chief of space operations, said cryptically: “Can’t talk about it.”

PNT satellite system

Gaining access to China’s central time system would provide a major advantage to the U.S. military and military intelligence services during a conflict by allowing hackers to disrupt missile strikes before launch or shortly after launch, known as the boost phase.

The time center is a key element of China’s BeiDou satellite navigation system, a copy of the U.S. GPS, which uses more than 35 satellites to provide the People’s Liberation Army with vital PNT — positioning, navigation and timing — for its missile systems.

The satellite system is said to provide “centimeter-level” precision and is linked to the National Time Service Center.

Theoretically, NSA cyber sleuths, by breaching the time center, could have planted malicious software inside the PNT data chain that could then be used for intelligence gathering on missile targets and providing false navigation parameters for missile strikes.

U.S. advanced artificial intelligence technology also could fashion prelaunch disruptions that could retarget Chinese missiles against Beijing.

A Chinese state media report on the NSA cyberattacks stated that control over timing is equivalent to “controlling the heartbeat of modern society.”

“Once the timing system is interfered with or hijacked, the consequences are unimaginable,” the online Chinese communications outlet C114 reported. It noted potential disruptions of financial markets, power grids, rail lines and military systems.

For missile systems, PNT is an essential element for real-time location, direction and precise time data used for accurate targeting, trajectory control and command and control.

“There’s no doubt that the best time to defeat a missile is before it’s launched,” said Todd Harrison, a defense expert with the American Enterprise Institute. “The most obvious way is to track and destroy the launchers and the command and control infrastructure and sensors that enable them.”

Conducting the attacks is difficult because of the distances involved and the risks of escalation.

Various non-kinetic tools can be used to defeat a missile “kill chain” before launch, including jamming sensors and communications, and cyberattacks on command and control systems, Mr. Harrison said.

Electronic disruptions before launch can produce uncertain effectiveness during combat, even if they initially produce impacts, because thinking adversaries will adapt and overcome the disruptions.

“The question for Golden Dome is how much relative effort the architecture puts toward left of launch versus other phases of flight,” Mr. Harrison said. “Left of launch will surely be part of the approach, but we still don’t know how much emphasis it will garner.”

Sensors and capabilities

Mr. Trump’s executive order on missile defense, signed in January, specifically calls for developing and deploying left-of-launch capabilities for Golden Dome.

The order states that in addition to deploying defenses targeting missiles in midflight and terminal phases, the new system must “defeat missile attacks prior to launch and in the boost phase.”

Gen. Stephen Whiting, commander of U.S. Space Command, said in September that left-of-launch defenses will provide a next-generation missile defense capability.

Prelaunch defenses are needed because enemy missiles are becoming more precise and more lethal, he said at a defense conference.

“We are seeing both the capacity and the capability of the threat missiles we’re now facing rapidly increase,” Gen. Whiting said at the annual Air, Space & Cyber Conference. “Just look over the last 18 months in the Israel-Iran conflict … multiple salvos of missiles, not single-digit missiles, not double-digit missiles. We’re talking triple-digit missile salvos paired with one-way attack drones.”

Gen. Whiting said current missile defenses are capable of providing warning and tracking of traditional ballistic missiles, but newer high-speed hypersonic maneuvering missiles and space-based hypersonic missiles are “incredibly destabilizing.”

“Our missile defenses have done broadly a good job during the most recent conflicts, but most of those are focused on terminal engagement,” the general said.

“We want to be able to push that engagement to the left, and eventually left of launch,” he said.

To conduct such prelaunch strikes, greater sensor integration is needed, and more sophisticated cyberattacks will be used to “drive capabilities that allow us to affect targets before they even begin to launch,” Gen. Whiting said.

Robert Peters, senior research fellow for strategic deterrence and The Heritage Foundation, said one of the more promising elements of the Golden Dome will be deploying better overhead sensors and coupling them with theater defense sensors. The advanced sensors will enhance homeland missile defenses by providing significantly greater awareness of when enemy missiles are being readied for launch, and then provide more accurate data once a missile is fired.

“This better integration of data and sensors greatly increases a state’s ability to intercept missiles before they hit their targets,” Mr. Peters said.

Launch preparations for solid-fuel missiles in silos, such as China’s new fields of more than 350 intercontinental ballistic missiles in western China, will be more difficult to detect before launch.

Mobile ICBMs moved out of garrison in preparation for launch have signatures that can be tracked more easily as part of left-of-launch defenses, Mr. Peters said.

“Golden Dome, if done properly, will invest heavily in these types of sensor architectures, not simply on more and more modern interceptors, as critical as those are,” Mr. Peters said.

Israel’s military conducted a series of left-of-launch strikes on Iranian missiles before the joint U.S.-Israeli bombing raid on Iran’s key nuclear facilities.

The Israel Defense Forces released videos of airstrikes on several Iranian mobile missiles that were blown up before they could be fired in retaliatory attacks.

Israeli forces also conducted sabotage operations inside Iran. They neutralized some key missile technicians in the days before the June raid on three nuclear facilities, according to an Israeli think tank report.

In addition to better sensors and increased cyberattack capabilities, special operations forces also will be developed for prelaunch strikes on targets.

Left-of-launch options

Lt. Gen. Sean Farrell, deputy commander of U.S. Special Operations Command, said special operations commandos are working on left-of-launch missile defense capabilities for missiles and drones.

“We have been working left of launch on behalf of the [Defense] Department to try to understand how we can get after the threats before they become a threat,” Gen. Farrell said at the conference with Gen. Whiting. “I think a lot of that will translate as well if we’re able to synchronize and plan together at the strategic level on where we can bring left-of-launch attention to a layered approach to homeland defense.”

The ultimate goal of the layered and integrated missile defense is to deploy an array of forces across all military domains that can detect, disrupt and potentially stop missile threats before they emerge.

Left-of-launch capabilities have been a topic within the Pentagon since at least 2014, when a memorandum was disclosed from Chief of Naval Operations Adm. Jonathan Greenert and Army Chief of Staff Gen. Ray Odierno to the secretary of defense warning that missile defense spending was “unsustainable” because of sharp defense cuts.

The two military leaders called for building more cost-effective left-of-launch capabilities.

Defense officials at the time said the research for left of launch included non-kinetic weapons, such as cyberattacks and electronic warfare, including electromagnetic pulse attacks against missile command and control systems.

These weapons would be used after missile launch preparations are detected. They would disrupt or disable launch controls or send malicious commands to cause the missiles to explode on their launchers.

In 2016, Adm. William Gortney, then commander of U.S. Northern Command, stated in prepared congressional testimony that most missile defenses are designed to intercept missiles after launch, using ground-based interceptors, mobile regional defenses and ship-based anti-missile systems.

“We need to augment our defensive posture with one that is designed to defeat ballistic missile threats in the boost phase as well as before they are launched, known as ‘left of launch,’” Adm. Gortney said.

Other potential boost-phase defenses could include high-powered lasers deployed on drones or aircraft that can strike missiles just after launch.

All current missile defense systems use kinetic kill interceptors that require precision targeting data to knock out high-speed warheads. They include Patriot, Terminal High Altitude Area Defense, or THAAD, and large Ground-Based Interceptors in Alaska and California, an Aegis missile defense based mostly on ships and in several ground locations.

The Golden Dome will deploy space-based interceptors for the first time, providing greater coverage against missile threats.

Kenneth Todorov, former deputy director of the Missile Defense Agency and now vice president at Northrop Grumman Missile Defense Solutions, said the company is working on left-of-launch capabilities and counter-hypersonic missile efforts.

“With decades of experience supporting mission-critical defense programs across the entire kill chain, the company is bringing to bear a portfolio of advanced, innovative capabilities from left of launch, through detection and tracking, all the way to assessment of kill, delivering mission agility in addressing the evolving hypersonic threat,” Mr. Todorov said on the Northrop website.

Patrycja Bazylczyk, associate director of the Missile Defense Project at the Center for Strategic and International Studies, said left-of-launch defenses include a broad category of kinetic and non-kinetic efforts to counter enemy launches. They can include strikes on missile launchers, jamming enemy communications or infiltrating a missile factory.

“Left-of-launch efforts are not alternatives to active missile defenses; they work in tandem, allowing U.S. forces to more effectively counter enemy action rather than merely respond to it,” Ms. Bazylczyk said.

| United States Department of Justice
justice.gov
Updated December 10, 2025

Ukrainian National Indicted and Rewards Announced for Co-Conspirators Relating to Destructive Cyberattacks Worldwide
The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her role in conducting cyberattacks and computer intrusions against critical infrastructure and other victims around the world, in support of Russia’s geopolitical interests. Dubranova was extradited to the United States earlier this year on an indictment charging her for her actions supporting CyberArmyofRussia_Reborn (CARR). Today, Dubranova was arraigned on a second indictment charging her for her actions supporting NoName057(16) (NoName). Dubranova pleaded not guilty in both cases, and is scheduled to begin trial in the NoName matter on Feb. 3, 2026 and in the CARR matter on April 7, 2026.

