<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[Intruvent Edge]]></title><description><![CDATA[Intruvent Edge delivers clear, actionable Cyber Threat Intelligence (CTI) and defense insights so you can stay ahead of evolving cyber risks.]]></description><link>https://edge.intruvent.com</link><image><url>https://substackcdn.com/image/fetch/$s_!0A6w!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7bac430a-1ed6-4e39-8ade-7653ec098646_1024x1024.png</url><title>Intruvent Edge</title><link>https://edge.intruvent.com</link></image><generator>Substack</generator><lastBuildDate>Thu, 09 Jul 2026 08:01:20 GMT</lastBuildDate><atom:link href="https://edge.intruvent.com/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Sig Murphy - Intruvent]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[intruvent@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[intruvent@substack.com]]></itunes:email><itunes:name><![CDATA[Sig Murphy]]></itunes:name></itunes:owner><itunes:author><![CDATA[Sig Murphy]]></itunes:author><googleplay:owner><![CDATA[intruvent@substack.com]]></googleplay:owner><googleplay:email><![CDATA[intruvent@substack.com]]></googleplay:email><googleplay:author><![CDATA[Sig Murphy]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[Prevent This: Home Router Takeover]]></title><description><![CDATA[Right now, two million home devices are working second jobs their owners never applied for. Here's how to make sure that your devices are protected.]]></description><link>https://edge.intruvent.com/p/prevent-this-home-router-takeover</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-home-router-takeover</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 07 Jul 2026 17:31:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!8UB8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8UB8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8UB8!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 424w, https://substackcdn.com/image/fetch/$s_!8UB8!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 848w, https://substackcdn.com/image/fetch/$s_!8UB8!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 1272w, https://substackcdn.com/image/fetch/$s_!8UB8!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!8UB8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic" width="1024" height="499" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:499,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:63598,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/205793286?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!8UB8!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 424w, https://substackcdn.com/image/fetch/$s_!8UB8!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 848w, https://substackcdn.com/image/fetch/$s_!8UB8!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 1272w, https://substackcdn.com/image/fetch/$s_!8UB8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F303ec438-d08d-4b88-910f-9cb5a4128c3a_1024x499.heic 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Your home Internet router is the backbone of your digital life.  It is always on, always connected, and for millions of households, it is compromised.</strong> But it doesn&#8217;t stop there: Your router, your streaming box, or your smart TV may be routing criminal traffic through your home internet connection while you sleep.  And the worst parts: you might have installed the device from the factory in a compromised state.  You plug it in, and the illicit routing begins.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><div><hr></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!p1cv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p1cv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!p1cv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!p1cv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!p1cv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!p1cv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:272166,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/205793286?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!p1cv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!p1cv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!p1cv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!p1cv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F626f1121-d0c4-4641-8897-907df02f9c29_1200x896.heic 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2><strong>The FBI Just Shut Down a Two-Million-Device Crime Network</strong></h2><p>On July 2, 2026, the FBI seized hundreds of internet domains belonging to a service called NetNut. Google, the IRS Criminal Investigation division, Lumen Technologies, and the Shadowserver Foundation all participated in the takedown. The target: a residential proxy network built on top of <strong>two million hijacked consumer devices</strong> like routers and streaming boxes.  But what makes this case alarming is that the service </p><p><span>According to his enlightening article, Brian Krebs showed that </span><a href="https://krebsonsecurity.com/2026/06/popa-botnet-linked-to-publicly-traded-israeli-firm/">researchers at Synthient</a> among other firms identified <span>NetNut is a proxy service owned by Alarum Technologies, a publicly traded Israeli company on the NASDAQ.  And what&#8217;s alarming is that NetNut is directly linked to a botnet called Popa. Their business model was straightforward: route paying customers&#8217; internet traffic through real home internet connections so it looks like ordinary browsing. </span><strong><span>The problem is that the &#8220;real home connections&#8221; belonged to people who never agreed to participate.</span></strong></p><p>In a single week in June 2026, Google&#8217;s Threat Intelligence Group observed <strong>316 distinct threat actor clusters</strong> using NetNut exit nodes. They included organized cybercriminal gangs and nation-state espionage groups using your neighbor&#8217;s router to mask password-spraying attacks against corporate targets, access stolen accounts, and reach their own criminal infrastructure.</p><p>This was the second major residential proxy takedown in six months. In January 2026, Google disrupted IPIDEA, an even larger network. During that operation, researchers observed <strong>over 550 threat groups</strong> routing attacks through home internet connections. IPIDEA had embedded its software into more than 600 Android apps and 3,000 Windows programs.</p><p><strong>After the IPIDEA takedown, its network rebuilt to full capacity within a single day by purchasing access from competitors. The demand for criminal traffic laundered through your home Wi-Fi did not disappear. It migrated.</strong></p><h2><strong>What &#8220;Exit Node&#8221; Means for You</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!WHgr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!WHgr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!WHgr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!WHgr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!WHgr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!WHgr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1277186,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/205793286?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!WHgr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!WHgr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!WHgr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!WHgr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa75dce31-f9a6-4b04-a060-7cff9601bd3e_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>When your device becomes an exit node in a residential proxy network, it means other people&#8217;s internet traffic is flowing through your home connection.</strong> Your IP address, the one your internet provider assigned to your house, is being rented out to strangers.</p><p>Here is what that looks like in practice:</p><p><strong>A criminal in another country wants to break into a company&#8217;s email system. </strong>If they attack from their own IP address, security tools flag and block it immediately. But if they route the attack through your router, the company&#8217;s security system sees a login attempt from a residential Comcast address in Ohio. That looks normal. It gets through.</p><p><strong>Your internet slows down.</strong> When unauthorized traffic is flowing through your connection, your bandwidth is being consumed by activity you did not initiate. Streaming buffers. Video calls drop. Downloads crawl.</p><p><strong>Your other devices are exposed.</strong> Google&#8217;s Threat Intelligence Group confirmed that once a device on your network becomes an exit node, attackers can access other devices on that same home network. Your laptop, your phone, your security cameras: all of them are now reachable from the outside.</p><p><strong>Your IP address gets flagged.</strong> When a criminal uses your connection to commit fraud, send spam, or launch attacks, your IP address is the one that shows up in the logs. You may find yourself blocked from websites, flagged by your internet provider, or in rare cases, investigated for activity you had nothing to do with.</p><h2><strong>How Devices Get Recruited</strong></h2><p>Your home devices can become proxy exit nodes through four main channels. None of them require you to do anything overtly reckless.</p><h3><strong>1. Free VPN apps</strong></h3><p>This is the most common path. Free VPN services need to pay for their infrastructure somehow. Many of them do it by enrolling your device in a residential proxy network. The terms of service disclose this, technically, buried in paragraphs of legal text that nobody reads. When you install the app and tap &#8220;Accept,&#8221; you are agreeing to let strangers route their traffic through your phone.</p><p>The FBI&#8217;s advisory on residential proxy networks specifically warns consumers to <strong>exercise caution before downloading free VPN applications</strong>.</p><h3><strong>2. &#8220;Bandwidth sharing&#8221; apps</strong></h3><p>Apps that promise to pay you for your &#8220;unused internet bandwidth&#8221; are doing exactly what they describe: they are selling your connection to third parties. Some of those third parties are advertisers running market research. Others are criminals who need a clean IP address. The app does not distinguish between them.</p><h3><strong>3. Pirated software and media</strong></h3><p>Free games, cracked software, pirated movies, and torrented content frequently come bundled with malware that silently enrolls your device as a proxy node. You think you are getting a free copy of Photoshop. You are getting Photoshop and a second job as an unwitting accomplice.</p><h3><strong>4. Devices that arrive compromised from the factory</strong></h3><p><strong>This is the channel that should concern you most, because it requires no mistake on your part.</strong></p><p>In June 2026, the <em>Wall Street Journal</em> tested five cheap smart home devices purchased from Amazon and Walmart: two digital picture frames and three streaming boxes. <strong>All five were compromised out of the box.</strong> Within minutes of being plugged in, each device began routing traffic from users around the world through the buyer&#8217;s home internet connection. Visits to gambling sites, cryptocurrency platforms, and other destinations started flowing through connections belonging to ordinary families who had just opened a box from Amazon.</p><p>The Digital Citizens Alliance estimates that <strong>20 million American homes</strong> currently have at least one infected device. The proxy software is baked into the firmware at the factory. Firmware updates cannot remove it because the manufacturer put it there intentionally.</p><p><strong>US intelligence agencies have confirmed that Chinese state-sponsored hacking groups Volt Typhoon and Flax Typhoon route espionage traffic through exactly this kind of compromised consumer device infrastructure</strong>. A joint advisory issued in April 2026 by CISA, the FBI, the NSA, and eleven international cyber agencies described this as a deliberate strategic shift.</p><h2><strong>The Numbers</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!EZqk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!EZqk!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!EZqk!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!EZqk!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!EZqk!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!EZqk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1093148,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/205793286?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!EZqk!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!EZqk!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!EZqk!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!EZqk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa0db7a7a-c406-4153-bfef-33ed23e49f9f_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><ul><li><p><strong>2 million+</strong> devices in the NetNut botnet at the time of the FBI seizure</p></li><li><p><strong>550+</strong> threat groups observed using the IPIDEA network in a single week</p></li><li><p><strong>316</strong> threat clusters observed using NetNut exit nodes in a single week in June 2026</p></li><li><p><strong>20 million</strong> US homes estimated to have at least one infected device</p></li><li><p><strong>5 out of 5</strong> cheap smart devices tested by the <em>Wall Street Journal</em> were compromised out of the box</p></li><li><p><strong>42%</strong> of LG webOS apps and <strong>25%+</strong> of Samsung Tizen apps found to contain residential proxy SDKs</p></li><li><p><strong>65%</strong> of enterprise customers queried domains associated with residential proxy networks in 2026</p></li></ul><h2><strong>Is Your Network Compromised Right Now?</strong></h2><p><span>There is a way to check. Spur, an internet intelligence firm that participated in both the IPIDEA and NetNut investigations, offers a </span><a href="https://spur.us/context/me">free public tool</a><span> that analyzes whether your home IP address is currently registered as a proxy node.</span></p><p>Visit the tool from your home Wi-Fi (not from a VPN or cellular connection). If it shows your IP is flagged as a residential proxy, one of your device is likely  an exit node.</p><p>Beyond that, here are signs that something on your network is working a second shift:</p><ul><li><p><strong>Unexplained slowdowns.</strong> If your internet speed drops without an obvious reason (no one streaming, no large downloads), unauthorized traffic may be consuming your bandwidth.</p></li><li><p><strong>Higher-than-normal data usage.</strong> Check your internet provider&#8217;s dashboard for your monthly data consumption. A sudden spike that does not match your household&#8217;s habits is worth investigating.</p></li><li><p><strong>Devices running hot or draining battery faster.</strong> Proxy malware keeps the network adapter active even when the screen is off. A phone or tablet that runs warm while sitting idle on a nightstand may be routing traffic.</p></li><li><p><strong>Getting blocked from websites.</strong> If you start seeing CAPTCHAs on every site or get blocked from services you normally access, your IP address may have been flagged for suspicious activity that someone else is performing through your connection.</p></li></ul><h2><strong>The Fix: Five Things You Can Do This Week</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!8fEu!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!8fEu!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8fEu!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8fEu!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!8fEu!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!8fEu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1134756,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/205793286?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!8fEu!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!8fEu!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!8fEu!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!8fEu!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9016c942-de93-452a-a826-b22eb57d32ce_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>1. Check your router&#8217;s admin panel.</strong></h3><p><em><strong><span>The FTC has a </span><a href="https://consumer.ftc.gov/articles/how-secure-your-home-wi-fi-network">step-by-step guide</a><span> for logging in. </span></strong></em><span>The short version: look at the sticker on the bottom of your router for the admin address and default password, or search &#8220;[your router brand] admin login&#8221; online. Once you are in, look at the list of connected devices and disconnect anything you do not recognize. While you are there, make sure your router&#8217;s firmware is up to date. Most routers have an &#8220;Update&#8221; button in the admin panel. If your router is more than five years old, it may no longer receive updates, which means known vulnerabilities will never be patched. That is worth a replacement.</span></p><h3><strong>2. Delete free VPN apps.</strong></h3><p>If you installed a free VPN on your phone, tablet, or streaming device, remove it. If you need a VPN, pay for one from a reputable provider with a clear privacy policy and a track record of independent audits. The cost is typically $3 to $8 per month. <strong>If the VPN is free, you are the product.</strong></p><h3><strong>3. Audit your streaming devices.</strong></h3><p>If you own a cheap streaming box, smart TV dongle, or digital picture frame from an off-brand manufacturer, check whether it carries Google Play Protect certification. On Android devices: open the Google Play Store, tap your profile icon, go to <strong>Settings &gt; About</strong>, and look for &#8220;Device is certified.&#8221; If it says anything else, or if the Play Store is not present, treat the device as suspect. <strong>The FBI specifically warns against devices that ask you to disable Play Protect during setup.</strong></p><h3><strong>4. Set up a guest network.</strong></h3><p>Most modern routers support a guest Wi-Fi network. Put your IoT devices (smart TVs, streaming boxes, smart speakers, cameras, picture frames) on the guest network and keep your computers and phones on the primary network. This way, if a smart device is compromised, it cannot reach your laptop or phone.</p><h3><strong>5. Stop downloading pirated content.</strong></h3><p>This is the advice nobody wants to hear. Free games, cracked software, and pirated movies are the primary delivery vehicle for proxy malware. The FBI&#8217;s advisory names this as a top infection vector. A $15 streaming subscription is cheaper than having your home network conscripted into a criminal botnet.</p><h2><strong>The Bottom Line</strong></h2><p>Your home router is the front door to your digital life. Everything in your house connects through it: your banking, your email, your kids&#8217; homework, your security cameras. When a criminal turns that router into an exit node, they are not just borrowing your internet connection. They are standing inside your network, with access to everything connected to it, using your address as their alibi.</p><p>The FBI and Google just shut down a network that had conscripted two million devices. But the market for residential proxies did not disappear with it. After the last takedown in January, the network rebuilt in a single day. The next one is already being assembled.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-home-router-takeover?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-home-router-takeover?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-home-router-takeover?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><p>Take fifteen minutes this week. Log into your router. Delete the free VPN. Check your streaming boxes. Set up a guest network. Run the Spur check on your IP address.</p><p>Two million devices were working for criminals last week. Make sure yours is not one of them.</p><div><hr></div><p>If you believe your devices have been compromised:</p><ul><li><p><strong>FBI IC3:</strong> <a href="https://ic3.gov/">ic3.gov</a></p></li><li><p><strong>FTC:</strong> <a href="https://reportfraud.ftc.gov/">reportfraud.ftc.gov</a> or 877-382-4357</p></li><li><p><strong>Spur IP Check:</strong> <a href="https://spur.us/context">spur.us/context</a></p></li><li><p><strong>Your ISP:</strong> Contact your internet provider if your IP has been flagged; they can issue a new address</p></li></ul><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://krebsonsecurity.com/2026/07/fbi-seizes-netnut-proxy-platform-popa-botnet/">FBI Seizes NetNut Proxy Platform, Popa Botnet</a> (Krebs on Security, July 2026)</p></li><li><p><a href="https://cloud.google.com/blog/topics/threat-intelligence/google-continued-disruption-residential-proxy-networks">Google&#8217;s Continued Disruption of Malicious Residential Proxy Networks</a> (Google Cloud Blog, July 2026)</p></li><li><p><a href="https://thehackernews.com/2026/07/google-disrupts-netnut-residential.html">Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices</a>(The Hacker News, July 2026)</p></li><li><p><a href="https://www.bleepingcomputer.com/news/security/netnut-proxy-network-disrupted-2-million-infected-devices-cut-off/">NetNut proxy network disrupted, 2 million infected devices cut off</a>(BleepingComputer, July 2026)</p></li><li><p><a href="https://www.malwarebytes.com/blog/news/2026/07/netnut-botnet-takes-a-hit-dont-be-part-of-the-next-one">NetNut botnet takes a hit. Don&#8217;t be part of the next one.</a> (Malwarebytes, July 2026)</p></li><li><p><a href="https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network">Disrupting the World&#8217;s Largest Residential Proxy Network</a> (Google Cloud Blog, January 2026)</p></li><li><p><a href="https://www.techlicious.com/blog/amazon-walmart-photo-frame-streaming-box-malware/">Cheap Amazon TV boxes and photo frames are secretly committing crimes</a>(Techlicious, June 2026)</p></li><li><p><a href="https://www.techtimes.com/articles/319625/20260703/fbi-google-disrupt-netnut-botnet-that-rented-2-million-home-devices-spies.htm">FBI and Google Disrupt NetNut Botnet That Rented 2 Million Home Devices to Spies</a>(TechTimes, July 2026)</p></li><li><p><a href="https://www.infosecurity-magazine.com/news/fbi-google-take-down-netnut-proxy/">FBI, Google Take Down NetNut Proxy Network Used by Cyber Threat Actors</a>(Infosecurity Magazine, July 2026)</p></li></ul><div><hr></div><p><em>Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out <a href="https://edge.intruvent.com/">Intruvent Edge</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Intruvent EDGE: Ransomware Just Started Using Zero-Days. The Patch Window Is Now Gone.]]></title><description><![CDATA[The most prolific ransomware crew of 2026 spent zero-day money to get inside your VPN. Here is what that changes for how you defend the edge.]]></description><link>https://edge.intruvent.com/p/intruvent-edge-ransomware-just-started</link><guid isPermaLink="false">https://edge.intruvent.com/p/intruvent-edge-ransomware-just-started</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Thu, 02 Jul 2026 17:44:26 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!frN-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!frN-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!frN-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 424w, https://substackcdn.com/image/fetch/$s_!frN-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 848w, https://substackcdn.com/image/fetch/$s_!frN-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 1272w, https://substackcdn.com/image/fetch/$s_!frN-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!frN-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png" width="1080" height="1211" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1211,&quot;width&quot;:1080,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1785646,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffe7063b9-e42d-4112-9b23-2913f3643f7b_1080x1350.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!frN-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 424w, https://substackcdn.com/image/fetch/$s_!frN-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 848w, https://substackcdn.com/image/fetch/$s_!frN-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 1272w, https://substackcdn.com/image/fetch/$s_!frN-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd367319b-e481-478d-a813-ebf18d3eeb83_1080x1211.