As described in the indictments, the Russian government backed CARR and NoName by providing, among other things, financial support. CARR used this financial support to access various cybercriminal services, including subscriptions to distributed denial of service-for-hire services. NoName was a state-sanctioned project administered in part by an information technology organization established by order of the President of Russia in October 2018 that developed, along with other co-conspirators, NoName’s proprietary distributed denial of service (DDoS) program.

“Today’s actions demonstrate the Department’s commitment to disrupting malicious Russian cyber activity — whether conducted directly by state actors or their criminal proxies — aimed at furthering Russia’s geopolitical interests,” said Assistant Attorney General for National Security John A. Eisenberg. “We remain steadfast in defending essential services, including food and water systems Americans rely on each day, and holding accountable those who seek to undermine them.”

“Politically motivated hacktivist groups, whether state-sponsored like CARR or state-sanctioned like NoName, pose a serious threat to our national security, particularly when foreign intelligence services use civilians to obfuscate their malicious cyber activity targeting American critical infrastructure as well as attacking proponents of NATO and U.S. interests abroad,” said First Assistant U.S. Attorney Bill Essayli for the Central District of California. “The charges announced today demonstrate our commitment to eradicating global threats to cybersecurity and pursuing malicious cyber actors working on behalf of adversarial foreign interests.”

“When pro-Russia hacktivist groups target our infrastructure, the FBI will use all available tools to expose their activity and hold them accountable,” said Assistant Director Brett Leatherman of the FBI Cyber Division. “Today’s announcement demonstrates the FBI’s commitment to disrupt Russian state-sponsored cyber threats, including reckless criminal groups supported by the GRU. The FBI doesn’t just track cyber adversaries – we work with global partners to bring them to justice.”

“The defendant’s illegal actions to tamper with the nation’s public water systems put communities and the nation’s drinking water resources at risk,” said EPA Acting Assistant Administrator Craig Pritzlaff. “These criminal charges serve as an unequivocal warning to malicious cyber actors in the U.S. and abroad: EPA’s Criminal Investigation Division and our law enforcement partners will not tolerate threats to our nation’s water infrastructure and will pursue justice against those who endanger the American public. EPA is unwavering in its commitment to clean, safe water for all Americans.”

Cyber Army of Russia Reborn

According to the indictment, CARR, also known as Z-Pentest, was founded, funded, and directed by the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). CARR claimed credit for hundreds of cyberattacks against victims worldwide, including attacks against critical infrastructure in the United States, in support of Russia’s geopolitical interests. CARR regularly posted on Telegram claiming credit for its attacks and published photos and videos depicting its attacks. CARR primarily hacked industrial control facilities and conducted DDoS attacks. CARR’s victims included public drinking water systems across several states in the U.S., resulting in damage to controls and the spilling of hundreds of thousands of gallons of drinking water. CARR also attacked a meat processing facility in Los Angeles in November 2024, spoiling thousands of pounds of meat and triggering an ammonia leak in the facility. CARR has attacked U.S. election infrastructure during U.S. elections, and websites for U.S. nuclear regulatory entities, among other sensitive targets.

An individual operating as “Cyber_1ce_Killer,” a moniker associated with at least one GRU officer instructed CARR leadership on what kinds of victims CARR should target, and his organization financed CARR’s access to various cybercriminal services, including subscriptions to DDoS-for-hire services. At times, CARR had more than 100 members, including juveniles, and more than 75,000 followers on Telegram.

The CARR indictment charges Dubranova with one count of conspiracy to damage protected computers and tamper with public water systems, one count of damaging protected computers, one count of access device fraud, and one count of aggravated identity theft. If convicted of these charges, Dubranova would face a statutory maximum penalty of 27 years in federal prison.

NoName057(16)

NoName was covert project whose membership included multiple employees of The Center for the Study and Network Monitoring of the Youth Environment (CISM), among other cyber actors. CISM was an information technology organization established by order of the President of Russia in October 2018 that purported to, among other things, monitor the safety of the internet for Russian youth.

According to the indictment, NoName claimed credit for hundreds of cyberattacks against victims worldwide in support of Russia’s geopolitical interests. NoName regularly posted on Telegram claiming credit for its attacks and published proof of victim websites being taken offline. The group primarily conducted DDoS cyberattacks using their own proprietary DDoS tool, DDoSia, which relied on network infrastructure around the world created by employees of CISM.

NoName’s victims included government agencies, financial institutions, and critical infrastructure, such as public railways and ports. NoName recruited volunteers from around the world to download DDoSia and used their computers to launch DDoS attacks on the victims that NoName leaders selected. NoName also published a daily leaderboard of volunteers who launched the most DDoS attacks on its Telegram channel and paid top-ranking volunteers in cryptocurrency for their attacks.

The NoName indictment charges Dubranova with one count of conspiracy to damage protected computers. If convicted of this charge, Dubranova would face a statutory maximum penalty of five years in federal prison.

Concurrent with today’s actions, the U.S. Department of State has offered potential rewards for up to $2 million for information on individuals associated with CARR and up to $10 million for information on individuals associated with NoName. Additionally, today the FBI, CISA, NSA, DOE, EPA, and DC3 issued a Joint Cybersecurity Advisory assessing that pro-Russia hacktivist groups, like CARR and NoName, target minimally secured, internet-facing virtual network computing connections to infiltrate (or gain access to) operational technology control devices within critical infrastructure systems to execute attacks against critical infrastructure, resulting in varying degrees of impact, including physical damage.

On July 19, 2024, U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) announced sanctions targeting two CARR members, Yuliya Vladimirovna Pankratova and Denis Olegovich Degtyarenko, for their roles in cyber operations against U.S. critical infrastructure. These two individuals were the group’s leader and a primary hacker, respectively.

The FBI Los Angeles Field Office investigated the CARR and NoName cases as part of FBI’s Operation Red Circus, an ongoing operation to disrupt Russian state-sponsored cyberthreats to U.S. critical infrastructure and interests abroad.

Assistant U.S. Attorneys Angela Makabali and Alexander Gorin for the Central District of California and Trial Attorney Greg Nicosia of the National Security Division’s National Security Cyber Section are prosecuting these cases. Assistant U.S. Attorney James E. Dochterman for the Central District of California is handling the forfeiture cases. The Justice Department’s Office of International Affairs provided significant assistance for both investigations.

An indictment is merely an allegation. All defendants are presumed innocent until proven guilty beyond a reasonable doubt in a court of law.

space.com
By Tereza Pultarova published 2 days ago

An AI start-up has found a vulnerability in security software protecting NASA's ground control communications with satellites in space.
"A vulnerability in this software poses a threat to billions of dollars in space infrastructure and the scientific missions they enable."

Communications between Earth and NASA spacecraft were critically vulnerable to hacking for years until an AI found the flaw and fixed it in just four days.

The vulnerability was sniffed out by an AI cybersecurity algorithm developed by California-based start-up AISLE and resides in the CryptoLib security software that protects spacecraft-to-ground communications. The vulnerability could have enabled hackers to seize control over countless space missions including NASA's Mars rovers, according to the cybersecurity researchers.

"For three years, the security system meant to protect spacecraft-to-ground communications contained a vulnerability that could undermine that protection." the AISLE cyber-security researchers wrote in a blog post on the company's website describing the vulnerability. "A vulnerability in this software poses a threat to billions of dollars in space infrastructure and the scientific missions they enable."

The researchers said the vulnerability was found in the authentication system and could have been exploited through compromised operator credentials. For example, the attackers could have gained access to user names and passwords of NASA employees through social engineering, methods such as phishing or infecting computers with viruses uploaded to USB drives and left where personnel could find them.

"The vulnerability transforms what should be routine authentication configuration into a weapon," the researchers wrote. "An attacker … can inject arbitrary commands that execute with full system privileges."

In other words, an attacker could remotely hijack the spacecraft or just intercept the data it is exchanging with ground control.

Fortunately, to gain access to the spacecraft through the CryptoLib vulnerability would require the attackers to, at some point, have local access to the system, which "reduces the attack surface compared to a remotely exploitable flaw," the researchers said in the blog post.

| FinCEN.gov
December 04, 2025

WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments.

WASHINGTON—Today, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) is issuing a Financial Trend Analysis on ransomware incidents in Bank Secrecy Act (BSA) data between 2022 and 2024, which totaled more than $2.1 billion in ransomware payments.

“Banks and other financial institutions play a key role in protecting our economy from ransomware and other cyber threats,” said FinCEN Director Andrea Gacki. “By quickly reporting suspicious activity under the Bank Secrecy Act, they provide law enforcement with critical information to help detect cybersecurity trends that can damage our economy. This work is vital to safeguarding our nation’s financial sector and strengthening our national security.”