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>For years, the deal with ransomware was simple. The affiliates were opportunists. They swept the internet for unpatched Fortinet boxes, aging Veeam servers, and SonicWall appliances that someone forgot to update. If you patched inside the vendor&#8217;s window and stayed current with CISA&#8217;s Known Exploited Vulnerabilities catalog, you were faster than the criminals. <strong>That was the whole strategy: do not be the slowest gazelle.</strong></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p><strong>In June 2026, the most prolific ransomware operation on earth broke that deal. Qilin exploited a Check Point VPN vulnerability that was live in the wild for a full month before the vendor disclosed it.</strong> <em><strong>There was no patch to be behind on.</strong></em> The window you were supposed to beat did not exist yet.</p><p><strong>This is the capability that used to belong to nation-states. It now belongs to a criminal enterprise</strong> that claimed roughly 141 organizations in a single trailing 30-day window, more than double its closest competitor. Here is what happened, why it matters more than the CVE score suggests, and what to do about an edge device you have been treating as trustworthy.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!QOms!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!QOms!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 424w, https://substackcdn.com/image/fetch/$s_!QOms!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 848w, https://substackcdn.com/image/fetch/$s_!QOms!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!QOms!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!QOms!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg" width="1024" height="753" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:753,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:235276,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe3553022-0795-4944-8ba4-24e0bba76b4b_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!QOms!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 424w, https://substackcdn.com/image/fetch/$s_!QOms!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 848w, https://substackcdn.com/image/fetch/$s_!QOms!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!QOms!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc9920273-f940-45c1-8dc2-bf55f25a27da_1024x753.jpeg 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2><strong>What Happened</strong></h2><p>On June 8, 2026, Check Point disclosed CVE-2026-50751, a critical authentication bypass in its Security Gateway product. The flaw is pretty technical, but the short version is that an unauthenticated remote attacker can jump onto that system without a valid password. </p><p>The disclosure date is not the important date. <strong>The important date is May 7, one month earlier, which is when exploitation in the wild actually began.</strong> For a full month, attackers were bypassing authentication on internet-facing Check Point VPNs while the vulnerability had no CVE, no advisory, and no hotfix. That is the definition of a zero-day: exploited <em>before</em> the defender had any way to know it existed.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Ocmr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Ocmr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 424w, https://substackcdn.com/image/fetch/$s_!Ocmr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 848w, https://substackcdn.com/image/fetch/$s_!Ocmr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 1272w, https://substackcdn.com/image/fetch/$s_!Ocmr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Ocmr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png" width="1456" height="777" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:777,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:203036,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Ocmr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 424w, https://substackcdn.com/image/fetch/$s_!Ocmr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 848w, https://substackcdn.com/image/fetch/$s_!Ocmr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 1272w, https://substackcdn.com/image/fetch/$s_!Ocmr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F996a33a0-0b70-4265-a458-ffb229dc6b25_2400x1280.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The attribution is not ours to claim. <strong>Check Point Research assesses with medium confidence that the actor is a financially motivated operator using Qilin ransomware</strong>, based on binary analysis of the ELF payloads the attacker pulled from its own infrastructure after each bypass. Rapid7 independently corroborated two high-confidence cases, and watchTowr Labs published the root-cause analysis of the flaw. If that attribution holds, <strong>this is the first confirmed instance of Qilin operating on a zero-day, which reframes the group from a fast follower into something closer to an advanced persistent threat</strong> with a profit motive.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!o5GF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!o5GF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 424w, https://substackcdn.com/image/fetch/$s_!o5GF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 848w, https://substackcdn.com/image/fetch/$s_!o5GF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 1272w, https://substackcdn.com/image/fetch/$s_!o5GF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!o5GF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png" width="1456" height="607" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:607,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:172711,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!o5GF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 424w, https://substackcdn.com/image/fetch/$s_!o5GF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 848w, https://substackcdn.com/image/fetch/$s_!o5GF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 1272w, https://substackcdn.com/image/fetch/$s_!o5GF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7b88121b-fcb8-453c-9582-c126f4926106_2400x1000.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2><strong>Why a Zero-Day Changes the Ransomware Math</strong></h2><p>To understand why this matters, look at how ransomware affiliates have historically gained initial access. The playbook was n-day exploitation: wait for a vulnerability to be disclosed, reverse-engineer the patch, and race to exploit the organizations that had not applied it yet. The entire model depended on defender slowness. <strong>Akira built a franchise on exactly this, sweeping unpatched SonicWall (CVE-2024-40766) and FortiOS (CVE-2024-55591) appliances that lagged on updates.</strong></p><p>Against n-day exploitation, patching works. It is a race, and diligent teams win it. The organizations that get hit are the ones that fell behind.</p><p>Zero-day exploitation inverts the entire relationship. There is nothing to patch, no advisory to read, no KEV entry to prioritize. Every Check Point Remote Access VPN running IKEv1 was exploitable on May 7, and the most current, most diligent, most well-resourced security team in the world was exactly as exposed as the one that never patches anything. <strong>Speed stopped being a defense.</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PUXb!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PUXb!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 424w, https://substackcdn.com/image/fetch/$s_!PUXb!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 848w, https://substackcdn.com/image/fetch/$s_!PUXb!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 1272w, https://substackcdn.com/image/fetch/$s_!PUXb!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PUXb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png" width="1456" height="825" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:825,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:254592,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PUXb!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 424w, https://substackcdn.com/image/fetch/$s_!PUXb!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 848w, https://substackcdn.com/image/fetch/$s_!PUXb!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 1272w, https://substackcdn.com/image/fetch/$s_!PUXb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F72b57407-1cb9-4521-8286-b3ca2f533cd1_2400x1360.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This capability is expensive. Developing or acquiring a working zero-day against enterprise VPN infrastructure implies either in-house exploit development or a purchase from an initial access broker with serious resources. Ransomware groups have historically not spent money this way because they did not need to. n-day exploitation was cheap and it worked. Qilin choosing to operate at this level is a signal about where the economics of the top-tier ransomware operations have gone.</p><h2><strong>Who Is Qilin</strong></h2><p>Qilin has held the top of the ransomware leaderboard for five straight months through May 2026. The numbers, drawn from public leak-site tracking are staggering. In one trailing 30-day window they claimed  to have hit 141 organizations across at least 25 countries, more than double the next-most-active group. They posted 101 victims in May alone, the fifth consecutive month above 100, for 546 claimed victims through the first five months of the year. One caveat that public trackers stress: Qilin averages roughly 46 days between an attack and the leak-site listing, so today&#8217;s numbers reflect intrusions from one to two months ago and June&#8217;s total is still filling in.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!89xr!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!89xr!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 424w, https://substackcdn.com/image/fetch/$s_!89xr!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 848w, https://substackcdn.com/image/fetch/$s_!89xr!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 1272w, https://substackcdn.com/image/fetch/$s_!89xr!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!89xr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png" width="1456" height="801" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:801,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:299421,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!89xr!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 424w, https://substackcdn.com/image/fetch/$s_!89xr!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 848w, https://substackcdn.com/image/fetch/$s_!89xr!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 1272w, https://substackcdn.com/image/fetch/$s_!89xr!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F70a596fb-2a7b-4cc9-aa2f-1ebcad0a0710_2400x1320.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Three structural facts make Qilin more dangerous than the raw victim count suggests.</p><p><strong>It runs as a cartel.</strong> Since September 2025, Qilin has operated alongside LockBit and DragonForce in a shared arrangement, pooling affiliates and infrastructure. An affiliate who breaks into your network may deploy whichever of the three encryptors is operationally convenient. This also insulates the operation against takedown pressure, because dismantling one brand does not remove the shared affiliate pool or tooling.</p><p><strong>It pays affiliates well.</strong> Qilin reportedly offers operators a revenue split as high as 85 percent, which pulls skilled affiliates out of defunct operations and concentrates talent. A group that attracts the best affiliates and now supplies them with a VPN zero-day is a materially different threat than a commodity ransomware brand.</p><p><strong>It targets the edge.</strong> Qilin&#8217;s access pattern centers on internet-facing appliances: VPNs, backup infrastructure, and remote access gateways. CVE-2026-50751 fits this pattern precisely, and Check Point gateways sit at the IT and OT boundary in energy utilities, manufacturers, and industrial operators. An authentication bypass on that device is unauthenticated access to the exact chokepoint that is supposed to enforce perimeter trust.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pqss!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pqss!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 424w, https://substackcdn.com/image/fetch/$s_!pqss!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 848w, https://substackcdn.com/image/fetch/$s_!pqss!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 1272w, https://substackcdn.com/image/fetch/$s_!pqss!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pqss!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png" width="1456" height="777" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5176f135-072a-483a-984f-d08de4a75744_2400x1280.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:777,&quot;width&quot;:1456,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:186075,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!pqss!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 424w, https://substackcdn.com/image/fetch/$s_!pqss!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 848w, https://substackcdn.com/image/fetch/$s_!pqss!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 1272w, https://substackcdn.com/image/fetch/$s_!pqss!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5176f135-072a-483a-984f-d08de4a75744_2400x1280.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Jvwb!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Jvwb!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 424w, https://substackcdn.com/image/fetch/$s_!Jvwb!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 848w, https://substackcdn.com/image/fetch/$s_!Jvwb!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 1272w, https://substackcdn.com/image/fetch/$s_!Jvwb!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Jvwb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png" width="706" height="593" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/cf632d6a-0987-435c-919a-161398ed37bd_706x593.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:593,&quot;width&quot;:706,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:109787,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Jvwb!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 424w, https://substackcdn.com/image/fetch/$s_!Jvwb!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 848w, https://substackcdn.com/image/fetch/$s_!Jvwb!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 1272w, https://substackcdn.com/image/fetch/$s_!Jvwb!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcf632d6a-0987-435c-919a-161398ed37bd_706x593.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Why Traditional Controls Miss the Front End of This Attack</strong></p><p>The encryption stage of a Qilin attack is loud and obvious. The initial access stage, through this vulnerability, is quiet in a way that defeats most of the controls organizations rely on.</p><p><strong>The authentication looks successful because it is.</strong> The attacker establishes a valid VPN session. <strong>From the gateway&#8217;s perspective, a Remote Access connection was negotiated and accepted. There is no failed-login spike to alert on</strong>, because the bypass produces a successful authentication event, not a brute-force pattern.</p><p><strong>The vulnerable protocol is one most teams forgot they were running.</strong> IKEv1 is deprecated. Many organizations enabled it years ago for legacy client compatibility and never turned it off. It sits in the configuration, unused and unwatched, until it becomes the entry point.</p><p><strong>Patch-cadence metrics gave false comfort.</strong> A team measuring itself on mean-time-to-patch against KEV deadlines looked healthy through the entire month of exploitation. There was nothing to patch. The metric that was supposed to measure exposure was blind to it.</p><p><strong>The edge device is trusted by design.</strong> The VPN gateway is the thing that establishes trust for everything behind it. Once an attacker is through it with a valid session, they are inside the boundary that most internal monitoring assumes is friendly.</p><h2><strong>Detection and Hunting</strong></h2><p>Because there was a month of pre-disclosure exploitation, patching now is necessary but not sufficient. <strong>If you run Check Point Remote Access VPN with IKEv1, you must hunt the pre-patch window, not just apply the hotfix.</strong> The queries below are written generically. Adapt field names to your VPN and SIEM schema.</p><p><strong>Start at the network layer.</strong> The exploit lives in a single malformed IKEv1 packet. watchTowr Labs traced the root cause to the VPNExtFeatures Vendor ID payload: the gateway reads four attacker-controlled trailing bytes and writes them straight into an authentication flag register, letting the client set a bit that disables signature verification. Enable the Check Point IPS signatures released with the hotfix so the gateway rejects the crafted Vendor ID. watchTowr also published a detection artifact generator (their <code>watchTowr-vs-Check-Point-CVE-2026-50751</code> tool) that safely tests whether a gateway still accepts the malicious payload, which is the fastest way to confirm your remediation actually took.</p><h3><strong> DETECTION ONLY: VPN Sessions Established Over IKEv1 (May 7 Onward)</strong></h3><pre><code>-- Surface Remote Access / Mobile Access sessions negotiated over IKEv1
-- since the start of the exploitation window. IKEv1 should be rare or
-- absent in a modern deployment; every hit deserves review.
index=vpn sourcetype=checkpoint
  (action=session_established OR event=login)
  ike_version=&#8221;IKEv1&#8221;
  earliest=&#8221;05/07/2026:00:00:00&#8221;
| stats count, values(src_ip) as src_ips,
        min(_time) as first_seen, max(_time) as last_seen
        by user, gateway
| sort - count</code></pre><h3><strong>DETECTION ONLY: Successful VPN Auth Without a Preceding Credential Event</strong></h3><pre><code>-- A bypass yields a successful session with no password or MFA event
-- in front of it. Collect session and auth events together, group by
-- user + source, and flag any that established a session but never
-- produced a credential event. Correlate on a session/connection ID
-- instead of user+src_ip if your logs carry one (more precise).
index=vpn sourcetype=checkpoint
  (action=session_established OR event=mfa_challenge OR event=password_auth)
  earliest=&#8221;05/07/2026:00:00:00&#8221;
| stats sum(eval(if(action=&#8221;session_established&#8221;,1,0))) as sessions
        sum(eval(if(event=&#8221;mfa_challenge&#8221; OR event=&#8221;password_auth&#8221;,1,0))) as creds
        min(_time) as first_seen max(_time) as last_seen
        by user, src_ip
| where sessions &gt; 0 AND creds = 0
| table first_seen, last_seen, user, src_ip, sessions</code></pre><h3><strong>DETECTION ONLY: Post-VPN Lateral Movement From Gateway Client Pool (KQL)</strong></h3><pre><code>// New internal connections originating from VPN client-pool addresses
// reaching domain controllers, backup servers, or hypervisor management.
// ipv4_is_in_range() does the CIDR match; a plain string compare will not.
DeviceNetworkEvents
| where Timestamp &gt;= datetime(2026-05-07)
| where ipv4_is_in_range(LocalIP, &#8220;10.10.20.0/24&#8221;)   // set to your VPN client pool
| where RemoteIPType == &#8220;Private&#8221;
| where RemotePort in (3389, 445, 5985, 902, 443)    // RDP, SMB, WinRM, ESXi, HTTPS
| summarize Connections=count(), Targets=make_set(RemoteIP)
    by LocalIP, bin(Timestamp, 1h)
| where Connections &gt; 20</code></pre><p><em>All three queries are detection and triage aids. They will surface legitimate remote access alongside anomalies. Review the results with an analyst. Do not wire them to automated blocking, and do not block VPN client-pool ranges at the network level, because doing so will disrupt legitimate remote users.</em></p><h2><strong>What You Should Do</strong></h2><h3><strong>Immediate (Today)</strong></h3><ol><li><p><strong>Apply the Check Point hotfix for CVE-2026-50751</strong> across every Security Gateway running Remote Access or Mobile Access. Reference Check Point advisory sk185033.</p></li><li><p><strong>Disable IKEv1.</strong> If any gateway still negotiates IKEv1, turn it off and move remaining clients to IKEv2. The deprecated protocol is the vulnerable surface. Removing it closes the door independent of patch status.</p></li><li><p><strong>Hunt the May 7 to June 8 window.</strong> Run the queries above. Assume the appliance may have been reached before you patched, and look for the evidence rather than trusting the hotfix to be retroactive. It is not.</p></li><li><p><strong>Force-reset credentials and invalidate active VPN sessions</strong> if you find any IKEv1 session you cannot tie to a known user, then treat it as a potential intrusion and open an incident.</p></li></ol><h3><strong>This Week</strong></h3><ol><li><p><strong>Inventory every internet-facing remote access and edge appliance,</strong> not only Check Point. VPN concentrators, backup servers, and management interfaces are the assets ransomware groups now buy zero-days to reach.</p></li><li><p><strong>Segment the VPN client pool away from crown-jewel systems.</strong> Domain controllers, backup infrastructure, and hypervisor management should not be reachable directly from a freshly established VPN session without additional authentication.</p></li><li><p><strong>Verify backup immutability and recovery isolation.</strong> Qilin deletes shadow copies and inhibits recovery. Confirm at least one backup tier is offline or immutable and test that you can actually restore from it.</p></li><li><p><strong>Instrument the edge for behavior, not just patch state.</strong> Feed VPN session logs into your SIEM and baseline normal session origins and post-connection behavior so a bypass session stands out even when the authentication looks clean.</p></li></ol><h3><strong>Going Forward</strong></h3><ol><li><p><strong>Retire the patch-cadence-as-safety assumption.</strong> Mean-time-to-patch remains a useful hygiene metric, but it measures exposure to n-day threats only. Against a ransomware group with zero-day capability, it is silent. Add pre-disclosure hunting and edge-behavior monitoring to your program so your assurance does not depend on a patch existing.</p></li><li><p><strong>Treat edge appliances as pre-breach.</strong> Assume the internet-facing device can be reached by an unauthenticated attacker at any time and design what sits behind it accordingly. Defense in depth behind the VPN is the control that survives a zero-day; perimeter trust is the control that does not.</p></li><li><p><strong>Track the ransomware cartels as capability ecosystems.</strong> Qilin, LockBit, and DragonForce share affiliates and tooling. A new technique proven by one becomes available to all. Watch the cartel, not the brand on the ransom note.</p></li></ol><h2><strong>The Bigger Picture</strong></h2><p>The comfortable story about ransomware was that it targeted the careless. The groups were opportunists, the reasoning went, and opportunists take the easy target. Keep your patches current, keep your KEV deadlines, keep your appliances updated, and the criminals would move on to someone slower. For a long time that story was mostly true.</p><p>CVE-2026-50751 is the moment that story stopped being reliable. When the most prolific ransomware operation of the year is willing to spend zero-day money to get inside your VPN a month before anyone knows the flaw exists, <strong>being current is no longer the same as being safe</strong>. The defenders who patched on day one and the defenders who never patch were equally exposed for the entire month of May.</p><p>This does not mean patching is pointless. It means patching is table stakes, and the real defensive posture has moved past it. The organizations that weather this shift will be the ones that stopped trusting their edge devices, segmented aggressively behind them, protected their recovery path, and learned to hunt for the quiet successful login rather than the loud failed one. The organizations that keep measuring their safety by how fast they close a window will keep being surprised by the attacks that never opened one.</p><p>Nation-state tradecraft has been trickling down to criminal operations for a decade. This is the trickle becoming a stream. Plan for the version of ransomware that does not wait for your patch cycle, because it is already here and it is claiming more than a hundred organizations a month.</p><div><hr></div><h1>Indicators of Compromise</h1><p><strong>Source:</strong> <strong>The atomic indicators (IP addresses and file hashes) in this section are published by Check Point Research in advisories sk185033 and sk185035</strong>. The behavioral and host indicators are drawn from Check Point, Rapid7, and watchTowr Labs reporting. Intruvent has aggregated and tiered them for operational use; we did not independently source them from our own casework.</p><p>Check Point updates its list over time, so treat the primary advisory as authoritative and pull the current version before you operationalize anything here.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!YrBm!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!YrBm!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 424w, https://substackcdn.com/image/fetch/$s_!YrBm!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 848w, https://substackcdn.com/image/fetch/$s_!YrBm!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 1272w, https://substackcdn.com/image/fetch/$s_!YrBm!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!YrBm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png" width="702" height="1308" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1308,&quot;width&quot;:702,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:180851,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!YrBm!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 424w, https://substackcdn.com/image/fetch/$s_!YrBm!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 848w, https://substackcdn.com/image/fetch/$s_!YrBm!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 1272w, https://substackcdn.com/image/fetch/$s_!YrBm!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5b2097a3-af45-485e-9912-bda1f4720a23_702x1308.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>&#9888; Blocking Guidance (read before you act)</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!xZSa!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!xZSa!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 424w, https://substackcdn.com/image/fetch/$s_!xZSa!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 848w, https://substackcdn.com/image/fetch/$s_!xZSa!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 1272w, https://substackcdn.com/image/fetch/$s_!xZSa!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!xZSa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png" width="709" height="593" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:593,&quot;width&quot;:709,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:122453,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204698682?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!xZSa!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 424w, https://substackcdn.com/image/fetch/$s_!xZSa!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 848w, https://substackcdn.com/image/fetch/$s_!xZSa!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 1272w, https://substackcdn.com/image/fetch/$s_!xZSa!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b6d1c6b-21be-4814-9186-a2d4fcea3ed4_709x593.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-ransomware-just-started?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-ransomware-just-started?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/intruvent-edge-ransomware-just-started?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p>Check Point Research, state-of-exploitation analysis and Qilin attribution (medium confidence, binary analysis), June 2026</p></li><li><p>Check Point advisories and hotfix, support references sk185033 and sk185035 (mitigation: IKEv2-only, mandatory machine certificate, IPS signatures; atomic IOCs)</p></li><li><p>NVD, CVE-2026-50751: nvd.nist.gov/vuln/detail/CVE-2026-50751 (CVSS 9.3, CWE-287)</p></li><li><p>CISA Known Exploited Vulnerabilities Catalog, entry added June 8, 2026 (known ransomware campaign use, federal due date June 11)</p></li><li><p>BleepingComputer, &#8220;Check Point links VPN zero-day attacks to Qilin ransomware gang,&#8221; June 2026</p></li><li><p>SecurityWeek, &#8220;Check Point VPN Zero-Day Exploited in Qilin Ransomware Attacks,&#8221; June 2026</p></li><li><p>Rapid7 emergent threat response, CVE-2026-50751 (two high-confidence exploitation cases)</p></li><li><p>watchTowr Labs, &#8220;Marking Your Own Homework,&#8221; root-cause analysis and detection artefact generator (watchTowr-vs-Check-Point-CVE-2026-50751)</p></li><li><p>Help Net Security (exploitation and PoC coverage, June 8 and June 12, 2026) and The Hacker News, June 8, 2026</p></li><li><p>Breachsense May 2026 ransomware report and Privacy Insight Solutions Qilin profile (victim volume, leaderboard, 46-day listing lag)</p></li></ul><p><em>Attribution note: the CVE-2026-50751-to-Qilin linkage is Check Point Research&#8217;s medium-confidence assessment, independently corroborated by Rapid7 and watchTowr Labs. Qilin victim counts are derived from public leak-site tracking (Breachsense, Privacy Insight Solutions, Comparitech), which tends to run high, and are presented as claimed figures.</em></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Voice Cloning Scams]]></title><description><![CDATA[One in four Americans has already received a deepfake voice call. The FBI's top defense costs nothing and takes 30 seconds.]]></description><link>https://edge.intruvent.com/p/prevent-this-voice-cloning-scams</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-voice-cloning-scams</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 30 Jun 2026 17:01:30 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!6Fpw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6Fpw!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6Fpw!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!6Fpw!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!6Fpw!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!6Fpw!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6Fpw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/ae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1152227,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204199116?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!6Fpw!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!6Fpw!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!6Fpw!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!6Fpw!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fae8fad11-5683-4350-9efc-42005bfb4908_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone. <em>If you found us through Intruvent Edge, our bi-weekly technical deep dive, welcome. </em>Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><p>Three seconds of audio. That is all it takes to clone a human voice with enough accuracy to fool the person who raised it.</p><div><hr></div><h2><strong>The Call That Sounded Exactly Like Her Daughter</strong></h2><p><strong>Deborah Del Mastro was at home when her phone rang. A man on the other end said he had kidnapped her daughter and wanted $20,000 for her release.</strong> Before Deborah could respond, she heard her daughter&#8217;s voice. Crying. Pleading. Begging for help.</p><p>It sounded exactly like her.</p><p>Deborah sent <strong>$5,000</strong> before she was able to confirm that her daughter was safe, sitting at her own kitchen table in another city, completely unaware that anything had happened.</p><p><strong>In Florida, another woman heard what she believed was her daughter sobbing after a serious car accident. She sent $15,000</strong>. Her daughter had not been in any accident.</p><p><strong>In Hong Kong, a finance worker joined what appeared to be a routine video call with colleagues. Every face on the screen was familiar. Every voice matched. He followed instructions from his CFO to transfer funds across several accounts. By the time anyone realized the entire call had been fabricated, $25 million was gone.</strong></p><p>None of these people were careless. None of them ignored warning signs. They heard a voice they trusted, and they responded the way any of us would.</p><p>The voice was fake. The emotion it triggered was real. And that gap between what you hear and what is actually happening is where the money goes.</p><h2><strong>How Three Seconds Becomes a Perfect Copy</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kjSd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kjSd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 424w, https://substackcdn.com/image/fetch/$s_!kjSd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 848w, https://substackcdn.com/image/fetch/$s_!kjSd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!kjSd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kjSd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg" width="1024" height="670" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:670,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:100420,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204199116?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kjSd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 424w, https://substackcdn.com/image/fetch/$s_!kjSd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 848w, https://substackcdn.com/image/fetch/$s_!kjSd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!kjSd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff4889391-0f61-4a8b-9a6b-7f74872e2b65_1024x670.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Voice cloning technology has existed in research labs for years. What changed in 2025 and 2026 is that it became fast, cheap, and available to anyone with an internet connection.</p><p>Here is how it works in practice:</p><p><strong>Step 1: Harvest.</strong> The scammer needs a sample of the target&#8217;s voice. A birthday video on Instagram. A work presentation posted to LinkedIn. A voicemail greeting. A TikTok. A podcast appearance. Three seconds of clear audio is enough for modern cloning tools to build a working voice model. Longer samples produce better results, but the minimum threshold is startlingly low.</p><p><strong>Step 2: Clone.</strong> The audio sample is fed into a voice synthesis tool. Some of these tools are commercial products marketed for legitimate uses (audiobook narration, accessibility, content creation). Others are open-source models that anyone can download and run on a laptop. The tool analyzes the pitch, cadence, rhythm, and tonal characteristics of the voice and builds a model that can say anything typed into a text box.</p><p><strong>Step 3: Call.</strong> The scammer places a phone call using the cloned voice. Some run the voice model in real time, typing responses and having the AI speak them aloud during the conversation. Others pre-record a few panicked phrases (&#8220;Mom, help me,&#8221; &#8220;Please, I&#8217;m scared,&#8221; &#8220;They won&#8217;t let me go&#8221;) and play them in the background while a human handler runs the negotiation.</p><p>The phone number on caller ID can be spoofed to show the victim&#8217;s real number. The voice sounds right. The area code matches. The emotional context (an accident, an arrest, a kidnapping) is designed to shut down the part of your brain that would normally pause and verify.</p><p>The entire setup costs less than a restaurant dinner. Some voice cloning tools are free.</p><h2><strong>The Numbers</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!AP2K!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!AP2K!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!AP2K!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!AP2K!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!AP2K!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!AP2K!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:952368,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204199116?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!AP2K!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!AP2K!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!AP2K!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!AP2K!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9792b974-f9d9-468f-ab3a-a1db336e61d4_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The FBI&#8217;s Internet Crime Complaint Center reported <strong>$893 million</strong> in losses to AI-powered scams in 2025, including voice cloning, AI-generated phishing, and deepfake fraud. That figure sits inside a record <strong>$20.9 billion</strong> in total reported cybercrime losses for the year, up 26% from the year before.</p><p><strong>One in four Americans has received an AI-generated deepfake voice call in the past year. Not one in a hundred. Not one in ten. One in four.</strong> If you are reading this in a room with three other people, statistically one of you has already gotten the call.</p><p>The FCC classified AI-generated voices in robocalls as illegal under the Telephone Consumer Protection Act earlier this year, giving state attorneys general the authority to prosecute. But enforcement lags behind the technology. The tools are getting cheaper and more convincing faster than regulators can respond.</p><p>The people most frequently targeted are older adults. The FBI&#8217;s warning specifically highlights seniors worried about children and grandchildren as the primary audience for these scams. But the Hong Kong case proves this is not a &#8220;grandparent problem.&#8221; A trained finance professional on a video call with familiar faces still got fooled. The technology works on anyone whose first instinct is to help someone they love.</p><h2><strong>Why Your Brain Falls for It</strong></h2><p><strong>Voice is one of the most trusted signals we have. You learned your mother&#8217;s voice before you learned her face. A crying child, a panicked spouse, a frightened parent: these sounds bypass rational thought and go straight to action.</strong> Scammers have understood this for decades. What AI gave them is the ability to put any voice they want on the other end of the phone.</p><p>The old version of this scam, sometimes called the &#8220;grandparent scam,&#8221; relied on a vague impersonation. The caller would say &#8220;Grandma, it&#8217;s me&#8221; and let the victim fill in the name. It worked often enough to be profitable, but it also failed often enough that alert targets could catch it.</p><p>The AI version does not rely on vagueness. The voice is specific. It sounds like one person and only that person. When the scammer says &#8220;Mom, I&#8217;m in trouble,&#8221; it sounds like your kid. Not a kid. Your kid.</p><p>That specificity is what makes the scam so effective, and it is also what makes the defense so simple.</p><h2><strong>The Fix: One Text Message, Right Now</strong></h2><p><strong>The FBI&#8217;s top recommendation for defending against voice cloning scams is free, takes 30 seconds, and does not require any technolog</strong>y:</p><p><strong>Set a family safe word.</strong></p><p><strong>Send a text message to every person you would call in an emergency: your parents, your kids, your spouse, your siblings, your closest friends. Pick a word or phrase that has no connection to anything public</strong>. Not your pet&#8217;s name (it&#8217;s on Instagram). Not your street (it&#8217;s on your driver&#8217;s license). Not your high school mascot (it&#8217;s on Facebook).</p><p>Pick something random and private. &#8220;Purple stapler.&#8221; &#8220;Taco emergency.&#8221; &#8220;Foghorn.&#8221; Anything that an AI cannot guess because it was never posted, spoken, or written anywhere online.</p><p><strong>The rule is simple: if someone calls asking for money, help, or urgent action, you ask for the safe word first.</strong> If they cannot give it, you hang up and call the person directly at a number you already have saved.</p><p>An AI can clone a voice. It cannot clone a secret.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Aeo1!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Aeo1!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Aeo1!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Aeo1!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Aeo1!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Aeo1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:408733,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204199116?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Aeo1!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Aeo1!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Aeo1!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Aeo1!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F09627a27-5d95-49c9-8895-495d74b31d6d_1376x768.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h2><strong>What Else You Can Do</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kX4g!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kX4g!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!kX4g!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!kX4g!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!kX4g!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kX4g!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:129632,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/204199116?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kX4g!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!kX4g!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!kX4g!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!kX4g!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc1c4e205-8b0e-4283-b6e7-92f00d9bc027_1024x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>1. Hang up. Call back.</strong></h3><p>If you get a call from someone claiming to be a family member in distress, hang up and dial them directly. Use the number saved in your contacts, not a number the caller gives you. If the person is truly in danger, they will still be in danger 60 seconds from now when you call back. If they are not, you just saved yourself thousands of dollars.</p><p>This single step defeats the entire scam. Voice cloning only works if the call continues without interruption. The moment you break the connection and initiate your own, the illusion ends.</p><h3><strong>2. Lock down your voice online.</strong></h3><p>Scammers build voice clones from public audio. The less of your voice that exists online, the harder you are to clone.</p><ul><li><p><strong>Set social media to private.</strong> Instagram Reels, TikTok videos, Facebook Stories, and YouTube clips are the primary sources. You do not have to stop posting. You just need to control who can access your content.</p></li><li><p><strong>Change your voicemail greeting.</strong> A default carrier greeting (&#8220;The person you are calling is not available&#8221;) gives a cloner nothing to work with. A personalized greeting with your name and voice gives them everything they need.</p></li><li><p><strong>Think before you share voice notes.</strong> WhatsApp and iMessage voice notes are convenient. They are also perfect voice samples. In group chats with people you do not know well, consider typing instead.</p></li></ul><h3><strong>3. Watch for the red flags.</strong></h3><p>Even a convincing voice clone leaves clues if you know what to listen for:</p><p><strong>Unusual pauses or flat spots.</strong> Real-time voice cloning introduces tiny delays. If the &#8220;person&#8221; on the other end takes a beat too long to respond, or their voice lacks the natural ums and hesitations of real speech, something may be off.</p><ul><li><p><strong>Emotional pressure to act immediately.</strong> &#8220;Don&#8217;t hang up.&#8221; &#8220;Don&#8217;t call anyone.&#8221; &#8220;They said they&#8217;ll hurt me if you tell anyone.&#8221; Every version of this scam depends on urgency. The moment someone tells you not to verify, that is exactly when you should verify.</p></li><li><p><strong>Unusual payment methods.</strong> Wire transfers, Venmo, gift cards, cryptocurrency, Zelle. Legitimate emergencies (bail, hospital bills, accident costs) are never resolved with gift cards from CVS.</p></li></ul><h3><strong>4. Have the conversation with your parents.</strong></h3><p>If you have parents or grandparents who are not technically inclined, this is the article to share with them. <strong>The scam is specifically designed to exploit the people who love you most. A parent who hears their child screaming for help will act first and think second. That instinct is human nature, and the safe word gives them a pause button.</strong></p><p>Offer to set it up with them. Send the text. Pick the word together. Make sure they know: if anyone calls asking for money using your voice, ask for the word. If they do not have it, hang up and call back.</p><p>We <a href="https://edge.intruvent.com/p/prevent-this-life-event-scams">wrote in April</a> about scammers targeting people during their worst moments. Voice cloning is the tool that makes those scams work. The defense is the same: slow down, verify, and never let urgency override judgment.</p><h2><strong>The Bottom Line</strong></h2><p><strong>Three seconds of audio from a birthday video. That is all it takes to build a voice that can make your mother send $5,000 to a stranger.</strong></p><p>The technology is cheap, accessible, and improving every month. The FBI logged nearly <strong>$900 million</strong> in AI scam losses last year, and one in four Americans has already received a deepfake call. The FCC has made AI-generated robocalls illegal, but the law cannot move faster than a laptop with a free voice cloning tool and a spoofed phone number.</p><p>The fix does not require technology. It requires a conversation.</p><p>Send a text to your family today. Pick a word nobody else could guess. Agree that no matter how real a voice sounds, no matter how scared the caller seems, the word comes first. If they cannot say it, hang up and call back.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-voice-cloning-scams?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-voice-cloning-scams?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-voice-cloning-scams?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>An AI can sound exactly like the person you love most. It cannot know what you agreed on over breakfast.</p><div><hr></div><p>If you or someone you know has been targeted by a voice cloning scam:</p><ul><li><p><strong>FBI IC3:</strong> <a href="https://ic3.gov/">ic3.gov</a></p></li><li><p><strong>FTC:</strong> <a href="https://reportfraud.ftc.gov/">reportfraud.ftc.gov</a> or 877-382-4357</p></li><li><p><strong>Local law enforcement:</strong> File a police report, especially if money was sent</p></li><li><p><strong>Your bank:</strong> If funds were transferred, contact your bank&#8217;s fraud department immediately; some wire transfers can be recalled within 24 hours</p></li></ul><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://thehackernews.com/2026/06/fbi-warns-russian-intelligence-hackers.html">FBI PSA I-062626-PSA: Russian Intelligence Targeting Signal Backup Keys</a> (June 2026)</p></li><li><p><a href="https://www.click2houston.com/news/local/2026/06/02/fbi-warns-of-ai-voice-cloning-scam-that-mimics-loved-ones-in-distress/">FBI warns of AI voice cloning scam mimicking loved ones</a> (Click2Houston, June 2026)</p></li><li><p><a href="https://www.cnn.com/2026/05/29/tech/ai-voice-cloning-scams-protect-yourself">AI voice cloning scams are on the rise</a> (CNN, May 2026)</p></li><li><p><a href="https://moneywise.com/news/top-stories/fbi-ai-deepfake-voice-cloning-scams-losses">FBI: AI voice cloning scams drained nearly $900 million</a> (MoneyWise, 2026)</p></li><li><p><a href="https://www.savingadvice.com/articles/2026/05/19/10736104_fbi-issues-warning-deepfake-kidnappings-and-voice-clones-target-seniors-heres-how-to-stay-safe.html">FBI warning: deepfake kidnappings target seniors</a> (SavingAdvice, May 2026)</p></li><li><p><a href="https://www.savingadvice.com/articles/2026/05/21/10736407_ai-voice-cloning-scams-explode-one-in-four-people-have-encountered-them-losing-up-to-15000.html">1 in 4 people have encountered AI voice cloning scams</a> (SavingAdvice, May 2026)</p></li><li><p><a href="https://lumichats.com/blog/ai-voice-cloning-scams-2026-how-to-protect-yourself-family">AI voice cloning scams 2026: how to protect your family</a> (LumiChats)</p></li><li><p><a href="https://blog.myfinancialfreedomtracker.com/en/ai-scam-deepfake-fraud-protection-2026">AI scams stole $21 billion: how to protect yourself</a> (Financial Freedom Tracker, 2026)</p></li><li><p><a href="https://consumer.ftc.gov/consumer-alerts/2026/04/how-spot-top-scams-started-social-media">FTC: How to spot scams that start on social media</a> (April 2026)</p></li></ul><div><hr></div><p><em>Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out <a href="https://edge.intruvent.com/">Intruvent Edge</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Handing Over Your ID to a Stranger]]></title><description><![CDATA[74 million identity documents were exposed in the last three months. Most of them were handed over voluntarily. Here's how to prevent that from happening to you.]]