Previous FinCEN Financial Trend Analyses have focused on reported ransomware payments and incidents by the date the activity was filed with FinCEN. Today’s report shifts the focus to the incident date of each ransomware attack and offers greater visibility into the activities conducted by ransomware actors.

Reported Ransomware Incidents and Payments Reach All-Time High in 2023

Ransomware incidents and payments reported to FinCEN reached their highest level in 2023 with 1,512 incidents, totaling $1.1 billion in payment—an increase of 77 percent in total payments year-over-year from 2022 to 2023.
Following law enforcement’s disruption of two high-profile ransomware groups, ransomware incidents reported to FinCEN decreased in 2024, with 1,476 incidents, reflecting $734 million in the aggregate value of reported payments in BSA reports.
The median amount of a single ransomware transaction was $124,097 in 2022; $175,000 in 2023; and $155,257 in 2024. Between 2022 and 2024, the most common payment amount range was below $250,000.
FinCEN Data Shows Ransomware Payments Top $2.1B in Just Three Years

During the three-year review period (January 2022 – December 2024), FinCEN received 7,395 BSA reports related to 4,194 ransomware incidents totaling more than $2.1 billion in ransomware payments.
During the previous nine-year period (2013 through the end of 2021) FinCEN received 3,075 BSA reports totaling approximately $2.4 billion in ransomware payments.
Financial Services, Manufacturing, and Healthcare were the Most Impacted Industries

The manufacturing industry accounted for 456 incidents totaling approximately $284.6 million reported payments; the financial services industry accounted for 432 incidents totaling approximately $365.6 million reported payments; and the healthcare industry accounted for 389 incidents totaling approximately $305.4 million reported payments.
The Onion Router (TOR) was the Most Common Communication Method Reported

Threat actors most often communicated with their intended ransomware targets via messages sent over The Onion Router protocol, accounting for 67 percent of reports that provided the communication method.
Other ransomware threat actors communicated with their intended targets via email or through other private encrypted messaging systems.
ALPHV/BlackCat was the Most Prevalent Ransomware Variant Between 2022 and 2024

FinCEN identified more than 200 ransomware variants reported in BSA data.
The most reported variants were Akira, ALPHV/BlackCat, LockBit, Phobos, and Black Basta.
The 10 variants with the highest cumulative payment amounts identified in BSA reports accounted for approximately $1.5 billion in payments.
Ransomware is a complex cybersecurity problem requiring a variety of preventive, protective, and preparatory best practices. More information on FinCEN’s efforts to combat ransomware, including guidance and other resources for financial institutions, is available at www.fincen.gov/resources/fincen-combats-ransomware.

FinCEN’s FTA is available online at Ransomware Trends in Bank Secrecy Act Data

Questions or comments regarding the contents of this release should be addressed to the FinCEN Regulatory Support Section by submitting an inquiry at www.fincen.gov/contact.

FinCEN periodically publishes Financial Trend Analyses describing threat pattern and trend information derived from Bank Secrecy Act (BSA) filings to highlight priority illicit finance risks. These analyses provide information that is relevant to a wide range of consumers, businesses, and industries; communicate the value of BSA reporting; and enhance feedback loops between government users of BSA reports and their filers. Additionally, Financial Trend Analyses fulfill FinCEN’s obligations pursuant to section 6206 of the Anti-Money Laundering Act of 2020, which requires FinCEN to periodically publish threat pattern and trend information derived from BSA filings.

| TechCrunch
Zack Whittaker
10:55 AM PST · December 3, 2025

Marquis said ransomware hackers stole reams of banking customer data, containing personal information and financial records, as well as Social Security numbers, belonging to hundreds of thousands of people. The number of affected people is expected to rise.

Fintech company Marquis is notifying dozens of U.S. banks and credit unions that they had customer data stolen in a cyberattack earlier this year.

Details of the cyberattack emerged this week after Marquis filed data breach notices with several U.S. states confirming its August 14 incident as a ransomware attack.

Texas-based Marquis is a marketing and compliance provider that allows banks and other financial institutions to collect and visualize all of their customer data in one place. The company counts more than 700 banking and credit union customers on its website. As such, Marquis has access to and stores large amounts of data belonging to consumer banking customers across the United States.

At least 400,000 people are so far confirmed affected by the data breach, according to legally required disclosures filed in the states of Iowa, Maine, Texas, Massachusetts, and New Hampshire that TechCrunch has reviewed.

Texas has the largest number of state residents so far who had data stolen in the breach, affecting at least 354,000 people.

Marquis said in its notice with Maine’s attorney general that banking customers with the Maine State Credit Union accounted for the majority of its data breach notifications, or around one-in-nine people who are known to be affected throughout the state.

The number of individuals affected by the breach is expected to rise as more data breach notifications roll in from other states.

Marquis said the hackers stole customer names, dates of birth, postal addresses, and financial information, such as bank account, debit, and credit card numbers. Marquis said the hackers also stole customers’ Social Security numbers.

According to its most recent notices, Marquis blamed the ransomware attack on hackers who exploited a vulnerability in its SonicWall firewall. The vulnerability was considered a zero-day, meaning the flaw was not known to SonicWall or its customers before it was maliciously exploited by hackers.

Marquis did not attribute the ransomware attack to a particular group, but the Akira ransomware gang was reportedly behind the mass-hacks targeting SonicWall customers at the time.

TechCrunch asked Marquis if it is aware of the total number of people affected by the breach, and if Marquis received any communication from the hackers or if the company paid a ransom, but we did not hear back by the time of publication.

cisa.gov Alert
Release DateNovember 24, 2025

CISA is aware of multiple cyber threat actors actively leveraging commercial spyware to target users of mobile messaging applications (apps).1 These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app, facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.

These cyber actors use tactics such as:

• Phishing and malicious device-linking QR codes to compromise victim accounts and link them to actor-controlled devices.
• Zero-click exploits,2 which require no direct action from the device user.
• Impersonation3 of messaging app platforms, such as Signal and WhatsApp.
  While current targeting remains opportunistic, evidence suggests these cyber actors focus on high-value individuals, such as current and former high-ranking government, military, and political officials,4 as well as civil society organizations (CSOs) and individuals across the United States,5 Middle East,6 and Europe.7

CISA strongly encourages messaging app users to review the updated Mobile Communications Best Practice Guidance and Mitigating Cyber Threats with Limited Resources: Guidance for Civil Society for steps to protect mobile communications and messaging apps, as well as mitigations against spyware.

forbes.com
By Thomas Brewster, Forbes Staff.
Nov 15, 2025, 08:00am ESTUpdated Nov 16, 2025, 06:40am EST

The U.S. government has been contracting stealth startup Twenty, which is working on AI agents and automated hacking of foreign targets at massive scale.
The U.S. is quietly investing in AI agents for cyberwarfare, spending millions this year on a secretive startup that’s using AI for offensive cyberattacks on American enemies.
According to federal contracting records, a stealth, Arlington, Virginia-based startup called Twenty, or XX, signed a contract with the U.S. Cyber Command this summer worth up to $12.6 million. It scored a $240,000 research contract with the Navy, too. The company has received VC support from In-Q-Tel, the nonprofit venture capital organization founded by the CIA, as well as Caffeinated Capital and General Catalyst. Twenty couldn’t be reached for comment at the time of publication.

Twenty’s contracts are a rare case of an AI offensive cyber company with VC backing landing Cyber Command work; typically cyber contracts have gone to either small bespoke companies or to the old guard of defense contracting like Booz Allen Hamilton or L3Harris.

Though the firm hasn’t launched publicly yet, its website states its focus is “transforming workflows that once took weeks of manual effort into automated, continuous operations across hundreds of targets simultaneously.” Twenty claims it is “fundamentally reshaping how the U.S. and its allies engage in cyber conflict.”

Its job ads reveal more. In one, Twenty is seeking a director of offensive cyber research, who will develop “advanced offensive cyber capabilities including attack path frameworks… and AI-powered automation tools.” AI engineer job ads indicate Twenty will be deploying open source tools like CrewAI, which is used to manage multiple autonomous AI agents that collaborate. And an analyst role says the company will be working on “persona development.” Often, government cyberattacks use social engineering, relying on convincing fake online accounts to infiltrate enemy communities and networks. (Forbes has previously reported on police contractors who’ve created such avatars with AI.)

Twenty’s executive team, according to its website, is stacked with former military and intelligence agents. CEO and cofounder Joe Lin is a former U.S. Navy Reserve officer who was previously VP of product management at cyber giant Palo Alto Networks. He joined Palo Alto after the firm acquired Expanse, where he helped national security clients determine where their networks were vulnerable. CTO Leo Olson also worked on the national security team at Expanse and was a signals intelligence officer at the U.S. Army. VP of engineering Skyler Onken spent over a decade at U.S. Cyber Command and the U.S. Army. The startup’s head of government relations, Adam Howard, spent years on the Hill, most recently working on the National Security Council transition team for the incoming Trump administration.

The U.S. government isn’t the only country using AI to build out its hacking capabilities. Last week, AI giant Anthropic released some startling research: Chinese hackers were using its tools to carry out cyberattacks. The company said hackers had deployed Claude to spin up AI agents to do 90% of the work on scouting out targets and coming up with ideas on how to hack them.

It’s possible the U.S. could also be using OpenAI, Anthropic or Elon Musk’s xAI in offensive cyber operations. The Defense Department gave each company contracts worth up to $200 million for unspecified “frontier AI” projects. None have confirmed what they’re working on for the DOD.

Given its focus on simultaneous attacks on hundreds of targets, Twenty’s products appear to be a step up in terms of cyberwarfare automation.

By contrast, beltway contractor Two Six Technologies has received a number of contracts in the AI offensive cyber space, including one for $90 million in 2020, but its tools are mostly to assist humans rather than replace them. For the last six years, it’s been working on developing automated AI “to assist cyber battlespace” and “support development of cyber warfare strategies” under a project dubbed IKE. Reportedly its AI was allowed to press ahead with carrying out an attack if the chances of success were high. The contract value was ramped up to $190 million by 2024, but there’s no indication IKE uses agents to carry out operations at the scale that Twenty is claiming. Two Six did not respond to requests for comment.

AI is much more commonly used on the defensive side, particularly in enterprises. As Forbes reported earlier this week, an Israeli startup called Tenzai is tweaking AI models from OpenAI and Anthropic, among others, to try to find vulnerabilities in customer software, though its goal is red teaming, not hacking.

www.politico.com
Katherine Tully-McManus
11/10/2025, 2:01pm ET

Library of Congress employees were informed to take caution when emailing the office of the congressional scorekeeper.
A cybersecurity breach discovered last week affecting the Congressional Budget Office is now considered “ongoing,” threatening both incoming and outgoing correspondence around Congress’ nonpartisan scorekeeper.

Employees at the Library of Congress were warned in a Monday email, obtained by POLITICO, that the CBO cybersecurity incident is “affecting its email communications” and that library staff should take a range of measures to protect themselves.

Library of Congress workers also were told to restrict their communication with the nonpartisan agency tasked with providing economic and budgetary information to lawmakers.

“Do NOT click on any links in emails from CBO. Do NOT share sensitive information with CBO colleagues over email, Microsoft Teams, or Zoom at this time,” the email reads.

“Maintain a high level of vigilance and verify the legitimacy of CBO communications by confirming with the sender via telephone that they sent the message,” the note continues.

Congressional staff are in regular communication with CBO regarding scores of legislation and cost estimates the agency prepares for bills in both the House and Senate.

There was no immediate information Monday about the broader implications that a legislative branch office was continuing to experience cybersecurity vulnerabilities.

A CBO spokesperson said last week that officials had taken “immediate action to contain” the breach as officials investigate the incident.

When asked for comment Monday about ongoing issues, the CBO spokesperson referred to the prior statement.

| TechCrunch techcrunch.com
Lorenzo Franceschi-Bicchierai
8:36 AM PST · November 7, 2025

The congressional research office confirmed a breach, but did not comment on the cause. A security researcher suggested the hack may have originated because CBO failed to patch a firewall for more than a year.

The U.S. Congressional Budget Office has confirmed it was hacked.

Caitlin Emma, a spokesperson for CBO, told TechCrunch on Friday that the agency is investigating the breach and “has identified the security incident, has taken immediate action to contain it, and has implemented additional monitoring and new security controls to further protect the agency’s systems going forward.”

CBO is a nonpartisan agency that provides economic analysis and cost estimates to lawmakers during the federal budget process, including after legislative bills get approved at the committee level in the House and Senate.

On Thursday, The Washington Post, which first revealed the breach, reported that unspecified foreign hackers were behind the intrusion. According to the Post, CBO officials are worried that the hackers accessed internal emails and chat logs, as well as communications between lawmakers’ offices and CBO researchers.

Reuters reported that the Senate Sergeant at Arms office, the Senate’s law enforcement agency, notified congressional offices of a breach, warning them that emails between CBO and the offices could have been compromised and used to craft and send phishing attacks.

It’s unclear how the hackers gained access to the CBO’s network. But soon after news of the breach became public, security researcher Kevin Beaumont wrote on Bluesky that he suspected hackers may have exploited the CBO’s outdated Cisco firewall to break into the agency’s network.

Last month, Beaumont noted that CBO had a Cisco ASA firewall on its network that was last patched in 2024. At the time of his posting, the CBO’s firewall was allegedly vulnerable to a series of newly discovered security bugs, which were being exploited by suspected Chinese government-backed hackers.

Beaumont said the CBO’s firewall had not been patched by the time the federal government shutdown took effect on October 1.

On Thursday, Beaumont said that the firewall is now offline.

The CBO’s spokesperson declined to comment when asked about Beaumont’s findings. Spokespeople for Cisco did not immediately respond to a request for comment.

washingtonpost.com
By Joseph Menn

More than a half-dozen federal departments and agencies backed a proposal to ban future sales of the most popular home routers in the United States on the grounds that the vendor’s ties to mainland China make them a national security risk, according to people briefed on the matter and a communication reviewed by The Washington Post.

The proposal, which arose from a months-long risk assessment, calls for blocking sales of networking devices from TP-Link Systems of Irvine, California, which was spun off from a China-based company, TP-Link Technologies, but owns some of that company’s former assets in China. The ban was proposed by the Commerce Department and supported this summer by an interagency process that includes the Departments of Homeland Security, Justice and Defense, the people said.

“TP-Link vigorously disputes any allegation that its products present national security risks to the United States,” Ricca Silverio, a spokeswoman for TP-Link Systems, said in a statement. “TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond.”

If imposed, the ban would be among the largest in consumer history and a possible sign that the East-West divide over tech independence is still deepening amid reports of accelerated Chinese government-supported hacking. Only the legislated ban of Chinese-owned TikTok, which President Donald Trump has averted with executive orders and a pending sale, would impact more U.S. consumers.

None of the agencies involved responded to requests to comment on the proposal, which is now back in the hands of Commerce. While Commerce initially proposed the ban and sought the interagency review, it has taken no action since that process was completed. It could still decide to not issue a ban against TP-Link routers or could reach an agreement with the company for a different resolution of its concerns. The White House, which the people said supported the proposed ban, could also change its mind.

A former senior Defense Department official and two other people familiar with the details described the ban proposal to The Post; they spoke on the condition of anonymity to reveal internal deliberations. One of those people and four other current officials confirmed that the proposal had secured interagency approval.

A White House spokesperson asked about the proposed ban declined to address it specifically. “We are aware of active efforts by the Chinese government to exploit critical security vulnerabilities and are working with all relevant parties to assess exposure and mitigate the damage,” the spokesperson said.

Trump met Chinese leader Xi Jinping on Thursday in South Korea, where they reached an agreement that lowered the temperature of the conflict over trade between the two countries. The negotiations leading to that deal have made any move toward banning TP-Link routers less likely in the near term, two of the people said. One of them said the administration viewed TP-Link as a bargaining chip in further U.S.-China trade talks.

A spokesman for TP-Link Systems, Jeff Seedman, called it “nonsensical to suggest” that any measure taken against the company could serve as a “bargaining chip” in U.S.-China talks. “Any adverse action against TP-Link would have no impact on China, but would harm an American company,” he said.

Commerce officials concluded TP-Link Systems products pose a risk because the U.S.-based company’s products handle sensitive American data and because the officials believe it remains subject to jurisdiction or influence by the Chinese government. TP-Link Systems denies that, saying that it fully split from the Chinese TP-Link Technologies over the past three years. The Commerce proposal mentions the prospect that the company could offer a deal after notification that would satisfy the government and forestall a ban, one of the people said, but the government would have to be certain that key hardware and software was being developed without influence from China.

TP-Link Systems has sole ownership of some engineering, design and manufacturing capabilities in China that were once part of China-based TP-Link Technologies and operates them without Chinese government supervision, according to company spokeswoman Silverio. TP-Link Technologies serves only the Chinese market, she said. U.S.-based TP-Link Systems has about 500 employees in the U.S. and about 11,000 in China, Silverio said, adding that some of them work in facilities physically adjacent to those still owned by TP-Link Technologies.

TP-Link Systems’s website says it has 36 percent of the U.S. market for home routers by direct unit sales, while other estimates and congressional testimony put the share above 50 percent. A substantial portion of TP-Link routers and those of its competitors are purchased or leased through internet service providers, industry analysts said.

Federal regulations partly based on executive orders issued by Trump in his first term and by President Joe Biden empower the commerce secretary to make a risk assessment of transactions in “information and communications technology or services” that involve material from entities “controlled by, or subject to the jurisdiction or direction of foreign adversaries” and may therefore pose an “undue or unacceptable” security risk.