></description><link>https://edge.intruvent.com/p/prevent-this-handing-over-your-id</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-handing-over-your-id</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 23 Jun 2026 17:30:23 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Ks7J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Ks7J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Ks7J!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Ks7J!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Ks7J!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Ks7J!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Ks7J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1054117,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/203275233?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Ks7J!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Ks7J!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Ks7J!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Ks7J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6987bc14-bfa2-49e9-bc1d-752692b19126_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>A $30 fishing license. A cruise vacation. A hotel check-in. A job application at McDonald&#8217;s. None of these should ruin your life. But for millions of people this year, handing over an ID for one of these everyday moments put them on a list they never asked to be on.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h2><strong>The Man Who Lost a Decade to a Stolen Social Security Number</strong></h2><p>Dan Kluver is a factory worker in Olivia, Minnesota. He coaches baseball. He teaches Sunday school. He spent four decades without ever getting into trouble.  He wants to get his story out there to prevent similar things from happening to you.</p><p>One day, Kluver got pulled over during a routine traffic stop. The officer told him his license had been suspended. Kluver had no idea why. It turned out there was a second driver&#8217;s license with his name on it being used in Missouri. <strong>Someone had purchased his Social Security number off the black market and had been living under his identity for 15 years.</strong></p><p>To the IRS, it looked like one Daniel Kluver was working several jobs across two states and paying taxes at a rate far below what he owed. The IRS started garnishing his paychecks. His wife Kristy emptied her savings before their 2012 wedding, sending a <strong>$6,000 check </strong>to cover the balance. Their relief lasted until the next tax season, when a new bill arrived. This one was for <strong>$22,000</strong>.</p><p>They spent the next decade living with the consequences. Annual tax audits. Budgets that never added up. Paychecks that arrived lighter than they should have been.</p><p>Then came the part that no credit monitoring service could have prevented. <strong>The person using Kluver&#8217;s identity was involved in a fatal car accident that killed a 68-year-old grandfather and injured his 9-year-old granddaughter. The name on the driver&#8217;s license at the scene? Daniel Kluver. A wrongful death lawsuit was filed against him.</strong></p><p>One stolen document. Fifteen years. A drained savings account, a decade of IRS audits, and a wrongful death lawsuit with his name on it.</p><p>Kluver&#8217;s story, <a href="https://www.willmarradio.com/news/guatemala-man-arrested-for-using-olivia-mans-i-d-for-the-past-15-years/article_a5700ef4-516e-445d-8e21-081ab0332f03.html">originally reported</a> in 2025, is the worst-case version of something that is now happening at industrial scale. The difference between 2010 and 2026 is volume. Back then, someone bought Kluver&#8217;s Social Security number from a single contact for cash. Today, companies are losing millions of identity documents at a time, and most of us are the ones handing them over.</p><p><em><span>There is a reason attackers are going after identity documents specifically, and not just credit card numbers.</span></em><span> On dark web marketplaces, a stolen credit card number sells for about </span><strong>$17</strong><span>. </span><strong><span>A stolen driver&#8217;s license sells for </span>$70 to $165</strong><span>. </span><strong><span>A U.S. passport scan goes for around </span>$100</strong><span>, </span><strong><span>and a verified physical passport can fetch </span>over $700</strong><span>. A complete identity package (name, SSN, date of birth, address, and a document scan to match) runs </span><strong>$1,000 or more</strong><span>. The pricing tells you exactly how criminals value these assets. A credit card can be cancelled with a phone call; its street value reflects that short shelf life. </span><strong><span>A passport number, a driver&#8217;s license number, a date of birth paired with a face? Those do not expire when someone reports them stolen. They hold their value for years, and the criminals buying them know it.</span></strong></p><h2><strong>The Year Your ID Became Everyone&#8217;s Business</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!NOx6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!NOx6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 424w, https://substackcdn.com/image/fetch/$s_!NOx6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 848w, https://substackcdn.com/image/fetch/$s_!NOx6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 1272w, https://substackcdn.com/image/fetch/$s_!NOx6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!NOx6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png" width="1022" height="910" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:910,&quot;width&quot;:1022,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:953751,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/203275233?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdc8e2be4-69a6-445c-83d1-2eaafc3f1ed5_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!NOx6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 424w, https://substackcdn.com/image/fetch/$s_!NOx6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 848w, https://substackcdn.com/image/fetch/$s_!NOx6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 1272w, https://substackcdn.com/image/fetch/$s_!NOx6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F47c86e54-2092-4b85-a0ef-7403e6642660_1022x910.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>In just the past few months, four breaches have exposed government-issued identity documents on a scale that would have been unthinkable a few years ago.</p><h3><strong>3 million fishing license buyers. Texas.</strong></h3><p><strong>On June 18, the Texas Parks and Wildlife Department disclosed that a third-party vendor handling hunting and fishing license sales had been breached.</strong> The attackers walked away with driver&#8217;s license numbers, passport numbers, email addresses, phone numbers, and home addresses belonging to <strong>3,087,721 Texans</strong>. Social Security numbers and credit card data were not included, but what was stolen is arguably worse in the long run: your driver&#8217;s license number does not change when it gets breached. You cannot call a bank and get a new one.</p><p>The investigation has not determined how the attackers got in or how long they had access. No group has claimed responsibility. Affected customers can enroll in one year of free credit monitoring through Kroll by calling <strong>844-959-7123</strong> before <strong>September 14, 2026</strong>.</p><h3><strong>6 million cruise passengers. Carnival.</strong></h3><p>In April, an attacker tricked a single Carnival Corporation employee into handing over their login credentials. <strong>That one compromised account gave the attacker access to the personal information of nearly 6 million customers</strong> across Carnival Cruise Line, Princess Cruises, Holland America, and Cunard. The stolen data included names, dates of birth, passport numbers, and driver&#8217;s license numbers.</p><p>The hacking group ShinyHunters claimed the attack and published 8.7 million records when Carnival declined to pay. Texas Attorney General Ken Paxton opened a formal investigation. Three lawsuits have been filed. As one commenter on a cruise forum put it: &#8220;Stolen credit information is kept forever. Two years of monitoring means nothing.&#8221;</p><h3><strong>1 million hotel guests. Worldwide.</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5Hky!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5Hky!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!5Hky!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!5Hky!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!5Hky!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5Hky!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:388908,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/203275233?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5Hky!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!5Hky!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!5Hky!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!5Hky!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff53f95b3-64e5-4c4a-8f4d-9076e79daa1c_1376x768.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>In May, a security researcher discovered that a Japanese hotel check-in platform called Tabiq, operated by a startup named Reqrea, had left <strong>over one million passport scans, driver&#8217;s licenses, and selfie verification photos</strong> sitting in an Amazon cloud storage bucket that was open to the public internet. No password. No authentication. Just a URL.</p><p>The files dated back to 2020. Six years of guest identity documents from hotels across Japan, belonging to travelers from countries around the world, accessible to anyone who found the link. Amazon&#8217;s cloud storage has been private by default since 2017. Making it public in 2026 requires actively overriding the default settings. Someone chose to do that.</p><p>The selfie verification photos are particularly concerning. These images are often linked to facial recognition workflows. Paired with the passport scans stored alongside them, they create a complete identity package: a face, a name, a document number, and a photo that proves they match.</p><h3><strong>64 million job applicants. McDonald&#8217;s.</strong></h3><p>Security researchers Ian Carroll and Sam Curry discovered that the AI chatbot McDonald&#8217;s uses to screen job applicants, <strong>a system called McHire built by a company called Paradox.ai, was secured with the admin password &#8220;123456.&#8221;</strong></p><p>That password gave them full administrator access to a test environment. From there, a basic vulnerability in the system let them pull up any applicant&#8217;s records by changing a number in the URL. The result: <strong>64 million records containing names, email addresses, phone numbers, chat transcripts from AI interviews, shift preferences, and personality test results were accessible.</strong></p><p>The password had been in place since 2019. The test account, according to Paradox.ai&#8217;s legal team, &#8220;had not been logged into since 2019 and frankly, should have been decommissioned.&#8221;</p><h2><strong>Why This Is Different from a Credit Card Breach</strong></h2><p>When your credit card number gets stolen, you call the bank, dispute the charges, and get a new card in a week. The process is annoying but it works. Credit card fraud has a well-established playbook: the card issuer eats the loss, you get a fresh number, and life moves on.</p><p>Identity documents do not work that way.</p><p>Your driver&#8217;s license number is issued by your state. It follows you for life unless you specifically request a new one (and not all states make that easy). Your passport number is tied to a physical document that costs $130 to replace and takes weeks to process. Neither changes automatically when a company that was holding a copy of it gets hacked.</p><p>And unlike a stolen credit card, where the damage is financial and contained, <strong>a stolen identity document can be used to:</strong></p><ul><li><p><strong>Open credit accounts in your name.</strong> New-account fraud is now the #1 type of identity crime, accounting for <strong>62% of all identity misuse cases</strong> per the Identity Theft Resource Center. Credit cards (41%), checking accounts (18%), and personal loans (9%) are the most common.</p></li><li><p><strong>Create a synthetic identity.</strong> Criminals combine your real driver&#8217;s license number with a fake name and date of birth to build a new persona that passes basic verification checks. Synthetic identity fraud is projected to cause <strong>$3.1 billion in losses</strong> in 2026.</p></li><li><p><strong>File taxes in your name.</strong> Dan Kluver spent a decade fighting IRS bills because someone else was earning income under his Social Security number. The IRS takes an average of <strong>22 months</strong> to resolve identity theft cases.</p></li><li><p><strong>Accumulate a criminal record in your name.</strong> If someone is pulled over or arrested while carrying your information, the charges and warrants go on your record. You may not find out until your next background check, job application, or traffic stop.</p></li></ul><p>The damage is slow, invisible, and cumulative. Only <strong>9% of victims</strong> who suffer financial impact are able to fully resolve their cases, according to the ITRC&#8217;s 2026 report. A quarter of all identity theft victims are now managing <strong>two or more concurrent incidents</strong> at the same time.</p><h2><strong>What Can You Do?</strong></h2><h3><strong>1. If you Don&#8217;t Need it, freeze your credit.</strong></h3><p>If you don&#8217;t plan on using your credit score to open any new accounts or take out any new loans, it may make sense to do a credit freeze.  A credit freeze prevents anyone (including you) from opening a new credit account until you temporarily lift the freeze. It is the single most effective defense against new-account fraud, which is now the dominant form of identity theft.</p><p>It is free. It takes about 10 minutes. You need to do it at all three bureaus:</p><ul><li><p><strong>Equifax:</strong> <a href="https://www.equifax.com/personal/credit-report-services/credit-freeze/">equifax.com/personal/credit-report-services/credit-freeze</a></p></li><li><p><strong>Experian:</strong> <a href="https://www.experian.com/freeze/center.html">experian.com/freeze/center.html</a></p></li><li><p><strong>TransUnion:</strong> <a href="https://www.transunion.com/credit-freeze">transunion.com/credit-freeze</a></p></li></ul><p>When you legitimately need to apply for credit (a mortgage, a car loan, a new credit card), you temporarily lift the freeze at the relevant bureau, complete your application, and re-freeze. The lift takes minutes.</p><h3><strong>2. Ask questions before handing over your ID.</strong></h3><p>My family almost learned this lesson the hard way. In the mid-1980s, my parents booked a hotel in Paris for a work trip. The name was nearly identical to a well-known luxury hotel, off by a single French numeral. We walked in, and there, behind the front desk, was a gold-framed portrait of Muammar Gaddafi. The clerk smiled at us enthusiastically. &#8220;Americans? Passports, please. We will hold them for you.&#8221;</p><p>My father was career military. He did not hand over the passports. My parents walked us back out the front door, checked the marquee, realized we were at the wrong hotel, and we (eventually) found the right one down the street. Back then there wasn&#8217;t an easy way to &#8220;google something,&#8221; or check Apple Maps.  There was just a portrait on the wall that told my parents everything they needed to know about who was asking for their documents.</p><p>Forty years later, the question is the same. The difference is that the portrait isn&#8217;t on the wall anymore. The clerk asking for your ID might be a website, an app, a self-check-in kiosk, or a third-party vendor you&#8217;ve never heard of. You do not get to see what&#8217;s behind the counter.</p><p>Most of us hand over our driver&#8217;s license without thinking about it. At a hotel front desk, a car rental counter, a sporting goods store, a doctor&#8217;s office. The person behind the counter asks, and we comply.</p><p>Start asking two questions:</p><ul><li><p><strong>&#8220;Do you need to scan it, or just see it?&#8221;</strong> There is a difference between verifying your identity (looking at your ID and confirming your name and face) and capturing your identity (scanning or photographing the document and storing a copy). Many businesses scan as a default when visual verification would suffice.</p></li><li><p><strong>&#8220;How long do you keep the copy?&#8221;</strong> If they scan it, your document is now a file on their system. Is it deleted after checkout? Kept for 30 days? Stored indefinitely? The Tabiq hotel system kept guest passport scans for six years in an unprotected cloud bucket. No guest was ever told.</p></li></ul><p>You will not always get a satisfying answer. But asking the question shifts the dynamic. It reminds the business that they are taking custody of something they are responsible for protecting.</p><h3><strong>3. Check if you are in the Texas or Carnival breaches.</strong></h3><p>If you have purchased a Texas hunting or fishing license, or if you have sailed on Carnival Cruise Line, Princess Cruises, Holland America, or Cunard, you may already be affected.</p><ul><li><p><strong>Texas Parks &amp; Wildlife:</strong> Call <strong>844-959-7123</strong> to confirm eligibility and enroll in free credit monitoring. Deadline: <strong>September 14, 2026</strong>.</p></li><li><p><strong>Carnival Corporation:</strong> Activate the free two-year TransUnion credit monitoring using the code in your notification letter. Deadline: <strong>August 31, 2026</strong>.</p></li><li><p><strong>Have I Been Pwned:</strong> Check whether your email appears in the Carnival breach (or any other) at <a href="https://haveibeenpwned.com/">haveibeenpwned.com</a>.</p></li></ul><h3><strong>4. Request a new driver&#8217;s license number from your state DMV.</strong></h3><p>If you know your driver&#8217;s license number was exposed in a breach, contact your state&#8217;s Department of Motor Vehicles and ask about getting a new number issued. Not all states make this easy, but most allow it in cases of documented identity theft or confirmed breach exposure. You will typically need a copy of the breach notification letter and a police report or FTC identity theft report.</p><h3><strong>5. Monitor your IRS account.</strong></h3><p><strong>Dan Kluver&#8217;s first warning sign was a tax bill for income he never earned.</strong> You can catch this early by creating an account at <a href="https://www.irs.gov/payments/your-online-account">IRS.gov</a> and checking your wage and income transcripts annually. If someone is filing taxes or earning income under your Social Security number, it will show up there before it shows up anywhere else.</p><p>You can also file an <strong>IRS Identity Protection PIN</strong> (IP PIN), a six-digit number that prevents anyone else from filing a tax return using your Social Security number. Request one at <a href="https://www.irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin">irs.gov/identity-theft-fraud-scams/get-an-identity-protection-pin</a>.</p><h2><strong>The Bottom Line</strong></h2><p>Dan Kluver handed over his Social Security number to an employer, the way all of us do. Someone else got hold of it, and his life was upended for 15 years. He lost thousands of dollars, endured a decade of audits, and found his name on a wrongful death lawsuit for an accident he had nothing to do with.</p><p>The difference between Kluver&#8217;s story and what is happening in 2026 is not the method. Identity theft works the same way it always has: someone gets a document with your name on it and uses it as if they were you. The difference is the supply. Three million fishing license buyers. Six million cruise passengers. One million hotel guests. Sixty-four million job applicants. These are not hacking victims in the traditional sense. They are people who did something ordinary (bought a license, booked a cruise, checked into a hotel, applied for a job) and trusted the company on the other side to protect what they handed over.</p><p>Some of those companies stored passport scans in public cloud buckets. Some secured admin accounts with the password &#8220;123456.&#8221; Some do not even know how the breach happened yet.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-handing-over-your-id?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-handing-over-your-id?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-handing-over-your-id?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p><span>You cannot control how a third party stores your identity documents after you hand them over. But you can freeze your credit so a stolen document cannot be used to open accounts in your name. You can ask whether a business actually needs to scan your ID or just see it. You can check your IRS transcripts for income you did not earn. And you can set an Identity Protection PIN so nobody files a tax return as you.</span></p><p>These steps take about 20 minutes total. Dan Kluver spent 15 years cleaning up the alternative.</p><div><hr></div><p>If you have been affected by any of the breaches discussed in this article:</p><ul><li><p><strong>FTC Identity Theft Report:</strong> <a href="https://www.identitytheft.gov/">identitytheft.gov</a></p></li><li><p><strong>Identity Theft Resource Center:</strong> <a href="https://www.idtheftcenter.org/">idtheftcenter.org</a> or 888-400-5530 (free, confidential assistance)</p></li><li><p><strong>IRS Identity Theft:</strong> <a href="https://www.irs.gov/identity-theft-fraud-scams">irs.gov/identity-theft-fraud-scams</a></p></li><li><p><strong>State DMV:</strong> Contact your state&#8217;s DMV to request a new driver&#8217;s license number if yours was exposed</p></li></ul><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.willmarradio.com/news/guatemala-man-arrested-for-using-olivia-mans-i-d-for-the-past-15-years/article_a5700ef4-516e-445d-8e21-081ab0332f03.html">Willmar Radio: Man arrested for using Olivia man&#8217;s ID for 15 years</a> (Dan Kluver case)</p></li><li><p><a href="https://techcrunch.com/2026/06/18/texas-government-data-breach-allowed-hackers-to-steal-3-million-drivers-licenses-and-passports/">TechCrunch: Texas government data breach, 3 million driver&#8217;s licenses and passports</a>(June 18, 2026)</p></li><li><p><a href="https://www.securityweek.com/texas-parks-wildlife-data-breach-affects-3-million-individuals/">SecurityWeek: Texas Parks &amp; Wildlife Data Breach Affects 3 Million</a> (June 2026)</p></li><li><p><a href="https://www.malwarebytes.com/blog/data-breaches/2026/05/carnival-confirms-data-breach-impacting-nearly-6-million">Malwarebytes: Carnival confirms breach impacting nearly 6 million</a> (May 2026)</p></li><li><p><a href="https://www.texasattorneygeneral.gov/news/releases/attorney-general-paxton-announces-ongoing-investigation-carnival-cruise-line-over-data-breach">Texas AG: Investigation into Carnival Cruise Line</a> (2026)</p></li><li><p><a href="https://techcrunch.com/2026/05/15/a-hotel-check-in-system-left-a-million-passports-and-drivers-licenses-open-for-anyone-to-see/">TechCrunch: Hotel check-in system left a million passports open</a> (May 15, 2026)</p></li><li><p><a href="https://www.securityweek.com/mcdonalds-chatbot-recruitment-platform-leaked-64-million-job-applications/">SecurityWeek: McDonald&#8217;s chatbot leaked 64 million job applications</a></p></li><li><p><a href="https://www.csoonline.com/article/4020919/mcdonalds-ai-hiring-tools-password-123456-exposes-data-of-64m-applicants.html">CSO Online: McDonald&#8217;s AI hiring tool&#8217;s password &#8220;123456&#8221;</a></p></li><li><p><a href="https://www.security.org/identity-theft/statistics/">Security.org: Identity Theft Statistics 2026</a></p></li><li><p><a href="https://www.idtheftcenter.org/post/2026-trends-in-identity-report-hacked-devices-overtake-scams/">ITRC: 2026 Trends in Identity Report</a></p></li><li><p><a href="https://www.cfodive.com/news/synthetic-identity-fraud-surges-criminals-weaponize-ai/822557/">CFO Dive: Synthetic identity fraud surges</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Prevent This: Your AI Disappearing Overnight]]></title><description><![CDATA[Anthropic's most powerful AI lasted 72 hours before the government ordered it turned off. Here's what that means for everyone who uses AI.]]