Last year, Commerce Secretary Gina Raimondo blocked U.S. sales of antivirus software from Russia’s Kaspersky Lab, noting the extensive access such security programs have to computers. “Russia has shown it has the capacity — and even more than that, the intent — to exploit Russian companies like Kaspersky to collect and weaponize the personal information of Americans, and that’s why we are compelled to take the action we are taking today,” Raimondo said at the time. Kaspersky denied that its U.S. activities posed a security risk.

Under the law, if the commerce secretary determines there is a security risk from foreign-influenced technology, the department can suggest ways to mitigate those risks. In the case of TP-Link Systems, Commerce officials decided that no mitigation short of a prohibition would suffice, according to the people briefed on the interagency review.

Seedman said any concerns “are fully resolvable by a common-sense mix of measures like onshoring key development functions, making strong and coordinated investments in cybersecurity, and being transparent with the government.” TP-Link Systems, he added, “has repeatedly sought Commerce’s input as to where the government believes there could be residual concerns. Commerce has so far not responded to TP-Link’s outreach in that regard.”

The proposed ban’s approval by the other federal departments returned it to Commerce, leaving the department free to issue a formal notification to TP-Link Systems that would give the company 30 days to respond. Commerce would then have 30 days to consider any objections before any ban would take effect.

The Post could not determine why Commerce has not taken further action. Some of those briefed said officials might by leery of stepping on any toes in the White House, especially amid trade talks with China that involve other technology issues. More recently, the government shutdown has become the top priority at Commerce and is occupying the time of the officials who remain on the job, the people said.

None of those interviewed for this article said they knew of any substantive objections inside government to the ban, which has been sought by members of both parties in Congress.

Paul Triolo, a partner at DGA Group in Washington who monitors U.S.-China technology issues, said recently it was not clear whether the interagency decision required an additional White House sign-off. “It may be too small of a thing to create a reaction from China,” he said.

Sen. Tom Cotton (R-Arkansas), who chairs the Senate Intelligence Committee, pushed for an investigation of TP-Link and is frustrated that no action has been taken, a spokesman said. “The continued sale of networking equipment linked to communist China in the United States puts our security at risk and American competitors at a disadvantage,” Cotton told The Post.

Many brands of home and small office routers, including those from TP-Link, have been used as stepping stones in recent years by Chinese government-supported hacking groups, which break into them to disguise where they are coming from, government and private-sector cybersecurity officials determined.

Some security experts have complained that the company has been slow to fix flaws after they are exposed. Last month, TP-Link Systems said it was still working to patch U.S. routers exposed to a high-severity weakness that had been reported in May. The company said its response time was within industry norms and that some measures show it has fewer reported flaws than rivals.

TP-Link Systems gear did not play a notable role in the major hack of U.S. telecommunication carriers exposed more than a year ago, which Sen. Mark R. Warner (D-Virginia) called the “worst telecom hack in our nation’s history.” But Microsoft said last year that hacked TP-Link Systems routers made up most of a covert network used by Chinese attackers since at least 2021 to steal log-in credentials from the software giant’s sensitive customers.

Microsoft said that network was used by multiple Chinese groups on spying missions. TP-Link Systems issued a patch for the vulnerable devices in November, four months after they were reported being hacked, even though they had been designated as end-of-life and too old for such updates. TP-Link said its action showed its willingness to go beyond what was legally required to help with security issues.

Some other U.S. router makers also depend on manufacturers in China. But U.S. officials said they are more concerned about TP-Link because under Chinese law companies there must comply with intelligence agency requests and notify Beijing of security flaws. They said the Chinese arm could even be compelled to push out software updates that could change the way the devices function.

California-based TP-Link Systems said it is “not subject to the direction of the PRC [Chinese government] intel apparatus.” It told The Post that only U.S. engineers can push updates to U.S. customers.

TP-Link Systems is owned by one of the two brothers who started TP-Link Technologies in China and his wife. The company said the brother in Irvine, chief executive Jeffrey (Jianjun) Chao, is pursuing U.S. citizenship and plans to expand the company’s American workforce.

A federal judge hearing an unrelated patent dispute in Texas against TP-Link Technologies concluded two years ago that frequent changes in that company’s corporate structure seemed designed to avoid accountability, telling an attorney for the Chinese company that “the evidence that we have indicates that your clients are deliberately trying to hide their relationship with TP-Link USA,” as the American operation was called at the time.

“The Texas case did not even involve TP-Link’s California company,” Silverio told The Post. “The defendants in that case were TP-Link foreign entities that were not affiliated with the California company at the time. The defendants later became affiliated with TP-Link’s California entity after a series of corporate reorganizations.”

It is unclear exactly which networking products would be covered under what is technically defined as a “prohibition” by Commerce on certain transactions, though they would include home and small office routers.

In related work on TP-Link Systems, the Justice Department’s antitrust unit is weighing criminal charges, based on claims that TP-Link products have been subsidized by the Chinese government and artificially priced under U.S. rivals, according to the people briefed on the interagency discussions. The company says it does not price products lower than they cost to make, and its spokeswoman said it has not heard from the Justice Department regarding an antitrust probe but would cooperate with any investigation.

The interagency probe began under the Biden administration and gained steam after the inauguration amid Trump’s tough talk on China, officials said. The possibility of a ban was first reported by the Wall Street Journal late last year, and the criminal antitrust probe was reported in April by Bloomberg News. Bloomberg reported this month that the administration was considering other actions.

Python Software Foundation News
pyfound.blogspot.com
Monday, October 27, 2025

The PSF has withdrawn a $1.5 million proposal to US government grant program
In January 2025, the PSF submitted a proposal to the US government National Science Foundation under the Safety, Security, and Privacy of Open Source Ecosystems program to address structural vulnerabilities in Python and PyPI. It was the PSF’s first time applying for government funding, and navigating the intensive process was a steep learning curve for our small team to climb. Seth Larson, PSF Security Developer in Residence, serving as Principal Investigator (PI) with Loren Crary, PSF Deputy Executive Director, as co-PI, led the multi-round proposal writing process as well as the months-long vetting process. We invested our time and effort because we felt the PSF’s work is a strong fit for the program and that the benefit to the community if our proposal were accepted was considerable.

We were honored when, after many months of work, our proposal was recommended for funding, particularly as only 36% of new NSF grant applicants are successful on their first attempt. We became concerned, however, when we were presented with the terms and conditions we would be required to agree to if we accepted the grant. These terms included affirming the statement that we “do not, and will not during the term of this financial assistance award, operate any programs that advance or promote DEI, or discriminatory equity ideology in violation of Federal anti-discrimination laws.” This restriction would apply not only to the security work directly funded by the grant, but to any and all activity of the PSF as a whole. Further, violation of this term gave the NSF the right to “claw back” previously approved and transferred funds. This would create a situation where money we’d already spent could be taken back, which would be an enormous, open-ended financial risk.

Diversity, equity, and inclusion are core to the PSF’s values, as committed to in our mission statement:
The mission of the Python Software Foundation is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers.
Given the value of the grant to the community and the PSF, we did our utmost to get clarity on the terms and to find a way to move forward in concert with our values. We consulted our NSF contacts and reviewed decisions made by other organizations in similar circumstances, particularly The Carpentries.

In the end, however, the PSF simply can’t agree to a statement that we won’t operate any programs that “advance or promote” diversity, equity, and inclusion, as it would be a betrayal of our mission and our community.

We’re disappointed to have been put in the position where we had to make this decision, because we believe our proposed project would offer invaluable advances to the Python and greater open source community, protecting millions of PyPI users from attempted supply-chain attacks. The proposed project would create new tools for automated proactive review of all packages uploaded to PyPI, rather than the current process of reactive-only review. These novel tools would rely on capability analysis, designed based on a dataset of known malware. Beyond just protecting PyPI users, the outputs of this work could be transferable for all open source software package registries, such as NPM and Crates.io, improving security across multiple open source ecosystems.

In addition to the security benefits, the grant funds would have made a big difference to the PSF’s budget. The PSF is a relatively small organization, operating with an annual budget of around $5 million per year, with a staff of just 14. $1.5 million over two years would have been quite a lot of money for us, and easily the largest grant we’d ever received. Ultimately, however, the value of the work and the size of the grant were not more important than practicing our values and retaining the freedom to support every part of our community. The PSF Board voted unanimously to withdraw our application.

Giving up the NSF grant opportunity—along with inflation, lower sponsorship, economic pressure in the tech sector, and global/local uncertainty and conflict—means the PSF needs financial support now more than ever. We are incredibly grateful for any help you can offer. If you're already a PSF member or regular donor, you have our deep appreciation, and we urge you to share your story about why you support the PSF. Your stories make all the difference in spreading awareness about the mission and work of the PSF.