></description><link>https://edge.intruvent.com/p/prevent-this-your-ai-disappearing</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-your-ai-disappearing</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 16 Jun 2026 18:46:33 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!2ZoR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>For those of you who do not know my background: I spent my undergraduate years studying artificial intelligence back when neural networks were all the rage and the kind of AI we use today was still a pipe dream. Fast forward to now, and the core products we build at Intruvent are powered by cutting-edge AI. Our BRACE platform uses AI research agents to capture the latest cyber intelligence across all 16 critical infrastructure sectors. Our dark web monitoring platform tracks threat actors, breaches, and stolen data in that dark, dingy underground. These tools rely on AI to do their jobs, every day, at scale.</p><p><strong>So when Anthropic released Claude Fable 5 and Mythos 5 last week, it was a genuine revelation for us. The leap in capability was obvious within hours.</strong> We immediately started upgrading our core codebases, integrating the newer and far superior technology into the platforms our clients depend on. The improvements were real, and they were significant.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><p>That all came to a screeching halt on Friday night when the U.S. government pulled the plug.</p><p>We lived this week&#8217;s Prevent This topic. Not because I have a side in the dispute between Anthropic and Washington, but because what happened affects everyone who uses AI for anything that matters, whether you are running a cybersecurity company or asking a chatbot to help with your taxes.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2ZoR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2ZoR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!2ZoR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!2ZoR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!2ZoR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2ZoR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1061208,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/202314730?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!2ZoR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!2ZoR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!2ZoR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!2ZoR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b72268f-9c15-460d-b3c8-89ad4b92aa4f_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2><strong>What Happened</strong></h2><p>On the evening of June 12, the U.S. Commerce Department sent Anthropic a letter invoking emergency national security provisions. <strong>The order: immediately suspend access to Fable 5 and Mythos 5 for all foreign nationals, whether they were overseas or working inside the United States.</strong></p><p>The stated reason was a security concern. A third party reported that a method existed to bypass some of Fable 5&#8217;s safety guardrails, a technique commonly called a &#8220;jailbreak.&#8221; The concern was that this method could allow the AI to help with cyberattack-related tasks it would normally refuse.</p><p>Anthropic disputes the severity. The company says the bypass was narrow, already known, and produced results that other publicly available AI models can generate without any jailbreak at all. In Anthropic&#8217;s view, pulling a model used by hundreds of millions of people over this kind of finding would mean no AI company could ever launch anything.</p><p>The government disagreed. The order came with no expiration date.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fkAO!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fkAO!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!fkAO!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!fkAO!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fkAO!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fkAO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/fa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:334986,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/202314730?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fkAO!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!fkAO!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!fkAO!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!fkAO!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ffa9dba12-928b-4f28-b40d-23e987d3f09d_1200x896.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Here is the part that matters for you: Anthropic could not figure out how to block foreign nationals while keeping the models running for everyone else. There is no reliable way to verify every user&#8217;s nationality across consumer accounts, business subscriptions, and software integrations in real time. So the company did the only thing it could do to comply: <strong>it turned both models off for everyone, everywhere.</strong></p><p>Fable 5 lasted <strong>72 hours</strong> from launch to shutdown.</p><h2><strong>Why Should You Care?</strong></h2><p>You might be thinking: I barely heard of Fable 5. I was using a different model anyway. This does not affect me.</p><p>Here is why it does.</p><p><strong>This is the first time a government has pulled a commercially available AI model off the market.</strong> Not a weapons system. Not classified technology. A consumer product that millions of people were using for work, school, writing, coding, and daily life, switched off by a letter from Washington with no public hearing, no advance notice, and no expiration date.</p><p>Whether you agree with the government&#8217;s reasoning or think Anthropic should have fixed the problem, the precedent is the same: <strong>the AI tool you rely on can disappear between breakfast and dinner.</strong></p><p>That has never happened before. Now it has.</p><p>And it is not just an Anthropic problem. Every major AI chatbot (ChatGPT, Gemini, Copilot, Claude) runs on servers controlled by a single company. If the government issues a similar order to any of them, the result would be the same. Your tool goes dark. Your conversations, your workflows, your saved prompts: all inaccessible until someone decides to turn it back on.</p><h2><strong>What Actually Went Wrong?</strong></h2><p>The technical details are still emerging, but here is what we know.</p><p>A security researcher (or group of researchers; the specifics have not been made fully public) found a way to get Fable 5 to do things it was designed to refuse. <strong>Specifically, the bypass reportedly allowed the model to analyze software code and identify vulnerabilities in ways that could be useful for building cyberattacks.</strong></p><p>Anthropic says this capability is not unique to Fable 5. Other AI models, including open-source models that anyone can download and run on a laptop, can do the same thing without needing a bypass at all. The company&#8217;s argument: you cannot justify shutting down one product for doing something that dozens of other products do openly.</p><p>The government&#8217;s position is different. Officials have said the jailbreak was serious enough to warrant immediate action, particularly given concerns that the technique may have been accessed by foreign actors.</p><p>Both sides are using the language of safety. Neither has made the full evidence public. What is public is the outcome: a model that was the most capable AI available to consumers on Tuesday was gone by Thursday.</p><h2><strong>What Does This Mean for You?</strong></h2><p>You do not need to pick a side in the Anthropic dispute to take something useful away from this. The lesson is simpler and more practical than that.</p><h3><strong>1. Do not put all your eggs in one AI basket.</strong></h3><p>If your work, your business, or your daily routine depends on a single AI tool, this week proved that tool can vanish without warning. That is not a criticism of any company. It is just how the technology works right now: you are renting access to software that runs on someone else&#8217;s servers, under someone else&#8217;s rules.</p><p><strong>Practical step: try a second AI tool this week.</strong> If you use Claude, try ChatGPT or Gemini for a few tasks. If you use ChatGPT, try Claude or Copilot. You do not need to switch. You just need to know your way around a backup so you are not scrambling if your primary tool goes offline.</p><h3><strong>2. Save your important conversations.</strong></h3><p>When Fable 5 shut down, users lost access to conversations they had started with that specific model. The conversations still exist in their accounts, but they cannot continue them or reference them in new chats the same way.</p><p>If you are using AI for anything you might need later (research, brainstorming, drafting, medical questions, financial planning), <strong>copy the important parts out.</strong> Paste them into a document, a note, an email to yourself. Do not treat your AI chat history as permanent storage. It is not.</p><h3><strong>3. Understand what &#8220;free&#8221; and &#8220;subscription&#8221; actually mean.</strong></h3><p>Anthropic is offering refunds to subscribers who signed up between June 9 and June 14, the window when Fable 5 was live. But the process has been uneven. Some users report getting refunds quickly; others are still waiting. EU customers have had better luck, partly because European consumer protection law gives a 14-day cooling-off period for digital services.</p><p>The broader point: when you pay for an AI subscription, you are paying for access to a service, not ownership of a product. The company can change, downgrade, or remove features at any time. Read the terms of service. Look for what happens if a model or feature is discontinued. Know your refund rights.</p><h3><strong>4. Keep your privacy habits regardless of which tool you use.</strong></h3><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!HxGS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!HxGS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HxGS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HxGS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HxGS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!HxGS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/c03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:164666,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/202314730?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0080b5bb-3f98-4e2f-b550-db4c37339841_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!HxGS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!HxGS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!HxGS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!HxGS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc03c339e-848f-4005-bb1a-1a1f3e0cd038_1024x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This is important&#8230;Whether the tool you use is Claude, ChatGPT, Gemini, Copilot, or anything else:</p><ul><li><p><strong>Turn off training data sharing</strong> if you do not want your conversations used to improve the model. Every major AI tool offers this setting. It is usually off by default.</p></li><li><p><strong>Do not share sensitive personal information</strong> (Social Security numbers, passwords, financial account details, medical records) in a chatbot. Treat it like a conversation in a coffee shop: helpful, but not private.</p></li><li><p><strong>Delete conversations you no longer need.</strong> Most tools let you clear your history. Less data stored means less data exposed if something goes wrong.</p></li></ul><p>[PRIVACY CHECKLIST GRAPHIC HERE]</p><p><strong>Quick settings guide:</strong></p><ul><li><p><strong>Claude (Anthropic):</strong> Settings &gt; Privacy &gt; &#8220;Do not train on my conversations&#8221;</p></li><li><p><strong>ChatGPT (OpenAI):</strong> Settings &gt; Data Controls &gt; &#8220;Improve the model for everyone&#8221; (toggle off)</p></li><li><p><strong>Gemini (Google):</strong> myactivity.google.com &gt; Gemini Apps &gt; Turn off activity</p></li><li><p><strong>Copilot (Microsoft):</strong> Settings &gt; Privacy &gt; Review data sharing options</p></li></ul><h2><strong>Will Fable 5 Come Back?</strong></h2><p>Nobody knows, and Anthropic cannot give you a date. The company has said it is working to restore access, but the export control order has no built-in expiration. Lifting it requires a new action from the Commerce Department. That could take days, weeks, or longer.</p><p>In the meantime, all other Claude models (Opus, Sonnet, Haiku) continue to work normally. If you were using Claude before Fable 5 launched, your experience has not changed.</p><h2><strong>The Bottom Line</strong></h2><p>Three days. That is how long the most capable consumer AI model in the world lasted before the government ordered it turned off. Whether you think the government was right to act or Anthropic was right to push back, the practical lesson is the same.</p><p>The AI tools we are all starting to depend on are powerful, useful, and genuinely helpful. They are also rented, centralized, and subject to forces outside your control and outside the company&#8217;s control. That does not mean you should stop using them. It means you should use them with your eyes open.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-your-ai-disappearing?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-your-ai-disappearing?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-your-ai-disappearing?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>Have a backup. Save your work. Protect your privacy. And do not assume that the tool you opened this morning will still be there tonight.</p><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.anthropic.com/news/fable-mythos-access">Anthropic: Statement on the US government directive</a> (June 2026)</p></li><li><p><a href="https://techcrunch.com/2026/06/12/anthropics-safety-warnings-may-have-just-backfired-the-government-has-pulled-the-plug-on-its-most-powerful-ai/">TechCrunch: Government pulls the plug on Anthropic&#8217;s most powerful AI</a> (June 12, 2026)</p></li><li><p><a href="https://time.com/article/2026/06/13/anthropic-fable-mythos-ban-US-security/">Time: Anthropic Pulls Its Most Powerful AI Models After U.S. Bars Foreign Access</a>(June 13, 2026)</p></li><li><p><a href="https://fortune.com/2026/06/13/anthropic-disables-fable-mythos-export-controls-national-security-threat/">Fortune: Anthropic disables Fable and Mythos after U.S. export controls</a> (June 13, 2026)</p></li><li><p><a href="https://www.cnn.com/2026/06/13/business/anthropic-mythos-model-national-security">CNN: Anthropic suspends all access to Mythos model</a> (June 13, 2026)</p></li><li><p><a href="https://snyk.io/blog/fable-mythos-suspension-security-takeaways/">Snyk: What the Fable 5 and Mythos 5 Suspension Means for Security Teams</a></p></li><li><p><a href="https://securityboulevard.com/2026/06/anthropics-claude-fable-5-jailbroken-to-bypass-built-in-safety-guardrails/">Security Boulevard: Claude Fable 5 Jailbroken to Bypass Safety Guardrails</a></p></li><li><p><a href="https://www.tomshardware.com/tech-industry/artificial-intelligence/trump-adviser-david-sacks-says-anthropic-refused-to-fix-fable-5-jailbreak-before-us-export-controls">Tom&#8217;s Hardware: Anthropic reportedly declined to fix jailbreak before export controls</a></p></li><li><p><a href="https://www.techtimes.com/articles/318342/20260613/us-government-pulls-anthropics-fable-5-offline-now-come-refunds-vanished-ai.htm">TechTimes: Refunds for a Vanished AI</a> (June 13, 2026)</p></li><li><p><a href="https://www.techpolicy.press/anthropics-mythos-recall-and-the-white-houses-missing-ai-safety-playbook/">TechPolicy.Press: The White House&#8217;s Missing AI Safety Playbook</a></p></li></ul><div><hr></div><p><em>Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out <a href="https://edge.intruvent.com/">Intruvent Edge</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Getting Scammed Before the First Whistle Blows]]></title><description><![CDATA[4,300 fake FIFA domains are live right now. One criminal group built pixel-perfect clones in 11 languages. Here's how to protect yourself.]]></description><link>https://edge.intruvent.com/p/prevent-this-getting-scammed-before</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-getting-scammed-before</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 02 Jun 2026 18:01:01 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Axut!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Axut!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Axut!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Axut!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Axut!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Axut!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Axut!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1144993,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/200313305?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Axut!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!Axut!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!Axut!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!Axut!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F1262c1bb-c39e-4058-9087-7ab825496ff8_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone. If you found us through Intruvent Edge, our bi-weekly technical deep dive, welcome. Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here.</p><p><strong>The 2026 FIFA World Cup kicks off June 11 across the United States, Canada, and Mexico.</strong> It is the biggest sporting event on earth, the first World Cup in North America in over 30 years, and scammers have been preparing for it longer than most fans have.</p><p><strong>The FBI issued a <a href="https://www.ic3.gov/PSA/2026/PSA260527">Public Service Announcement</a> last week warning that threat actors have built thousands of fake FIFA websites to steal personal information and sell tickets that do not exist</strong>. Researchers at Group-IB found over <strong>4,300 fraudulent domains</strong> mimicking fifa.com. One criminal group alone, a Chinese-speaking operation called <strong>Ghost Stadium</strong>, built pixel-perfect FIFA replicas across 300+ domains in 11 languages.</p><p>The World Cup is just the latest target. The same playbook runs year-round against anyone buying tickets to concerts, NFL games, festivals, Broadway shows, and anything else that sells out. <strong>One in three Americans</strong> has fallen victim to a ticket scam. If you have ever bought a ticket online, this applies to you.</p><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><div><hr></div><p>Ticket fraud is surging across the board. <strong>Reports of concert ticket scams rose 127% in 2024.</strong> One in eight Americans who bought tickets online in the last two years was defrauded. The average loss: <strong>$303 per person</strong>, according to the Better Business Bureau. For premium events (VIP packages, multi-day festivals, international matches), victims routinely lose over $1,000.</p><p>Every major event creates a spike. The World Cup is producing the largest one researchers have ever seen: over <strong>7,000 World Cup-themed domains</strong> registered in the last five months, more than 1,000 already live and running scams, and over <strong>1,000 fake social media accounts</strong> impersonating FIFA across every major platform. But the tactics are identical whether the target is a World Cup final or a Taylor Swift concert. If you know how to spot the scam once, you can spot it everywhere.</p><h2><strong>How It Works</strong></h2><p>Ticket scams fall into three categories, and they all rely on the same thing: you are in a hurry because the event is selling out, and you skip the step where you verify whether the seller is real.</p><p><strong>Fake websites</strong> account for 38% of ticket fraud reported to the BBB. Scammers build sites that look nearly identical to Ticketmaster, AXS, or an event&#8217;s official page. The URLs are close but not quite right: <code>ticktmaster.com</code> instead of <code>ticketmaster.com</code>, or <code>fiffa.com</code> instead of <code>fifa.com</code>. <strong>The FBI calls this typosquatting.</strong> The sites show real event dates, real venue photos, and real-looking seat maps. When you pay, the money goes to the attacker. The BBB currently lists over <strong>250 reported scams</strong> from fake Ticketmaster sites alone.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dWeT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dWeT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!dWeT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!dWeT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!dWeT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!dWeT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:255825,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/200313305?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dWeT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!dWeT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!dWeT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!dWeT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F40d8fa7f-c67c-4210-8aaf-41ad3951ad9a_1200x896.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>Social media sellers</strong> account for another 52%. Facebook, Instagram, X, TikTok, and resale groups on messaging platforms are flooded with people claiming to have tickets at face value or below. Some post fake screenshots of mobile tickets. Others build trust through comments and DMs over several conversations before sending a payment link. Once you send money through Venmo, Zelle, Cash App, or crypto, it is gone. There is no chargeback. There is no recourse. The seller disappears.</p><p><strong>Account takeovers</strong> target people who already have tickets. Fake login pages for Ticketmaster, AXS, or FIFA steal your credentials. The attacker changes the password, locks you out, transfers the tickets to their own account, and resells them. At Coachella 2026, fans were stranded at the gates after discovering their StubHub accounts had been hacked and their wristbands sold to someone else.</p><h2><strong>Who Gets Hit Hardest</strong></h2><p><strong>Younger buyers. 28% of victims are 25 to 34, and another 26% are 18 to 24.</strong> These are the age groups most likely to buy tickets through social media and peer-to-peer payment apps, which are the two highest-risk channels.</p><p>The Dutch National Police proved how easy it is to fall for this. They built a fake ticket site, ran ads for &#8220;exclusive tickets&#8221; to sold-out concerts, and tracked the results. Out of 7,402 people who visited the site, <strong>3,432 tried to buy tickets</strong>. Nearly half. The site redirected them to a police warning page instead of taking their money. Most real scam sites do not extend that courtesy.</p><h2><strong>What Can You Do?</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!n46y!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!n46y!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!n46y!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!n46y!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!n46y!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!n46y!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1020711,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/200313305?