How to support the PSF:
Become a Member: When you sign up as a Supporting Member of the PSF, you become a part of the PSF. You’re eligible to vote in PSF elections, using your voice to guide our future direction, and you help us sustain what we do with your annual support.
Donate: Your donation makes it possible to continue our work supporting Python and its community, year after year.
Sponsor: If your company uses Python and isn’t yet a sponsor, send them our sponsorship page or reach out to sponsors@python.org today. The PSF is ever grateful for our sponsors, past and current, and we do everything we can to make their sponsorships beneficial and rewarding.

reuters.com By A.J. Vicens
October 29, 202511:10 PM GMT+1Updated October 29, 2025

Hackers accessed Ribbon's network in December 2024
Three customers impacted, according to ongoing investigation
Ribbon's breach part of broader trend targeting telecom firms
Oct 29 (Reuters) - Hackers working for an unnamed nation-state breached networks at Ribbon Communications (RBBN.O), opens new tab, a key U.S. telecommunications services company, and remained within the firm’s systems for nearly a year without being detected, a company spokesperson confirmed in a statement on Wednesday.
Ribbon Communications, a Texas-based company that provides technology to facilitate voice and data communications between separate tech platforms and environments, said in its October 23 10-Q filing, opens new tab with the Securities and Exchange Commission that the company learned early last month that people “reportedly associated with a nation-state actor” gained access to the company’s IT network, with initial access dating to early December 2024.

The hack has not been previously reported. It is perhaps the latest example of technology companies that play a critical role in the global telecommunications ecosystem being targeted as part of nation-state hacking campaigns.
Ribbon did not identify the nation-state actor, or disclose which of its customers were affected by the breach, but told Reuters in the statement that its investigation has so far revealed three “smaller customers” impacted.
“While we do not have evidence at this time that would indicate the threat actor gained access to any material information, we continue to work with our third-party experts to confirm this,” a Ribbon spokesperson said in an email. “We have also taken steps to further harden our network to prevent any future incidents.”

lemonde.fr
Par Florian Reynaud et Martin Untersinger
Publié le 16 octobre 2025 à 06h30, modifié le 16 octobre 2025 à 10h04

En novembre 2024, la présentation de cette task force par le FBI à des policiers et des magistrats européens a choqué certains enquêteurs. Ils craignent notamment pour l’intégrité de leurs investigations.

Les policiers sont venus de toute l’Europe. En ce début novembre 2024, ils ont rendez-vous au siège d’Europol, l’organisme de coopération des polices européennes, à La Haye, aux Pays-Bas. Ils vont plancher en secret sur une enquête ultrasensible visant Black Basta, un gang de cybercriminels d’élite.
Même s’il est alors en perte de vitesse, ce groupe fait encore partie des plus dangereux au monde. Il a frappé entreprises et administrations sans épargner personne, pas même des hôpitaux : la quasi-totalité des services de police et de justice d’Europe l’ont dans le viseur. Comme souvent dans ce type de rassemblement, le puissant FBI – partenaire de longue date d’Europol – est présent. Mais au cours de la réunion, l’agent de liaison de la police fédérale américaine laisse sa place à un de ses collègues pour un exposé des plus inhabituels.
Ce dernier est venu présenter une unité secrète du gouvernement américain : le « Group 78 ». Il ira ensuite faire de même dans une deuxième réunion, à Eurojust, le pendant d’Europol où se coordonnent les magistrats. Sur la base de documents, de plusieurs sources policières et judiciaires européennes et à l’issue d’une enquête de plusieurs mois, Le Monde et Die Zeit sont en mesure de révéler l’existence de cette cellule secrète, son nom et la manière dont elle a été présentée aux enquêteurs européens.
Des enquêteurs médusés
Lors de ces deux réunions, l’agent du FBI détaille la façon dont le Group 78 entend remplir sa mission. Sa stratégie est double : d’une part, mener des actions en Russie pour rendre la vie des membres de Black Basta impossible et les forcer à quitter le territoire pour les mettre à portée des mandats d’arrêt les visant ; d’autre part, manipuler les autorités russes pour qu’elles mettent fin à la protection dont bénéficie le gang. Pour les policiers et les magistrats européens, le message est clair : les services de renseignement américains viennent de faire une entrée fracassante dans le paysage.
Une partie d’entre eux est sous le choc. D’abord parce que le Group 78 semble conscient de perturber, par ses actions, des opérations judiciaires européennes. Ensuite, des enquêteurs craignent que la stratégie de cette cellule cache des actions violentes ou illégales. Et si, grâce à ces dernières, les criminels se retrouvent à portée de mandat d’arrêt européen, cela reviendrait, pour la justice européenne, à blanchir les manœuvres des services américains. « Hors de question que je couvre ça », s’écrie auprès du Monde et de son partenaire d’enquête un magistrat européen, très remonté.
Enfin, certains reprochent au FBI d’avoir mélangé les rôles en introduisant le Group 78 dans une enceinte judiciaire où la coopération, la transparence entre alliés et le secret de l’enquête ont permis de remporter des succès majeurs dans la lutte contre la pègre numérique. Que plusieurs sources présentes aient accepté de se confier à des journalistes est un signe du malaise suscité.
Le Group 78 est apparu « dans une ou deux enquêtes, causant une colère considérable au sein de la coopération policière, dénonce auprès du Monde et de son partenaire un second magistrat spécialisé d’un autre pays européen. Nous ne savons pas exactement qui l’a fondé et quelles sont ses motivations politiques. Nous ne voulons rien avoir affaire avec ça. Nous sommes des enquêteurs : pour nous, dès qu’un groupe comme Group 78 apparaît, c’est fini. » La présentation du FBI a contraint certains enquêteurs à revoir leurs plans vis-à-vis de Black Basta, confirme une source proche du dossier.

| CNN Politics edition.cnn.com
By Sean Lyngaas
Oct 8, 2025

Suspected Chinese government-backed hackers have breached computer systems of US law firm Williams & Connolly, which has represented some of America’s most powerful politicians, as part of a larger spying campaign against multiple law firms, according to a letter the firm sent clients and a source familiar with the hack.

The cyber intrusions have hit the email accounts of select attorneys at these law firms, as Beijing continues a broader effort to gather intelligence to support its multi-front competition with the US on issues ranging from national security to trade, multiple sources have told CNN.

The hackers in this case used a previously unknown software flaw, coveted by spies because it allows for stealth, to access Williams & Connolly’s computer network, said the letter sent to clients this week and reviewed by CNN. The letter did not name the hackers responsible, but the source familiar with the hack told CNN that Beijing was the prime suspect.

“Given the nature of the threat actor, we have no reason to believe that the data will be disclosed or used publicly,” the letter said, in a hint that the intruder was focused on espionage rather than extortion.

CNN has reached out to the Chinese Embassy in Washington, DC for comment.

Liu Pengyu, a spokesperson for the embassy, told CNN in response to a separate hacking allegation last month: “China firmly opposes and combats all forms of cyber attacks and cybercrime.”

It was not immediately clear which Williams & Connolly attorneys or clients were affected by the hack.

Williams & Connolly is known for its politically influential clientele and a storied bench of courtroom lawyers. The firm has represented Bill and Hillary Clinton; corporate clients, including tech, health care and media companies; and white-collar criminal defendants like Theranos founder Elizabeth Holmes.

A Williams & Connolly spokesperson declined to answer questions on who was responsible for the hack.

The hackers are “believed to be affiliated with a nation-state actor responsible for recent attacks on a number of law firms and companies,” Williams & Connolly said in a statement to CNN. “We have taken steps to block the threat actor, and there is now no evidence of any unauthorized traffic on our network.”

Another prominent US law firm hit by suspected Chinese hackers is Wiley Rein, CNN reported in July. With clients that span the Fortune 500, Wiley Rein is a powerful player in helping US companies and the government navigate the trade war with China.

The suspected Chinese hackers have been rampant in recent weeks, also hitting the cloud-computing firms that numerous American companies rely on to store key data, experts at Google-owned cybersecurity firm Mandiant have told CNN. In a sign of how important China’s hacking army is in the race for tech supremacy, the hackers have also stolen US tech firms’ proprietary software and used it to find new vulnerabilities to burrow deeper into networks, according to Mandiant.

The Chinese government routinely denies allegations that it conducts hacking operations, often pointing to alleged US operations targeting Chinese entities and accusing Washington of a “double standard.”

At any given time, the FBI has multiple investigations open into China’s elite hacking teams, which US officials consider the biggest state-backed cyber threat to American interests.

CNN has requested comment from the FBI.

“Law firms are prime targets for nation-state threat actors because of the complex, high-stakes issues they handle,” said Sean Koessel, co-founder of cybersecurity firm Volexity, which has investigated Chinese digital spying campaigns.

“Intellectual property, emerging technologies, international trade, sanctions, public policy, to name a few,” Koessel told CNN. “In short, they hold a wealth of sensitive, non-public information that can offer significant strategic advantage.”

fortune.com
By Amanda Gerut
News Editor, West Coast
October 4, 2025 at 5:33 AM EDT

Using AI to create fake identities, they get remote jobs, then hide in plain sight—in Slack, on Zooms, and in corporate infrastructure.

But at a cybersecurity conference in Las Vegas this August, an analyst wearing a black hoodie and dark glasses who goes by “SttyK” broke some disappointing news to a packed crowd of researchers, executives, and government employees: That trick no longer works. “Do not [ask why] Kim Jong-un is so fat,” SttyK warned in all-caps on a presentation slide. “They all notice what you guys have noticed and improved their opsec [operation security].”

It might sound far-fetched—like the plot of a Cold War–era spy movie—but the scheme is all too real, according to the FBI and other agencies, as well as the UN, cybersecurity investigators, and nonprofits: Thousands of North Korean men trained in information technology are stealing identities, falsifying their résumés, and deceiving their way into highly paid remote tech jobs in the U.S. and other wealthy countries, using artificial intelligence to fabricate work and veil their faces and identities.

In violation of international sanctions, the scam has pried open a gusher of cash for Kim’s government, which confiscates most of the IT workers’ salaries. The FBI estimates that the program has funneled anywhere from hundreds of millions to $1 billion to the authoritarian regime in the past five years, funding ruler Kim’s ambition of building the Democratic People’s Republic of North Korea (DPRK) into a nuclear-armed force.

The afflicted include hundreds of Fortune 500 businesses, aerospace manufacturers, and U.S. financial institutions ranging from banks to tiny crypto startups, says the FBI. The North Korean workers also take on freelance gigs and subcontracting: They have posed as HVAC specialists, engineers, and architects, spinning up blueprints and municipal approvals with the help of AI.

Companies across Europe, as well as Saudi Arabia and Australia, have also been targeted. Government officials and cybersecurity investigators from the U.S., Japan, and South Korea met in Tokyo in late August to forge stronger collaborative ties to counter the incursions.

The scheme is one of the most spectacular international fraud enterprises in history, and it creates layer upon layer of risks for companies that fall for it. First, there’s the corporate security danger posed by agents of a foreign government being within a company’s internal systems.

Then there’s the legal risk that comes with violating sanctions against North Korea, even if unintentionally. U.S. and international sanctions are intended to isolate and punish the bellicose rogue state, and violations can jeopardize national security for the U.S. and its allies, according to the FBI. “This is a code red,” said U.S. Attorney for D.C. Jeanine Pirro at a press conference in July. “Your tech sectors are being infiltrated by North Korea. And when big companies are lax and they’re not doing their due diligence, they are putting America’s security at risk.”

Companies also must confront the distressing possibility that an employee—perhaps even one making a six-figure salary—could be laboring under conditions that one South Korea–based NGO has called “comparable to modern slavery.”

That’s because the North Korean men (and they are all men) who are perpetrating these deceptions are also, in a sense, victims of the brutal regime: They are separated from their families and trafficked to offshore sites to do the remote IT work, and they face the prospect of beatings, imprisonment, threats to their loved ones, and other human rights violations if they fail to make enough money for the North Korean government.

“The Call is Coming from Inside the House”
This covert weaponization of the techdependent global economy has ensnared every industry and company size. But it has proved incredibly difficult to find and prosecute members of this shadow workforce among the U.S.’s 6 million tech and IT employees. Those tracking the scheme say that agents hide in plain sight in the IT and tech departments of American companies: writing and testing code, discussing bugs, updating deliverables, and even joining video scrums and chatting via Slack. Over the past 12 months, the scheme has proliferated further, with a 220% worldwide increase in intrusions into companies, according to cybersecurity firm CrowdStrike.

Here’s how the international scam often works: North Korean workers, many living in four- or five-man clusters in China or Russia, use AI to create unique personas based on real, verified identities to evade background checks and other standard security measures. Sometimes they buy these identities from Americans, and other times they steal them outright. They craft detailed LinkedIn profiles, topped with a headshot—usually manipulated—with work histories and technical certifications.

“If this happened to these big banks, to these Fortune 500 companies, it can or is happening at your company.”
U.S. Attorney for D.C. Jeanine Pirro

Paid coconspirators in the U.S. and elsewhere physically hold on to the fraudulent workers’ company laptops and turn them on each morning so that the agents can remotely access them from other locations. The FBI has raided dozens of these sites, known as “laptop farms,” across the U.S., said CrowdStrike’s counter adversary VP Adam Meyers. And now they’re popping up overseas. “We’ve seen the operations all over,” said Meyers, “ranging from Western Europe all across to Romania and Poland.”

The broad and decentralized program, with work camps largely based in countries where there is little international cooperation among law enforcement, has so far been a frustrating game of Whac-a-Mole for law enforcement agencies, which have arrested only lower-level accomplices. “Both the Chinese and Russian governments are aware these IT workers are actively defrauding and victimizing Americans,” an FBI spokesman told Fortune. “The Chinese and Russian governments are not enforcing sanctions against these individuals operating in their country.”

Reputational risk from the intrusions has kept targeted companies largely silent so far, although federal agencies including the Department of Justice, FBI, and State Department have jointly issued dozens of public warnings to executives without naming the specific companies that have been impacted. One exception is the sneaker and apparel giant Nike, which identified itself as a victim of the scheme after discovering it had hired a North Korean operative who worked for the company in 2021 and 2022. Nike did not respond to multiple requests for comment.

“There are probably, today, somewhere between 1,000 and 10,000 fake employees working for companies around the world,” said Roger Grimes, an expert in the North Korean IT worker scheme with cybersecurity firm KnowBe4. “Most of the companies don’t talk about it when it happens—but they reach out secretly.” Grimes estimates he has spoken with executives from 50 to 75 companies that have unknowingly hired North Koreans. Even his own company is not immune: KnowBe4 last year disclosed that it unwittingly hired a North Korean worker who doctored a photo with AI and used a stolen identity.

A panel of experts convened by the UN to assess compliance with sanctions against North Korea estimates that the IT worker scheme generates between $250 million and $600 million in revenue annually from workers who transfer their earnings to the regime. The panel reported last year that IT workers in the scheme are expected to earn at least $100,000 annually. The highest earners make between $15,000 and $60,000 a month and are allowed to keep 30% of their salaries. The lowest can only keep 10%.

Businesses that hire these workers—even unintentionally—are violating regulatory and financial sanctions, which creates legal liability if U.S. law enforcement ever opted to charge companies. “The call is coming from inside the house,” said Pirro at the July press conference. “If this happened to these big banks, to these Fortune 500, brand-name, quintessential American companies, it can or is happening at your company. Corporations failing to verify virtual employees pose a security risk for all.”

She continued, speaking directly to American companies: “You are the first line of defense against the North Korean threat.”

The Motivation and the Impact
The growing awareness of the North Korean IT worker scheme has raised alarms in recent years, but its roots go back decades. A DPRK nuclear test in 2006 led to the UN’s Security Council imposing comprehensive sanctions that year, and then expanding those sanctions in 2017 to prohibit trade and ban companies from employing North Korean workers.

President Donald Trump signed into law further U.S. sanctions on North Korea during his first term. The law, “Countering America’s Adversaries Through Sanctions Act,” assumes that any goods made anywhere in the world by North Korean workers should be considered the products of “forced labor” and are forbidden from entering the U.S.

Starved of cash by international sanctions, the regime began sending agents overseas to earn money in various industries, including construction, fishing, and cigarette smuggling. They eventually moved into the lucrative field of tech. Then, when businesses turned to remote work during the pandemic, the IT scheme took off, explained cybersecurity firm DTEX Systems lead investigator Michael “Barni” Barnhart.

The IT operation functions separately from North Korea’s army of malicious hackers, who focus on ransomware and crypto heists, although cybersecurity experts believe the two teams are yoked closely enough to share intelligence and work in tandem.

Grimes is often surprised by the audacity of the IT deceptions, he said. In one instance, he told Fortune, a company thought it had hired three people, but they were actually just a single North Korean man managing three personas. He had successfully used the same photo to apply to multiple jobs but altered it to make each image slightly different—long hair, short hair, and three different names. “Once you see it, it’s so obvious what they’ve done,” said Grimes. “It takes a lot of…I’m trying to think of a better term than ‘balls,’ but it takes a lot of balls to use the same picture.”

For recruiters, inconsistencies—like candidates who claim to hail from Texas, but speak with Korean accents and seem to know nothing about their home state—are sometimes chalked up initially to cultural differences, Grimes said. But once companies are alerted to the conspiracy, it quickly becomes clear who the fraudulent hires are.

The impact of the scheme becoming more publicly known in the past couple of years has led to what the FBI described to Fortune as an escalating desperation among the workers, and a shift in tactics: There have been more attempts to steal intellectual property and data when workers are discovered and fired.

Investigators recently identified a new evolution in the operational structure, which further conceals the North Korean IT workers. They’re subcontracting out more of the actual labor to developers based in India and Pakistan, investigator Evan Gordenker of incident response firm Palo Alto Networks explained. This creates what Gordenker described as a “Matryoshka doll” effect—a proxy between the North Koreans and the company paying them, and another layer of subterfuge that makes it even harder to find the culprits.