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0bb163ec-0241-47aa-a43e-73e4f236b622_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!n46y!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!n46y!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!n46y!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!n46y!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa280c2c1-dd0d-452b-a1ae-897ca1755abb_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>Before You Buy</strong></h3><ol><li><p><strong>Go directly to the source.</strong> Type the venue or ticketing platform&#8217;s URL into your browser. Do not click search ads, email links, or social media posts. Scammers buy sponsored search results that appear above the real site. If you are buying World Cup tickets, type <code>fifa.com</code>. If you are buying concert tickets, go to the venue&#8217;s website or the official ticketing partner listed there.</p></li><li><p><strong>Verify the URL before entering payment information.</strong> Look for misspellings, extra characters, or unusual domain endings. <code>ticketmaster.com</code> is real. <code>ticktmaster.com</code>, <code>ticketmaster-sales.net</code>, and <code>ticketmasterofficial.org</code> are not.</p></li><li><p><strong>Use authorized resale platforms only.</strong> If the event is sold out, stick to the official resale marketplace (Ticketmaster&#8217;s resale platform, AXS&#8217;s official resale, FIFA&#8217;s resale portal). These verify ticket authenticity before completing the transfer.</p></li></ol><h3><strong>When You Pay</strong></h3><ol><li><p><strong>Pay with a credit card.</strong> Credit cards offer fraud protection and chargeback rights. Debit cards pull directly from your bank account and are harder to dispute. Wire transfers, Zelle, Venmo, Cash App, crypto, and gift cards are irreversible. If a seller will only accept one of those, walk away.</p></li><li><p><strong>Be suspicious of &#8220;deals.&#8221;</strong> Sold-out events do not have discount tickets floating around the internet. If the price is significantly below face value, the tickets do not exist. If the price is significantly above face value and the seller is not on an authorized resale platform, you have no guarantee of authenticity.</p></li></ol><h3><strong>After You Buy</strong></h3><ol><li><p><strong>Lock down your ticketing accounts.</strong> Enable multi-factor authentication on Ticketmaster, AXS, StubHub, and any event-specific account (FIFA, etc.). Use a unique password for each. Account takeovers are how people lose tickets they already paid for.</p></li><li><p><strong>Do not click login links from emails or texts.</strong> Go directly to the platform and log in from there. Phishing emails impersonating ticketing companies are common around major events.</p></li><li><p><strong>Be wary of &#8220;ticket transfer&#8221; messages.</strong> If you receive an unexpected notification that your tickets have been transferred, log into your account immediately (directly, not through the notification link) and check.</p></li></ol><h2><strong>The Bottom Line</strong></h2><p>One in three Americans has been scammed buying tickets. The average loss is $303. <strong>The World Cup is producing the largest ticket fraud operation ever documented online, with thousands of fake websites and organized criminal groups targeting fans worldwide.</strong> But the techniques are the same ones used against concert-goers, football fans, and festival attendees every week of the year. Learn to spot it now and you are protected for everything that comes after.</p><p>The defense is the same whether you are buying World Cup tickets or floor seats to see your favorite artist:</p><ol><li><p><strong>Go to the source.</strong> Type the URL yourself. Never click an ad or a link.</p></li><li><p><strong>Pay with a credit card.</strong> Never Zelle, Venmo, crypto, or gift cards.</p></li><li><p><strong>If it is sold out everywhere except one random website offering a deal, that website is the scam.</strong></p></li></ol><p>Share this with anyone who buys tickets online. That is most of us.</p><div><hr></div><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-getting-scammed-before?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-getting-scammed-before?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-getting-scammed-before?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><div><hr></div><p>If you or someone you know has been victimized:</p><ul><li><p><strong>FBI IC3:</strong> <a href="https://ic3.gov/">ic3.gov</a></p></li><li><p><strong>FTC:</strong> <a href="https://reportfraud.ftc.gov/">ReportFraud.ftc.gov</a> or 877-382-4357</p></li><li><p><strong>Your credit card company:</strong> Dispute the charge immediately</p></li><li><p><strong>BBB Scam Tracker:</strong> <a href="https://www.bbb.org/scamtracker">bbb.org/scamtracker</a></p></li></ul><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.ic3.gov/PSA/2026/PSA260527">FBI IC3: Threat Actors Spoofing FIFA Websites</a> (May 27, 2026)</p></li><li><p><a href="https://www.aarp.org/money/scams-fraud/avoid-fake-sports-concert-tickets/">AARP: How to Avoid Sports and Concert Ticket Scams</a></p></li><li><p><a href="https://surfshark.com/research/chart/concert-ticket-fraud">Surfshark: Concert Ticket Fraud Research</a> (127% increase, BBB data)</p></li><li><p><a href="https://www.malwarebytes.com/blog/scams/2026/01/dutch-police-sell-fake-tickets-to-show-how-easily-scams-work">Malwarebytes: Dutch Police Fake Ticket Experiment</a></p></li><li><p><a href="https://therecord.media/chinese-speaking-fraud-gang-fifa-world-cup-scam">The Record: Ghost Stadium / Group-IB</a></p></li><li><p><a href="https://www.ftc.gov/news-events/news/press-releases/2026/04/stubhub-refunding-10-million-fees-consumers-after-deceptive-ticket-pricing">FTC: StubHub $10M Settlement</a> (April 2026)</p></li><li><p><a href="https://cyberfraudhub.org/resource-database/ticket-scams">CyberandFraudHub: Avoiding Ticket Scams</a></p></li><li><p><a href="https://www.bleepingcomputer.com/news/security/fbi-warns-of-fake-fifa-websites-running-world-cup-fraud-schemes/">BleepingComputer: FBI Warns of Fake FIFA Websites</a></p></li></ul><div><hr></div><p><em>Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out <a href="https://edge.intruvent.com/">Intruvent Edge</a>.</em></p><h3></h3>]]></content:encoded></item><item><title><![CDATA[Intruvent Edge: Your Defender Dashboard Says Green. It Might Be Lying]]></title><description><![CDATA[The Nightmare-Eclipse campaign has produced more real-world damage than most APT operations this quarter. The exploits, the IOCs, and what your team should do before June 10.]]></description><link>https://edge.intruvent.com/p/intruvent-edge-your-defender-dashboard</link><guid isPermaLink="false">https://edge.intruvent.com/p/intruvent-edge-your-defender-dashboard</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Thu, 28 May 2026 18:08:27 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!qAC8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!qAC8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!qAC8!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!qAC8!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!qAC8!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!qAC8!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!qAC8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1360537,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/199633651?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!qAC8!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!qAC8!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!qAC8!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!qAC8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F37848753-9f51-4a5b-89fb-92d263141f88_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Welcome to Intruvent Edge, our bi-weekly technical deep dive into a current cyber threat. If you found us through Prevent This, our weekly community newsletter covering cybersecurity for everyone, you&#8217;re in the right place. Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><h2><strong>The Short Version</strong></h2><p><strong>Since early April, a single anonymous security researcher has released six Windows zero-day exploits targeting Microsoft Defender, BitLocker, and core Windows internals.</strong> Three have been exploited in the wild by threat actors linked to Russian infrastructure. Three have been added to CISA&#8217;s Known Exploited Vulnerabilities catalog. As of this writing, <strong>only three of the six have patches</strong>. The researcher has promised more for June and July.</p><p><strong>The researcher, operating under the alias Nightmare-Eclipse, claims to be a former Microsoft employee who was personally and professionally destroyed by the company.</strong> Whether that justifies dropping weaponizable exploit code on the open internet is a question the security community is actively debating. What is not debatable: the exploits work, attackers are using them, and your Defender-protected endpoints may be less protected than your dashboard suggests.</p><p>This article covers the technical details of each exploit, the observed attack chain, indicators of compromise you can hunt for today, and what is likely coming next.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!lgq3!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!lgq3!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!lgq3!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!lgq3!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!lgq3!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!lgq3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1586081,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/199633651?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!lgq3!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!lgq3!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!lgq3!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!lgq3!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4ca0de9d-0c29-4033-a728-988bf6d78bc9_1024x1024.png 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2><strong>The Backstory</strong></h2><p>On March 27, 2026, an anonymous account appeared on GitHub. Within days, a blog post followed: &#8220;I never wanted to reopen a blog and a new GitHub account to drop code. But someone violated our agreement and left me homeless with nothing.&#8221;</p><p><strong>The author, using the aliases Nightmare-Eclipse, Chaotic Eclipse, and Dead Eclipse, claimed a prior professional relationship with Microsoft that ended in what they describe as deliberate personal destruction</strong>. &#8220;I was told personally by them that they will ruin my life and they did.&#8221; They alleged that Microsoft revoked their MSRC (Microsoft Security Response Center) reporting account, ignored requests for explanation, and &#8220;mopped the floor with me and pulled every childish game they could.&#8221;</p><p>Whether the grievance is legitimate is unknown. <strong>What is clear from the exploit code is that this person has deep, insider-level knowledge of Windows Defender internals, the Cloud Files API, NTFS transactional mechanisms, and MSRC processes.</strong> Multiple security outlets describe them as a &#8220;rumored former Microsoft employee.&#8221; The technical quality of the work is consistent with that assessment.</p><p>What followed was a methodical, escalating campaign: six zero-day exploits released over six weeks, each timed for maximum impact, each targeting a different Windows security surface.</p><h2><strong>The Six Exploits</strong></h2><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OP6i!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OP6i!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 424w, https://substackcdn.com/image/fetch/$s_!OP6i!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 848w, https://substackcdn.com/image/fetch/$s_!OP6i!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 1272w, https://substackcdn.com/image/fetch/$s_!OP6i!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OP6i!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png" width="1024" height="555" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:555,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:487597,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/199633651?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff77827ae-d642-459e-9f2c-ce66bf6065aa_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OP6i!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 424w, https://substackcdn.com/image/fetch/$s_!OP6i!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 848w, https://substackcdn.com/image/fetch/$s_!OP6i!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 1272w, https://substackcdn.com/image/fetch/$s_!OP6i!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F04cd6558-57f1-44cd-be75-cd719b02007d_1024x555.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>1. BlueHammer (CVE-2026-33825) &#8212; April 2</strong></h3><p><strong>Type:</strong> Local Privilege Escalation | <strong>CVSS:</strong> 7.8 | <strong>Status:</strong> Patched (April 14)</p><p>BlueHammer exploits a time-of-check to time-of-use (TOCTOU) race condition in Defender&#8217;s threat remediation engine. When Defender detects a malicious file, it performs a cleanup operation with SYSTEM-level privileges. BlueHammer interrupts that operation at a precise moment using an opportunistic lock (oplock), swaps the target path to a junction pointing at <code>C:\Windows\System32</code>, and lets Defender complete the write into the protected directory.</p><p>The extended chain goes further: it triggers a signature update that tricks Defender into copying the Security Account Manager (SAM) database, extracts NT password hashes, temporarily changes user passwords, and uses the new credentials to escalate to SYSTEM.</p><p>The proof-of-concept binary was distributed as <code>FunnyApp.exe</code>. The filename is trivial to change. Detection must focus on the behavior: Defender writing PE files into System32, NTFS junction creation in user directories targeting protected paths, and non-LSASS processes loading <code>samlib.dll</code>.</p><p><strong>MITRE ATT&amp;CK:</strong> T1068 (Exploitation for Privilege Escalation), T1574 (Hijack Execution Flow)</p><h3><strong>2. UnDefend (CVE-2026-45498) &#8212; April 12</strong></h3><p><strong>Type:</strong> Defense Evasion | <strong>CVSS:</strong> 4.0 | <strong>Status:</strong> Patched (May 19-20)</p><p>UnDefend targets Defender&#8217;s update mechanism rather than escalating privileges directly. It operates in two modes:</p><p><strong>Passive mode</strong> silently blocks all signature updates. Defender keeps running, but its threat intelligence freezes at whatever signatures were current when the exploit ran. New malware walks right past. The telltale indicator: Windows Update Error Code <strong>80070643</strong>appears during signature update attempts.</p><p><strong>Aggressive mode</strong> waits for Microsoft to push a major platform update, then kills Defender entirely. The trigger is Microsoft&#8217;s own update mechanism.</p><p>The critical deception in both modes: Defender still reports itself as healthy to the management console. Dashboards show green. Compliance tools show protected. Everything looks fine while the endpoint is blind.</p><p><strong>MITRE ATT&amp;CK:</strong> T1562.001 (Impair Defenses: Disable or Modify Tools)</p><h3><strong>3. RedSun (CVE-2026-41091) &#8212; April 15-16</strong></h3><p><strong>Type:</strong> Local Privilege Escalation | <strong>CVSS:</strong> Not scored at disclosure | <strong>Status:</strong> Patched (May 19-20)</p><p>RedSun is the most technically sophisticated of the six. It abuses Defender&#8217;s handling of cloud-tagged files via the Windows Cloud Files API.</p><p>The exploit registers a sync root using the provider name <strong>&#8220;SERIOUSLYMSFT&#8221;</strong> (a direct-match IOC reflecting the researcher&#8217;s frustration), drops a decoy executable named <code>TieringEngineService.exe</code> with a reversed EICAR string, converts it to a cloud placeholder, then uses an oplock race condition to redirect Defender&#8217;s rollback operation into <code>C:\Windows\System32</code>. Defender, running as SYSTEM, overwrites the legitimate <code>TieringEngineService.exe</code> with attacker-controlled content.</p><p>The final step activates the Storage Tiers Management Engine via DCOM, which executes the now-replaced binary. The payload detects the SYSTEM context, reads the target session ID from a named pipe (<code>\\.\pipe\REDSUN</code>), and spawns an interactive SYSTEM shell in the user&#8217;s active session.</p><p>Reliability: approximately 100% on fully patched April 2026 systems. No kernel exploit, no driver, no administrator interaction required. Reverse engineering of <code>MpSvc.dll</code>confirmed that no reparse point validation exists anywhere in the write-back chain.</p><p><strong>MITRE ATT&amp;CK:</strong> T1068 (Exploitation for Privilege Escalation), T1574 (Hijack Execution Flow)</p><h3><strong>4. YellowKey (CVE-2026-45585) &#8212; May 12</strong></h3><p><strong>Type:</strong> BitLocker Security Feature Bypass | <strong>CVSS:</strong> 6.8 | <strong>Status:</strong> Mitigation only (no full patch)</p><p>Released one day after May Patch Tuesday, YellowKey exploits NTFS Transactional replay in the Windows Recovery Environment to bypass BitLocker full-disk encryption on machines using TPM-only configuration.</p><p>Specially crafted files in an <code>FsTx</code> directory structure on a USB drive instruct the system to replay NTFS transaction logs during boot. The crafted transactions delete <code>winpeshl.ini</code>from the recovery environment. When WinRE launches, a command prompt appears instead of the normal recovery tools. Because TPM-only mode auto-decrypts on boot without user input, the attacker has unrestricted access to the BitLocker-protected volume.</p><p>The researcher described YellowKey as &#8220;one of the most insane discoveries I ever found&#8221; and claimed TPM+PIN configurations are also vulnerable, but declined to release that proof-of-concept. The current public exploit requires physical access to the original device (stolen drives alone cannot be unlocked because the TPM is bound to the motherboard).</p><p>Microsoft issued mitigation guidance on May 20 but has not released a full patch.</p><h3><strong>5. GreenPlasma (No CVE) &#8212; May 13</strong></h3><p><strong>Type:</strong> Local Privilege Escalation (partial) | <strong>Status:</strong> Unpatched</p><p>Also released the day after May Patch Tuesday. GreenPlasma targets <code>ctfmon.exe</code>, the text input service that runs as SYSTEM in every interactive Windows session. An unprivileged user can create arbitrary memory-section objects within SYSTEM-writable directories by manipulating registry permissions.</p><p>The researcher deliberately released an incomplete version, calling it a &#8220;capture the flag challenge.&#8221; In its current state, it triggers a UAC consent prompt rather than delivering a silent SYSTEM shell. A motivated attacker could complete the final step independently.</p><h3><strong>6. MiniPlasma (No CVE) &#8212; Late May</strong></h3><p><strong>Type:</strong> Local Privilege Escalation | <strong>Status:</strong> Unpatched (fix appears in Insider Canary only)</p><p>MiniPlasma is perhaps the most embarrassing for Microsoft. It targets <code>cldflt.sys</code>, the Windows Cloud Files Mini Filter Driver. The specific flaw, in the <code>HsmOsBlockPlaceholderAccess</code> routine, was originally discovered by Google Project Zero researcher James Forshaw in September 2020. Microsoft assigned it CVE-2020-17103 and reportedly patched it in December 2020.</p><p>Nightmare-Eclipse&#8217;s claim: &#8220;The exact same issue that was reported to Microsoft by Google Project Zero is actually still present, unpatched. I&#8217;m unsure if Microsoft just never patched the issue or the patch was silently rolled back at some point.&#8221;</p><p>BleepingComputer and security researcher Will Dormann independently confirmed that the original 2020 proof-of-concept works on fully patched May 2026 Windows 11. A standard user account gains a SYSTEM-level command prompt. The exploit does not work on Insider Preview Canary builds, suggesting a fix is in development but has not reached production.</p><p>The Cloud Files Mini Filter Driver is present by default on most Windows 11 installations because of OneDrive integration. The attack surface is broadly deployed.</p><h2><strong>The Chain: How They Work Together</strong></h2><p></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fPKc!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fPKc!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!fPKc!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!fPKc!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!fPKc!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fPKc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:990360,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/199633651?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fPKc!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!fPKc!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!fPKc!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!fPKc!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7e1d2a40-176d-49c5-8290-10ca56bc857f_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Individually, each exploit is a serious vulnerability. Combined, they form a complete offensive toolkit:</p><ol><li><p><strong>Blind the guard:</strong> UnDefend freezes Defender&#8217;s signatures or kills it entirely while reporting healthy status to the management console.</p></li><li><p><strong>Escalate to SYSTEM:</strong> BlueHammer, RedSun, or MiniPlasma, three independent paths to SYSTEM-level access through three different Windows subsystems. If one is patched, the attacker has two alternatives.</p></li><li><p><strong>Access encrypted devices:</strong> YellowKey bypasses BitLocker on physically accessible machines.</p></li><li><p><strong>Future persistence:</strong> GreenPlasma provides a fourth SYSTEM path through a different subsystem once the researcher (or someone else) completes the final step.</p></li></ol><p>The sequencing matters. The Huntress-observed attack chain was: enter via stolen VPN credentials, deploy UnDefend to blind Defender, escalate via BlueHammer or RedSun, dump credentials, move laterally, deploy ransomware. First blind the guard dog, then walk through the front door with admin keys.</p><h2><strong>In the Wild: The Huntress Intrusion</strong></h2><p>Huntress Labs published the definitive incident report on April 20, documenting the first confirmed real-world intrusion using Nightmare-Eclipse tooling.</p><p><strong>April 10:</strong> <code>FunnyApp.exe</code> (BlueHammer) staged in <code>C:\Users\[REDACTED]\Pictures\</code>and quarantined by Defender as <code>Exploit:Win32/DfndrPEBluHmr.BZ</code>.</p><p><strong>April 15, 13:44 UTC:</strong> Unauthorized SSL VPN connection from <code>78.29.48[.]29</code>(Russia) to the victim&#8217;s FortiGate firewall using stolen credentials.</p><p><strong>April 16:</strong> RedSun attempted. UnDefend deployed (notably with the misspelled flag <code>-agressive</code>, suggesting the operator was not the author of the tooling). Post-exploitation commands: <code>whoami /priv</code>, <code>cmdkey /list</code>, <code>net group</code>. Then: <code>agent.exe -server staybud.dpdns[.]org:443 -hide</code>, deploying BeigeBurrow, a Go-based tunneling agent using HashiCorp&#8217;s Yamux library for persistent TCP relay.</p><p>An instructive detail: despite executing multiple tools, three of four failed. Defender quarantined BlueHammer. RedSun never produced a result. UnDefend was operated incorrectly. Only BeigeBurrow successfully connected outbound. The attackers had access to sophisticated weaponry and fumbled the execution. That will not always be the case.