“What they’ve found is that it’s actually fairly cheap to find someone of a similar-ish skill set in Pakistan and India,” said Gordenker. It’s an alarming sign of the criminal enterprise’s success, he added: The North Korean fraudsters are so overwhelmed with work that they need to pass some of it off.

The Recruitment of American Accomplices
One ex-North Korean IT worker who communicated via email with Fortune escaped after years inside the scheme. He lives under the alias Kim Ji-min to prevent retaliation against his family still in North Korea.

His method was to use Facebook, LinkedIn, and Upwork to pose as someone looking to hire help for a software project, he explained in an email interview facilitated and translated by PSCORE, a South Korea–based NGO that has worked with thousands of North Korean refugees. When engineers and developers responded to his listings, Kim would steal their identities and use them to apply for tech jobs. He was hired to work on e-commerce websites and in software development for a health care app, he said, though he declined to name the companies he worked for: “They had no idea we were from North Korea.”

IT workers also hang out on Discord and Reddit to create relationships with freelancers and those looking to make extra cash, particularly in the “r/overemployed” subreddit, said Gordenker. The pitch is typically simple but effective, he said: “It’s usually like, ‘I’m a Japanese developer. I’m looking to get established in the United States, and I’m looking for someone to serve as the face of my company in that country. Would you be willing to, for 200 bucks a week?’” From there, the IT workers ask the person to upload photos of their ID. Sometimes it takes only five minutes. “Some people are sort of like, ‘Oh, $200 bucks a week? Yeah. Sign me up, absolutely,’” said Gordenker. “It’s stunningly easy.”

A Maryland man, Minh Phuong Ngoc Vong, pleaded guilty in April to charges that he allowed North Korean workers to use his identity to get 13 different jobs. Court records show that he offered up his driver’s license and personal details after being approached on a video game.

The recruitment tactics can be predatory: The scheme often targets people who are down on their luck, promising them easy money for picking up a laptop or submitting to a urinalysis to pass a drug test. “They will recruit people from recovering gambling addict forums and things like that where people have debt,” Gordenker said. “They need the money badly, and that creates leverage.”

Security investigator Aidan Raney, who posed as a willing American accomplice to the scheme, learned other operational details. The agents who recruited Raney spiced up his résumé with fabricated roles at companies, and turned his headshot into a black-and-white photo so it would look different from his real LinkedIn headshot. Raney corresponded with three or four workers who all called themselves “Ben,” and the Bens submitted his details to recruiters to land him the job interviews.

“They handle essentially all the work,” said Raney, founder and CEO of security firm Farnsworth Intelligence. “What they were trying to do was use my real identity to bypass background checks and things like that, and they wanted it to be extremely close to my real-life identity.”

Sometimes the work of the American accomplice is more involved: An operation in the suburbs of Phoenix facilitated by one woman, Christina Chapman, helped North Koreans fraudulently obtain jobs at 311 companies and earned the workers $17.1 million in salaries and bonuses, according to the Department of Justice’s 2024 indictment of Chapman. The operation was the biggest laptop farm busted so far, by revenue. North Koreans used 68 stolen identities to get work, and Chapman helped them dial in remotely for interviews and calls. Chapman’s cut totaled about $177,000, prosecutors said, but after pleading guilty she has been sentenced to 8.5 years in prison for her role and ordered to forfeit earnings and pay fines worth more than she ever earned in the scheme.

Nike was one of the companies that hired an IT worker in Chapman’s network, according to a victim impact statement the company filed before her sentencing. Nike paid about $75,000 to the unnamed worker over the course of five months, the letter states. “The defendant’s decision to obtain employment through Nike, via identity theft, and subsequently launder earnings to foreign state actors, was not only a violation of law—it was a betrayal of trust,” Chris Gharst, Nike’s director of global investigations, wrote to the judge. “The incident required us to expend valuable time and resources on internal investigations.”

Criminals or victims?
Law enforcement agencies and cybersecurity investigators have tracked participants in the North Korean IT worker scheme, but so far only low-level accomplices have been arrested and charged in the U.S. The workers use artificial intelligence and stolen or purchased IDs to craft fake résumés and LinkedIn pages to apply for remote jobs. Some of their names are believed to be aliases.

AI has breathed even more life into the operation. An August 2025 report from Anthropic revealed that North Korean agents had leveraged its Claude AI assistant to prep for interviews and get jobs in development and programming. “The most striking finding is the actors’ complete dependency on AI to function in technical roles,” the report states. “These operators do not appear to be able to write code, debug programs, or even communicate professionally without Claude’s assistance.”

The scam is alarming for the companies targeted, but the North Korean laborers themselves are much worse off, according to PSCORE secretarygeneral Bada Nam. Failure to meet monthly earnings quotas results in degradation, beatings, or worse—being forced back to North Korea where the workers and their families face prison, labor camps, and abuse. The consistent access to food outside of famine-ravaged North Korea might be more desirable than in-country work assignments, but the intense competition and humiliation workers face if they don’t excel has driven some to suicide, Nam said. “Because of this system, [we] view these workers not simply as perpetrators of fraud or deception, but also as victims of forced labor and human rights violations,” said Nam. “Their situation is comparable to modern slavery. Just as global consumers have become more attentive to supply chains in order to avoid supporting child labor, we believe a similar awareness is needed regarding North Korean IT workers.”

Those pursuing and trying to expose the scale and impact of this grift include the Las Vegas conference speaker SttyK, who is in his twenties and based in Japan. He is part of a secretive network of investigators who track North Korean operatives, producing research that’s used by large cybersecurity firms. The community has learned a lot from files and manuals mistakenly uploaded without password protection to the open cloud-based tech platform GitHub, which explain how to fraudulently get a remote tech job. SttyK and his research partners have also been aided by at least one secret informant involved in the scheme.

The GitHub trove shows that there are some cultural clues to watch for, SttyK told Fortune: The North Koreans prefer British to American English in translations; they use excessive amounts of exclamation marks and heart emojis in emails; and they really love the animated comedy franchise Minions, often using images from the films as their avatars. The IT workers use Slack to communicate among themselves, and SttyK showed a message from a North Korean boss reminding teams to work at least 14 hours a day. They log in six days a week, and on their day off, the workers play volleyball, diligently recording the winners and losers in spreadsheets, the GitHub files revealed.

There are no hard-and-fast rules to the scheme, said Grimes, and the quality of the work varies significantly: Some North Koreans achieve standout job performance, leveraging it so they can recommend friends or even themselves under another identity for new roles. Others only want to get their first few paychecks before they get fired for doing poor work or not showing up. “There isn’t one way of doing things,” said Grimes. “Different teams farm out the work in different ways.”

The Perpetrators as Victims Themselves
Ironically, perhaps, the harshness of the system may actually make the agents attractive hires for U.S. companies: These are tech workers who don’t complain, take personal days, or ask for mental health breaks. Indeed, beneath the sprawling scheme lies an uncomfortable truth: The modern economy prizes efficiency, productivity, and results. And North Korean IT workers are leaning in on those tenets.

In job interviews the North Koreans give the impression they love work and don’t mind 12-hour days, Grimes said. Executives at victimized companies have sometimes said the North Koreans were their best employees. This unflagging work ethic dovetails with preconceptions about Asian immigrants’ industriousness, and often outweighs the red flags that should raise alarms. “People tell themselves all sorts of stories” to rationalize inconsistencies, said Grimes. “It’s interesting human behavior.”

Mick Baccio, president of the cybersecurity nonprofit Thrunt, went a step further, suggesting that the North Koreans infiltrating American organizations may exploit employers’ inability to distinguish between different Asian ethnic groups. “Many companies have a very Western, U.S.-centric view on the problem,” he said. “I’m half Thai and it’s hard for some people to distinguish that…It’s not malicious.”

On the North Korean side, the longtime success of the scheme relies upon complete fidelity to leadership that the regime programs into citizens from a young age, said Hyun-Seung Lee, a defector who escaped North Korea 10 years ago and knew some of the IT workers in an earlier iteration of the scheme. Lee said that asking candidates to insult Kim may actually still work to expose some agents. Even now, after all these years, Lee finds he still has an emotional reaction to hearing such a thing, he said—and IT workers could be similarly affected.

“They believe that it is their fate, their responsibility, to be loyal to the regime,” said Lee. “And they’re trying to survive.”

A hub for fraud in Arizona
Christina Chapman pleaded guilty to charges related to her role in running a “laptop farm” for the North Korean scheme in the suburbs of Phoenix. Here’s what it looked like, according to the Department of Justice indictment.

68Stolen identities

311Companies scammed

$17.1 millionSalaries and bonuses transmitted to North Kora

$177,000Chapman’s earnings for her part in the scheme

This article appears in the October/November 2025 issue of Fortune with the headline “Espionage enters the chat.”