</p><h2><strong>Indicators of Compromise</strong></h2><h3><strong>File Indicators</strong></h3><ul><li><p><code>FunnyApp.exe</code> (BlueHammer PoC, staged in <code>\Pictures\</code>)</p></li><li><p><code>RedSun.exe</code> (staged in <code>\Downloads\</code>)</p></li><li><p><code>undef.exe</code> / <code>UnDefend.exe</code> (staged in <code>\Downloads\ks\</code> or <code>\Downloads\kk\</code>)</p></li><li><p><code>z.exe</code> (renamed exploit binary)</p></li><li><p><code>agent.exe</code> (BeigeBurrow tunneling agent)</p></li><li><p>Modified <code>TieringEngineService.exe</code> in <code>C:\Windows\System32\</code></p></li></ul><p><strong>BeigeBurrow SHA-256: </strong><code>a2b6c7a9c4490df70de3cdbfa5fc801a3e1cf6a872749259487e354de2876b7c</code></p><p><strong>Defender detection name:</strong> <code>Exploit:Win32/DfndrPEBluHmr.BZ</code></p><h3><strong>Network Indicators</strong></h3><ul><li><p><code>staybud.dpdns[.]org</code> (BeigeBurrow C2, port 443)</p></li><li><p><code>78.29.48[.]29</code> (Russia, initial VPN access)</p></li><li><p><code>212.232.23[.]69</code> (Singapore, follow-on)</p></li><li><p><code>179.43.140[.]214</code> (Switzerland, follow-on)</p></li></ul><h3><strong>Behavioral Indicators</strong></h3><ul><li><p>Cloud sync provider registration using the string <strong>&#8220;SERIOUSLYMSFT&#8221;</strong> (exact-match RedSun indicator)</p></li><li><p>Named pipe creation: <code>\\.\pipe\REDSUN</code></p></li><li><p>Modifications to <code>C:\Windows\System32\TieringEngineService.exe</code></p></li><li><p>Repeated Windows Update <strong>Error Code 80070643</strong> during Defender signature updates (UnDefend passive mode)</p></li><li><p>Defender signature timestamp stale beyond 72 hours despite dashboard showing healthy status</p></li><li><p><code>MsMpEng.exe</code> writing PE/DLL/driver files to paths outside <code>ProgramData\Microsoft\Windows Defender</code></p></li><li><p>NTFS junction creation in user directories targeting <code>C:\Windows\System32</code></p></li><li><p><code>whoami /priv</code>, <code>cmdkey /list</code>, <code>net group</code> spawned from unexpected parent processes</p></li><li><p><code>agent.exe</code> with <code>-server</code> and <code>-hide</code> flags</p></li><li><p>VPN authentication from the same account across multiple countries within short timeframes</p></li></ul><h2><strong>Detection and Hunting Guidance</strong></h2><h3><strong>Priority Action: Verify Defender Is Actually Working</strong></h3><p>Do not trust the dashboard. UnDefend&#8217;s entire purpose is to make Defender appear healthy while it is blind. Query the actual signature timestamp directly across your fleet:</p><pre><code><code>Get-MpComputerStatus | Select-Object AntivirusSignatureLastUpdated</code></code></pre><p>Alert on any host where signatures are older than 72 hours. If multiple endpoints report Error Code 80070643 simultaneously, investigate immediately. Clustered signature update failures are the highest-fidelity indicator currently available for UnDefend in passive mode.</p><h3><strong>Verify Patch Level</strong></h3><p>Confirm Defender Antimalware Platform version <strong>4.18.26040.7</strong> or later is deployed across all endpoints. This version patches BlueHammer, RedSun, and UnDefend. Confirm engine version <strong>1.1.26040.8</strong> or later for the related heap-based buffer overflow (CVE-2026-45584).</p><h3><strong>Sigma Rules</strong></h3><p>The <strong>BlueHammerFix</strong> repository (github.com/technoherder/BlueHammerFix) provides 7 Sigma rules and 4 YARA rules covering the full attack chain. Key rules to deploy:</p><ul><li><p><code>bluehammer_samlib_load.yml</code> &#8212; Non-LSASS process loading <code>samlib.dll</code></p></li><li><p><code>bluehammer_rapid_password_change.yml</code> &#8212; Password change-logon-restore cycle</p></li><li><p><code>bluehammer_junction_basenamed.yml</code> &#8212; Junction to <code>BaseNamedObjects</code></p></li><li><p><code>bluehammer_cloudfiles_abuse.yml</code> &#8212; Cloud Files API invocation by non-provider process</p></li><li><p><code>bluehammer_lsa_bootkey_access.yml</code> &#8212; LSA boot key registry access</p></li></ul><h3><strong>KQL Detection Packs</strong></h3><p>Two community-maintained detection packs for Microsoft Defender XDR and Sentinel are available on GitHub:</p><ul><li><p><strong>Letlaka/redsun-bluehammer-undefend-detection-pack:</strong> Full attack chain queries for all three patched exploits, plus cross-family hunting for BeigeBurrow follow-on activity. Uses <code>DeviceFileEvents</code>, <code>DeviceProcessEvents</code>, and <code>DeviceRegistryEvents</code> tables.</p></li><li><p><strong>3ch0p01nt/RedSun_Undefend:</strong> Hunt queries and defensive recommendations specifically for RedSun and UnDefend.</p></li></ul><h3><strong>Sysmon Event IDs to Monitor</strong></h3><ul><li><p><strong>Event ID 1 (ProcessCreate):</strong> <code>whoami /priv</code>, <code>cmdkey /list</code>, <code>net group</code> from unexpected parents; <code>agent.exe</code> with <code>-server</code>/<code>-hide</code> flags</p></li><li><p><strong>Event ID 11 (FileCreate):</strong> Suspicious filenames in <code>\Pictures\</code> or <code>\Downloads\</code>; modifications to <code>TieringEngineService.exe</code>; Defender writing binaries to non-standard paths</p></li><li><p><strong>Event ID 12/13/14 (Registry):</strong> Registry modifications in DEFAULT hive (MiniPlasma); LSA boot key access (BlueHammer)</p></li><li><p><strong>Defender Operational Log 1116-1117:</strong> Detection and remediation events (correlate with TOCTOU timing)</p></li></ul><h3><strong>YARA and Network Rules</strong></h3><ul><li><p>BeigeBurrow YARA rule: <code>github.com/RussianPanda95/Yara-Rules/blob/main/BeigeBurrow/win_mal_BeigeBurrow.yar</code></p></li><li><p>BlueHammerFix YARA rules: 4 rules available in the technoherder repository</p></li><li><p>Suricata rule SID 2026041701: detects potential RedSun/BlueHammer/UnDefend downloads</p></li></ul><h2><strong>What Should Organizations Do</strong></h2><h3><strong>Immediate Actions</strong></h3><ol><li><p><strong>Verify Defender platform version 4.18.26040.7 or later</strong> on every endpoint. This patches BlueHammer, RedSun, and UnDefend.</p></li><li><p><strong>Query signature freshness directly</strong> using <code>Get-MpComputerStatus</code>. Do not rely on dashboard indicators.</p></li><li><p><strong>Baseline the SHA-256 hash of </strong><code>TieringEngineService.exe</code> on all endpoints. Any modification triggers an immediate investigation.</p></li><li><p><strong>Deploy the Sigma and KQL detection rules</strong> listed above.</p></li><li><p><strong>Apply YellowKey mitigations:</strong> Enforce TPM+PIN for BitLocker (the published exploit only works against TPM-only configurations). Review Microsoft&#8217;s May 20 mitigation guidance for the WinRE registry workaround.</p></li></ol><h3><strong>Ongoing Posture</strong></h3><ol><li><p><strong>Monitor for MiniPlasma:</strong> No patch exists for production Windows. The <code>cldflt.sys</code> driver is present on most Windows 11 installations via OneDrive. Watch for the fix in the June 10 Patch Tuesday.</p></li><li><p><strong>Audit SSL VPN credentials:</strong> The observed intrusion entered through stolen FortiGate VPN credentials. Enforce MFA on all remote access, review for impossible-travel patterns, and rotate credentials for any accounts with unexplained activity.</p></li><li><p><strong>Prepare for June and July:</strong> Nightmare-Eclipse has promised a &#8220;big surprise&#8221; for the June 10 Patch Tuesday and has threatened a major disclosure on July 14. The researcher has followed through on every prior threat. Plan for accelerated patch cycles around those dates.</p></li><li><p><strong>Do not depend solely on Defender:</strong> Three of the six exploits specifically target Defender&#8217;s internal mechanisms. Organizations relying exclusively on Defender for endpoint protection should consider layered defenses: a secondary EDR agent, application whitelisting, or network-level detection.</p></li></ol><h2><strong>The Responsible Disclosure Debate</strong></h2><p><strong>Microsoft&#8217;s MSRC published a blog post calling out the anonymous researcher for bypassing coordinated disclosure: &#8220;The details of these vulnerabilities were not shared with Microsoft prior to release, and the disclosures put our customers at unnecessary risk.&#8221;</strong> Microsoft has described uncoordinated disclosure as &#8220;never justifiable&#8221; and used legal language broad enough to cover &#8220;both actual attackers and researchers who enable them with proof of concepts.&#8221;</p><p>The security community&#8217;s reaction was skeptical. Researchers at SpecterOps and TrustedSec shared their own frustrating experiences with MSRC. Jason Lang, Team Lead of Targeted Operations at TrustedSec, wrote: &#8220;I&#8217;ve heard nothing but horror stories about those submitting to MSRC, so it&#8217;s no surprise that this would be the fallout.&#8221;</p><p>Barracuda Networks took the opposite position, explicitly classifying Nightmare-Eclipse as a &#8220;malicious actor, not a whistleblower, not a responsible disclosure advocate, and not a neutral researcher.&#8221;</p><p>The researcher claims they reported through proper channels first and were rebuffed. At the same time, the Huntress intrusion confirms that real organizations were compromised by real attackers using this exploit code within days of its release. <strong>The grievance may be legitimate. The collateral damage is also real.</strong></p><p>GitHub (owned by Microsoft) banned the researcher&#8217;s account around May 23. GitLab suspended the account days later. Unfortunately, clones spread within hours. The bans may have generated more sympathy for the researcher than the original disclosures did.</p><h2><strong>What Comes Next</strong></h2><p>Nightmare-Eclipse has followed through on every prior threat. The escalation pattern is deliberate: privilege escalation, then defense evasion, then BitLocker bypass, then hints at remote code execution. Each release was timed to maximize embarrassment, landing on or immediately after Patch Tuesday.</p><p>Three things to watch:</p><ul><li><p><strong>June 10 (Patch Tuesday):</strong> The researcher has promised a &#8220;big surprise.&#8221; They have also claimed they will &#8220;drag other companies into this,&#8221; suggesting exploits targeting vendors beyond Microsoft.</p></li><li><p><strong>July 14:</strong> Nightmare-Eclipse has publicly announced a major disclosure on this date. The researcher previously hinted at releasing remote code execution vulnerabilities, which would be a qualitative escalation from the local privilege escalation and defense evasion exploits released so far.</p></li><li><p><strong>The &#8220;dead man&#8217;s switch&#8221;:</strong> The researcher claims to have deployed an automated system that will release additional exploits if certain conditions are met. Security experts note: &#8220;They claim to have a dead man&#8217;s switch with more ready to go. This researcher has followed through on every prior threat.&#8221;</p></li></ul><p>We will continue tracking this story. If the June or July disclosures materialize, expect a follow-up edition.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-your-defender-dashboard?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-your-defender-dashboard?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/intruvent-edge-your-defender-dashboard?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><div><hr></div><h2><strong>Patch Status Summary</strong></h2><ul><li><p><strong>BlueHammer (CVE-2026-33825):</strong> Patched, April 14. Defender Platform 4.18.26030.3011.</p></li><li><p><strong>UnDefend (CVE-2026-45498):</strong> Patched, May 19-20. Defender Platform 4.18.26040.7.</p></li><li><p><strong>RedSun (CVE-2026-41091):</strong> Patched, May 19-20. Defender Platform 4.18.26040.7.</p></li><li><p><strong>YellowKey (CVE-2026-45585):</strong> Mitigation guidance only. No full patch.</p></li><li><p><strong>GreenPlasma:</strong> Unpatched. No CVE assigned.</p></li><li><p><strong>MiniPlasma:</strong> Unpatched. Fix appears in Insider Canary builds only. Relates to CVE-2020-17103.</p></li></ul><p><strong>Next Patch Tuesday:</strong> June 10, 2026.</p><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://blog.barracuda.com/2026/05/19/nightmare-eclipse-zero-days-grudge">Barracuda Networks: Six Zero-Days, Six Weeks and One Big Grudge</a> (May 19, 2026)</p></li><li><p><a href="https://www.huntress.com/blog/nightmare-eclipse-intrusion">Huntress Labs: Nightmare-Eclipse Tooling in Real-World Intrusion</a> (April 20, 2026)</p></li><li><p><a href="https://www.vectra.ai/blog/when-the-defender-becomes-the-door-bluehammer-redsun-and-undefend-in-the-wild">Vectra AI: When the Defender Becomes the Door</a></p></li><li><p><a href="https://www.picussecurity.com/resource/blog/bluehammer-redsun-windows-defender-cve-2026-33825-zero-day-vulnerability-explained">Picus Security: BlueHammer &amp; RedSun Explained</a></p></li><li><p><a href="https://www.cyderes.com/howler-cell/windows-zero-day-bluehammer">Cyderes: Inside the Windows Zero-Day (BlueHammer)</a></p></li><li><p><a href="https://www.cyderes.com/howler-cell/redsun-zero-day">Cyderes: RedSun Zero-Day</a></p></li><li><p><a href="https://socradar.io/blog/bluehammer-redsun-undefend-windows-defender-0days/">SOCRadar: BlueHammer, RedSun, and UnDefend</a></p></li><li><p><a href="https://www.bleepingcomputer.com/news/security/disgruntled-researcher-leaks-bluehammer-windows-zero-day-exploit/">BleepingComputer: Disgruntled Researcher Leaks BlueHammer</a></p></li><li><p><a href="https://www.bleepingcomputer.com/news/microsoft/new-windows-miniplasma-zero-day-exploit-gives-system-access-poc-released/">BleepingComputer: MiniPlasma Zero-Day Gives SYSTEM Access</a></p></li><li><p><a href="https://www.bleepingcomputer.com/news/security/windows-bitlocker-zero-day-gives-access-to-protected-drives-poc-released/">BleepingComputer: YellowKey BitLocker Bypass</a></p></li><li><p><a href="https://thehackernews.com/2026/05/microsoft-slams-public-zero-day.html">The Hacker News: Microsoft Slams Public Zero-Day Disclosures</a></p></li><li><p><a href="https://thehackernews.com/2026/05/miniplasma-windows-0-day-enables-system.html">The Hacker News: MiniPlasma Windows 0-Day</a></p></li><li><p><a href="https://www.theregister.com/security/2026/05/13/disgruntled-researcher-releases-two-more-microsoft-zero-days/5239758">The Register: Disgruntled Researcher Releases Two More Zero-Days</a></p></li><li><p><a href="https://cybernews.com/security/github-bans-researcher-releasing-windows-zero-days/">CyberNews: GitHub Bans Researcher</a></p></li><li><p><a href="https://www.cisa.gov/news-events/alerts/2026/04/22/cisa-adds-one-known-exploited-vulnerability-catalog">CISA KEV: CVE-2026-33825</a> (April 22, 2026)</p></li><li><p><a href="https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog">CISA KEV: CVE-2026-41091 and CVE-2026-45498</a> (May 20, 2026)</p></li><li><p>Intruvent Technologies, Golden CTI Database (Codex), queried May 28, 2026</p></li></ul><div><hr></div><p><em>Intruvent Edge is a bi-weekly threat intelligence newsletter from Intruvent Technologies. For custom, localized cyber threat intelligence, visit <a href="https://intruvent.com/brace">intruvent.com/brace</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Attackers Stealing Your Phone Number]]></title><description><![CDATA[SIM swapping drained $25.9 million last year. Your carrier can block it for free. Here's how.]]></description><link>https://edge.intruvent.com/p/prevent-this-attackers-stealing-your</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-attackers-stealing-your</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 26 May 2026 17:30:59 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!zbu6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!zbu6!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!zbu6!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!zbu6!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!zbu6!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!zbu6!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!zbu6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1554941,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/199348493?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!zbu6!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!zbu6!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!zbu6!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!zbu6!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa31ee5cf-88b4-4256-abcc-0bafde440c32_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone. If you found us through Intruvent Edge, our bi-weekly technical deep dive, welcome. Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here.</p><p><strong>One phone call to your carrier. Fifteen minutes. That is all it takes for someone to reroute your entire digital life to a device you have never seen.</strong></p><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><p>Justin Chan woke up to a dead phone.</p><p><strong>No signal. No texts. No calls. It was the middle of the night, and his Xfinity Mobile number had been transferred to a device he did not own.</strong> Over the next three hours, while he slept, someone used his phone number to intercept two-factor authentication codes, reset his banking passwords, and initiate three wire transfers. <strong>By morning, $38,000 was gone</strong>. The joint account he shared with his sister, the one they used to pay for their elderly mother&#8217;s care, was empty.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!p7Fp!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!p7Fp!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!p7Fp!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!p7Fp!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!p7Fp!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!p7Fp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:460888,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/199348493?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!p7Fp!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!p7Fp!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!p7Fp!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!p7Fp!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff12a8e48-c586-4311-ac10-5cb9ef6f2edb_1376x768.jpeg 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Bank of America closed its fraud investigation and told him the transactions were authorized. It took months of fighting, and a local news investigation, before the bank reopened the case.</p><p>In Florida, Patricia Escriva watched thousands disappear within minutes of losing control of her number. In Miami, Wei Shen&#8217;s T-Mobile number was quietly transferred while she went about her day. By the time she noticed her phone had gone silent, three wire transfers totaling <strong>$68,625</strong> had cleared. Citibank denied her fraud claim, telling her she failed to &#8220;take adequate steps to safeguard her accounts.&#8221;</p><p>The attack that hit all three of them has a name: <strong>SIM swapping</strong>. And the fix takes about 15 minutes.</p><h2><strong>How It Works</strong></h2><p>The attacker calls your mobile carrier and claims to be you. They say their phone was lost or damaged and ask for the number to be moved to a new SIM. To pass the identity check, they provide personal details gathered from data breaches, social media, and data broker sites: your name, address, date of birth, the last four digits of your Social Security number. If the answers match, the swap goes through. In some cases, attackers bribe carrier store employees directly, paying as little as <strong>$300 per swap</strong> to skip the verification entirely.</p><p>Once your number is on their device, every SMS verification code meant for you goes to them. They reset your email password first. Then banking. Then crypto. Then everything else. <strong>The average swap completes in under 15 minutes, and most of the damage happens within the first hour.</strong></p><p>A cybercrime group called <strong>Scattered Spider</strong> industrialized SIM swapping to steal at least <strong>$8 million</strong> in cryptocurrency. Their second member, Tyler Robert Buchanan, pled guilty in April 2026 and faces up to 22 years in prison. Another member is already serving a 10-year sentence. The group&#8217;s broader victim list includes MGM Resorts, Caesars Entertainment, Twilio, LastPass, and Transport for London. In a separate case, T-Mobile was ordered to pay <strong>$33 million</strong> after a single SIM swap drained a customer&#8217;s crypto wallet.</p><h2><strong>Why Should You Care?</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OFCM!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OFCM!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 424w, https://substackcdn.com/image/fetch/$s_!OFCM!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 848w, https://substackcdn.com/image/fetch/$s_!OFCM!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 1272w, https://substackcdn.com/image/fetch/$s_!OFCM!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OFCM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png" width="1017" height="365" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:365,&quot;width&quot;:1017,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:248184,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/199348493?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F01146c6a-b544-49c6-a322-ab730fbe2d02_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OFCM!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 424w, https://substackcdn.com/image/fetch/$s_!OFCM!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 848w, https://substackcdn.com/image/fetch/$s_!OFCM!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 1272w, https://substackcdn.com/image/fetch/$s_!OFCM!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa83a84cd-81de-40de-a263-7662dd0924e4_1017x365.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The FBI logged <strong>982 SIM swap complaints</strong> and <strong>$25.9 million in losses</strong> in 2024. Those numbers only reflect what victims voluntarily reported. The real volume is higher. Globally, the UK saw a <strong>1,055% year-over-year increase</strong> in SIM swap cases, and Australia reported a <strong>240% surge</strong>, with 90% of attacks occurring without any interaction from the victim.</p><p>The people most at risk may not be who you expect. <strong>29% of all account takeover victims are now 61 or older</strong>, a 90% year-over-year increase for that age group. If you have parents or grandparents who use their phone for banking, this applies directly to them.</p><p>The good news: every major U.S. carrier now offers free tools to block this attack. The bad news: <strong>none of them are turned on by default.</strong></p><h2><strong>What Can You Do?</strong></h2><h3><strong>Step 1: Lock Your Number (Do This Today)</strong></h3><p><strong>Note: If you do switch carriers or upgrade your device, you will need to temporarily disable these protections first. Turn them back on as soon as the change is complete.</strong></p><ul><li><p><strong>Verizon:</strong> My Verizon app &gt; Account &gt; Security Settings. Enable <strong>Number Lock</strong>(blocks port-outs to other carriers) and <strong>SIM Protection</strong> (blocks SIM swaps within Verizon). Both free.</p></li><li><p><strong>T-Mobile:</strong> T-Life app &gt; Account &gt; Add-ons. Enable <strong>Port Out Protection</strong>. Free for all customers. You must add it to each line individually.</p></li><li><p><strong>AT&amp;T:</strong> myAT&amp;T app. Enable <strong>Wireless Account Lock</strong>. Blocks port-outs and sensitive account changes.</p></li><li><p><strong>Other carriers:</strong> Call and ask for both a <strong>port freeze</strong> (blocks transfers to other carriers) and a <strong>SIM lock</strong> (blocks device swaps within your carrier). You want both.</p></li></ul><p>Then set a <strong>strong account PIN</strong>. Not your birthday. Not the last four of your SSN. A random 6 to 8 digit number stored in your password manager.</p><h3><strong>Step 2: Move Your Important Accounts Off SMS</strong></h3><p>SIM swapping only works because SMS verification codes travel with your phone number. Move these accounts to an authenticator app or passkey and the attack loses its power:</p><ol><li><p><strong>Email</strong> (Gmail, iCloud, Outlook). This is the master key. If an attacker controls your email, they can reset every other password.</p></li><li><p><strong>Banking and financial accounts.</strong> Most major banks now support authenticator apps.</p></li><li><p><strong>Cryptocurrency exchanges.</strong> The single highest-risk category for SIM swap theft.</p></li><li><p><strong>Social media</strong> (Facebook, Instagram, LinkedIn).</p></li></ol><p>What to use instead of SMS:</p><ul><li><p><strong>Best:</strong> Passkeys (Apple, Google, Microsoft) or a hardware security key like YubiKey. Phishing-resistant and immune to SIM swaps.</p></li><li><p><strong>Good:</strong> An authenticator app (Apple Passwords, Google Authenticator, Microsoft Authenticator). Codes stay on your device.</p></li><li><p><strong>Acceptable:</strong> SMS. Still better than nothing. If it is your only option, keep it on while you upgrade.</p></li></ul><h3><strong>Step 3: Know the Warning Sign</strong></h3><p>The first sign of a SIM swap is <strong>sudden loss of cell service</strong>. Your phone shows &#8220;No Service&#8221; or &#8220;SOS Only&#8221; for no apparent reason (I.E. you are in a place where you usually have strong service)</p><p>If this happens, treat it as an emergency:</p><ol><li><p><strong>Call your carrier immediately</strong> from another phone or over Wi-Fi. Tell them you suspect a SIM swap and ask them to investigate it.</p><p></p><p><strong>If #1 confirms an attempted SIM Swap attack:</strong></p></li><li><p><strong>Call your bank</strong> and request a temporary freeze on transactions.</p></li><li><p><strong>Change your email password</strong> from a device you control, before the attacker does.</p></li><li><p><strong>Check for unauthorized activity</strong> on every account tied to your phone number.</p></li></ol><h2><strong>The Bottom Line</strong></h2><p>SIM swapping is one of the few attacks where the victim does nothing wrong and still loses. You do not click a link, open an attachment, or visit a malicious website. Someone convinces your carrier to hand over your phone number, and your digital life follows.</p><p>The fix is free and takes 15 minutes:</p><ol><li><p><strong>Enable Number Lock and SIM Protection</strong> on your carrier account.</p></li><li><p><strong>Set a strong, random account PIN.</strong></p></li><li><p><strong>Move your email and banking off SMS</strong> to an authenticator app or passkey.</p></li><li><p><strong>Help one family member do the same this week.</strong></p></li></ol><p>The people who steal phone numbers are counting on you to put this off until tomorrow. Don&#8217;t.</p><div><hr></div><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-attackers-stealing-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-attackers-stealing-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-attackers-stealing-your?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>If you or someone you know has been targeted:</p><ul><li><p><strong>FBI IC3:</strong> <a href="https://ic3.gov/">ic3.gov</a></p></li><li><p><strong>FTC:</strong> <a href="https://reportfraud.ftc.gov/">ReportFraud.ftc.gov</a> or 877-382-4357</p></li><li><p><strong>Your carrier&#8217;s fraud department</strong> (call the number on the back of your bill, not a number from a text or email)</p></li><li><p><strong>Your bank&#8217;s fraud line</strong> (call the number on the back of your debit or credit card)</p></li></ul><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf">FBI IC3, 2024 Annual Report</a> (982 SIM swap complaints, $25.9M in losses)</p></li><li><p><a href="https://www.fcc.gov/document/fcc-adopts-rules-protect-consumers-sim-swapping-and-port-out-fraud">FCC: SIM Swap and Port-Out Fraud Protection Rules</a> (effective 2024)</p></li><li><p><a href="https://krebsonsecurity.com/2026/04/scattered-spider-member-tylerb-pleads-guilty/">Krebs on Security: Scattered Spider Member &#8216;Tylerb&#8217; Pleads Guilty</a> (April 2026)</p></li><li><p><a href="https://www.10news.com/news/we-follow-through/sim-swapping-victim-gets-38-000-back-after-months-long-fight-with-bank-of-america">10News San Diego: SIM Swapping Victim Gets $38,000 Back</a> (Justin Chan case)</p></li><li><p><a href="https://www.foxnews.com/tech/sim-swap-scam-drained-florida-womans-bank-account-minutes">Fox News: SIM Swap Scam Drained Florida Woman&#8217;s Account</a> (Patricia Escriva, May 2026)</p></li><li><p><a href="https://www.nbcmiami.com/responds/woman-loses-life-savings-in-sim-swap-scam/2845044/">NBC Miami: Woman Loses Life Savings in SIM Swap Scam</a> (Wei Shen case)</p></li><li><p><a href="https://www.efani.com/blog/sim-swap-fraud-statistics-2026">Efani: SIM Swap Fraud Statistics 2026</a></p></li><li><p><a href="https://www.cifas.org.uk/">Cifas (UK): National Fraud Database 2024</a> (1,055% YoY increase)</p></li><li><p><a href="https://www.group-ib.com/blog/the-evolution-of-sim-swapping-fraud-how-fraudsters-bypass-security-layers/">Group-IB: The Evolution of SIM Swapping Fraud</a></p></li><li><p><a href="https://www.thomsonreuters.com/en-us/posts/corporates/sim-swap-fraud/">Thomson Reuters Institute: A Deep Dive Into SIM Swap Fraud</a></p></li></ul>]]></content:encoded></item><item><title><![CDATA[Prevent This: Your Car Selling Your Driving Data]]></title><description><![CDATA[Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone.]]></description><link>https://edge.intruvent.com/p/prevent-this-your-car-selling-your</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-your-car-selling-your</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 19 May 2026 16:48:49 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!kByA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone. If you found us through Intruvent Edge, our bi-weekly technical deep dive, welcome. Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><p>Your car knows where you go, how fast you drive, how hard you brake, and what time you get home at night. And in millions of cases, your car manufacturer has been quietly selling that information to data brokers, who pass it to insurance companies, who use it to raise your premiums.</p><p>You probably did not agree to this. You may not even know it is happening. <strong>82% of connected car drivers have no idea how much data their vehicle collects.</strong> The FTC just took action against General Motors for doing exactly this. And GM is far from the only brand involved.</p><h2><strong>What Happened?</strong></h2><p>On January 14, 2026, the Federal Trade Commission finalized a consent order against General Motors and its OnStar subsidiary. The FTC found that GM had been collecting detailed driving behavior data from more than <strong>14 million vehicles</strong> and selling it to data brokers, specifically Verisk Analytics and LexisNexis Risk Solutions. Those data brokers then made the information available to insurance companies.</p><p>The data was granular. OnStar recorded <strong>precise geolocation every 3 seconds</strong>, hard braking, hard acceleration, speeding (anything over 80 mph was flagged), late-night driving patterns, trip times, and seatbelt usage. GM earned approximately <strong>$20 million </strong>from selling this data. Honda sold similar data for about $0.26 per car. The financial incentive for the manufacturer is modest. The financial impact on the driver can be anything but.</p><p>Your car is not the only device in your life with this problem. Smart TVs, fitness trackers, doorbell cameras, thermostats, and yes, even smart refrigerators collect data about your daily habits and routines. Your car just happens to be the one the FTC caught selling it to your insurance company. The principle is the same across every connected device you own: if it is connected to the internet, it is collecting data. The question is who else is seeing it.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!kByA!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!kByA!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!kByA!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!kByA!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!kByA!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!kByA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:292063,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/198411709?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!kByA!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!kByA!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!kByA!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!kByA!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F260172d2-6f39-40e2-a27f-42a180dd203d_1200x896.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3><strong>What Happened to Real People</strong></h3><p>When the New York Times investigated in 2024, they found consumers whose insurance premiums had increased by <strong>21% and 80%</strong> after their driving data was shared without their knowledge. One driver reported being <strong>rejected by seven insurers</strong>. Another discovered a <strong>258-page LexisNexis report</strong> documenting every trip they had taken for months.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!6L41!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!6L41!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!6L41!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!6L41!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!6L41!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!6L41!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:958957,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/198411709?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!6L41!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!6L41!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!6L41!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!6L41!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdcfc040d-9748-4c92-a3fe-b57463883361_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>A 2024 study found that only <strong>31% of drivers who participated in telematics programs</strong> (voluntarily or not) saw lower premiums. <strong>24% paid more.</strong> The rest saw no change, meaning the data collection provided no benefit to them but still created a permanent record of their driving behavior in a third-party database.</p><h2><strong>Why Should You Care?</strong></h2><p>This affects most people who drive a car manufactured in roughly the last decade. The Mozilla Foundation evaluated 25 major car brands for privacy in 2023. <strong>Every single one failed. </strong>Mozilla called cars &#8220;the worst product category for privacy we have ever reviewed.&#8221; For example, Nissan&#8217;s privacy policy claims the right to collect &#8220;sexual activity&#8221; and &#8220;genetic data.&#8221; Most brands reserve the right to share data with law enforcement without a warrant.</p><ul><li><p><strong>82%</strong> of connected car drivers don&#8217;t know how much data their car collects</p></li><li><p><strong>40%</strong> don&#8217;t even know they have connected services active in their vehicle</p></li><li><p><strong>96%</strong> of consumers say they should own the data their car generates</p></li><li><p>A modern connected car transmits <strong>1 to 1.5 gigabytes per day</strong> to the manufacturer&#8217;s cloud</p></li></ul><h2><strong>How Does This Work?</strong></h2><p>Think of your car as a smartphone on wheels. It has a cellular connection, a GPS receiver, and dozens of sensors. Every time you drive, the car records where you went, how you got there, and how you drove along the way. That data is transmitted to the manufacturer through the car&#8217;s built-in cellular connection.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!B5f0!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!B5f0!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!B5f0!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!B5f0!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!B5f0!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!B5f0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/dad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1028360,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/198411709?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!B5f0!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!B5f0!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!B5f0!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!B5f0!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdad57975-a68a-4155-a5f9-e7e77bee40f9_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Historically, this data was used for services like navigation, crash detection, and remote diagnostics. Those are legitimate functions. The problem is that manufacturers began selling the same data to third parties, particularly data brokers who aggregate driving records and sell &#8220;risk profiles&#8221; to insurers.</p><p>Here is how the pipeline works:</p><ol><li><p><strong>Your car collects driving data</strong> (speed, braking, location, time of day) and transmits it to the manufacturer&#8217;s cloud.</p></li><li><p><strong>The manufacturer sells or shares the data</strong> with a data broker like Verisk or LexisNexis.</p></li><li><p><strong>The data broker builds a driving profile</strong> on you, which may include a risk score, trip history, and behavioral patterns.</p></li><li><p><strong>Your insurance company purchases or accesses the profile</strong> and uses it to adjust your premium at renewal, sometimes without telling you why your rate changed.</p></li></ol><p>The consent you gave was typically buried in the terms of service you accepted when you set up OnStar, FordPass, or Toyota Connected Services. The FTC found that GM&#8217;s enrollment process was designed to obscure the data-sharing, with consent bundled into multi-step flows that most consumers clicked through without reading.</p><h3><strong>Which Brands Are Doing This?</strong></h3><p>The brands that have been <strong>confirmed</strong> selling or sharing driving data with insurance-related data brokers include:</p><ul><li><p><strong>General Motors</strong> (OnStar, sold to Verisk and LexisNexis)</p></li><li><p><strong>Honda</strong> (sold to Verisk)</p></li><li><p><strong>Hyundai</strong> (shared with Verisk)</p></li><li><p><strong>Kia</strong> (shared with LexisNexis)</p></li><li><p><strong>Subaru</strong> (shared with LexisNexis)</p></li><li><p><strong>Mitsubishi</strong> (shared with LexisNexis)</p></li><li><p><strong>Ford</strong> (shared with Verisk)</p></li></ul><p>Verisk announced in early 2025 that it would stop collecting driving data from automakers. LexisNexis continues to operate its driving data program.</p><p>Toyota, Tesla, BMW, Mercedes-Benz, and other brands collect extensive driving data but the specifics of their third-party sharing arrangements are less well-documented. Their privacy policies broadly reserve the right to share data with &#8220;business partners&#8221; and &#8220;affiliates.&#8221;</p><h2><strong>What Can You Do?</strong></h2><h3><strong>Step 1: Find Out What Data Brokers Already Have on You</strong></h3><p>You have a legal right under the Fair Credit Reporting Act to request a free copy of your consumer file from data brokers. Two reports to request:</p><ul><li><p><strong>LexisNexis Consumer Disclosure:</strong> <a href="https://consumer.risk.lexisnexis.com/request">consumer.risk.lexisnexis.com/request</a>. This is the report that has documented 258-page driving histories for some consumers. Request it and see what they have.</p></li><li><p><strong>Verisk Consumer Report:</strong> <a href="https://fcra.verisk.com/">fcra.verisk.com</a>. Even though Verisk says they stopped collecting new data from automakers, they may still have your historical records.</p></li></ul><p>Both reports are free. They take about 15 minutes to request and typically arrive within 30 days.</p><h3><strong>Step 2: Check Your Vehicle&#8217;s Privacy Settings</strong></h3><p>You can also check what your specific car is sharing using <strong>Privacy4Cars</strong>, a free tool at <a href="https://vehicleprivacyreport.com/">VehiclePrivacyReport.com</a>. Enter your VIN and it tells you what data your car collects and shares.</p><h3><strong>Step 3: Opt Out of Data Sharing</strong></h3><p>Most manufacturers provide a way to opt out, though they do not make it easy. Here is how to do it for the most common brands:</p><ul><li><p><strong>GM/OnStar:</strong> Call OnStar (1-888-466-7827) or go to your OnStar account settings and disable &#8220;Connected Vehicle Data Sharing.&#8221; Under the FTC consent order, GM must now provide clear opt-out mechanisms and honor deletion requests.</p></li><li><p><strong>Ford:</strong> Open the FordPass app, go to Settings, then Privacy, and disable data sharing. You can also call Ford customer service.</p></li><li><p><strong>Toyota:</strong> Call Toyota Connected Services (1-800-331-4331) and request deactivation of data sharing. You can also manage settings through the Toyota app.</p></li><li><p><strong>Honda:</strong> Call 1-800-999-1009 and request opt-out from data sharing programs.</p></li><li><p><strong>Tesla:</strong> Go to Controls &gt; Software &gt; Data Sharing on the touchscreen and toggle off.</p></li><li><p><strong>Hyundai/Kia:</strong> Call Hyundai (1-800-633-5151) or Kia (1-800-333-4542) and request opt-out. You can also manage through the Bluelink or Kia Connect apps.</p></li></ul><p>A word of caution: opting out of data sharing may disable some connected features you use, like remote start, stolen vehicle tracking, or automatic crash notification. You will need to decide which features are worth the trade-off.</p><h3><strong>Step 4: Dispute Inaccurate Driving Data With Your Insurer</strong></h3><p>If you discover that a data broker has inaccurate driving data about you, or if your insurance premium increased and you suspect it was based on vehicle telematics data, you have the right to dispute it. Under the FCRA, both the data broker and the insurer must investigate disputes and correct inaccuracies. Contact your insurance company and ask directly: &#8220;Are you using telematics or driving behavior data in my rate calculation?&#8221;</p><h3><strong>Step 5: Wipe Your Data When You Sell Your Car</strong></h3><p>When you sell or trade in your vehicle, your personal data goes with it unless you manually remove it. Connected cars can store saved addresses (including your home and workplace), Wi-Fi passwords, contacts synced from your phone, garage door codes, credit card information from in-car payment systems, and your complete trip history.</p><p>Before handing over the keys:</p><ol><li><p>Perform a factory reset through the car&#8217;s settings menu</p></li><li><p>Remove the car from your manufacturer account (OnStar, FordPass, Toyota app, etc.)</p></li><li><p>Un-pair your phone from the Bluetooth system</p></li><li><p>Delete your home address and saved locations from the navigation system</p></li><li><p>Remove any stored garage door opener codes</p></li></ol><h2><strong>A Note on the Law</strong></h2><p>Three states have now banned this practice outright: <strong>Maryland</strong> (2024), <strong>Oregon </strong>(January 2026), and <strong>Virginia</strong> (effective July 2026). California imposed a $12.75 million CCPA penalty on GM, the largest CCPA penalty ever. The Texas Attorney General sued multiple automakers over data collection affecting 45 million Americans. There is no federal law prohibiting this. If you do not live in one of those three states, opting out directly with the manufacturer is your only protection.</p><p><strong>One more thing: rental cars.</strong> Roughly 90% of rental vehicles have GPS tracking and store the data for months. When you return a rental, disconnect your phone from Bluetooth, delete your navigation history, and sign out of any accounts on the infotainment system.</p><h2><strong>The Bottom Line</strong></h2><p>Your car is one of the most prolific data collectors in your life, and until recently, most manufacturers were sharing that data without meaningful consent. The FTC&#8217;s action against GM is a start, but it only covers one company. The driving data that has already been collected and sold is sitting in broker databases and may already be influencing your insurance rates.</p><p>Four things to do to address this:</p><ol><li><p><strong>Request your LexisNexis report</strong> at <a href="https://consumer.risk.lexisnexis.com/request">consumer.risk.lexisnexis.com/request</a>. Find out what they have on you. It is free.</p></li><li><p><strong>Check your car&#8217;s privacy settings</strong> using <a href="https://vehicleprivacyreport.com/">VehiclePrivacyReport.com</a>. Enter your VIN.</p></li><li><p><strong>Opt out of data sharing</strong> through your manufacturer&#8217;s app or by calling them directly.</p></li><li><p><strong>Ask your insurer</strong> whether they are using telematics or driving behavior data in your rate calculation.</p></li></ol><p>You probably gave your car permission to do this when you tapped &#8220;Agree&#8221; on a screen during setup. Now you know what you agreed to. Share this with anyone who drives.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-your-car-selling-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-your-car-selling-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-your-car-selling-your?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.ftc.gov/news-events/news/press-releases/2026/01/ftc-finalizes-order-settling-allegations-gm-onstar-collected-sold-geolocation-data-without-consumers">FTC: Order settling GM/OnStar geolocation data allegations</a> (January 14, 2026)</p></li><li><p><a href="https://foundation.mozilla.org/en/privacynotincluded/categories/cars/">Mozilla Foundation: Privacy Not Included, Cars</a> (2023)</p></li><li><p><a href="https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html">New York Times: Carmakers Are Sharing Driver Data With Insurers</a> (March 2024)</p></li><li><p><a href="https://consumer.risk.lexisnexis.com/request">LexisNexis: Consumer Disclosure Request</a></p></li><li><p><a href="https://fcra.verisk.com/">Verisk: Consumer Report Request</a></p></li><li><p><a href="https://vehicleprivacyreport.com/">Privacy4Cars: Vehicle Privacy Report</a></p></li><li><p><a href="https://consumer.ftc.gov/consumer-alerts/2026/05/new-trends-reports-imposter-scams">FTC: New Trends in Imposter Scams</a> (May 7, 2026)</p></li></ul><div><hr></div><p><em>Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out <a href="https://edge.intruvent.com/">Intruvent Edge</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Intruvent EDGE: The First AI-Generated Zero-Day Just Dropped. Here’s What We Know.]]></title><description><![CDATA[A zero-day discovered by AI, written by AI, and deployed in the wild. Welcome to the new timeline.]]></description><link>https://edge.intruvent.com/p/intruvent-edge-the-first-ai-generated</link><guid isPermaLink="false">https://edge.intruvent.com/p/intruvent-edge-the-first-ai-generated</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Thu, 14 May 2026 19:31:03 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Z4-8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to Intruvent Edge, our bi-weekly technical deep dive into a current cyber threat. If you found us through Prevent This, our weekly community newsletter covering cybersecurity for everyone, you&#8217;re in the right place. Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p><strong>The Short Version</strong></p><p><strong>For the first time, a criminal hacking group used artificial intelligence to find a security flaw that nobody knew existed, write the code to exploit it, and deploy that code against real targets.</strong> The AI tool handled the entire exploit lifecycle by itself.  Google&#8217;s security team caught it, worked with the affected software vendor to fix the flaw, and shut the operation down.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Z4-8!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Z4-8!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!Z4-8!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!Z4-8!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!Z4-8!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Z4-8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:138304,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/197729511?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Z4-8!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!Z4-8!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!Z4-8!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!Z4-8!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9585abd1-41b1-4754-a84d-77ea2417a560_1024x1024.heic 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>This matters because it changes the math on how quickly attackers can move. Finding and exploiting unknown security flaws used to require deep expertise and significant time. AI compresses both</strong>. If you run a business, manage IT infrastructure, or make decisions about technology risk, this article explains what happened, what it means, and what you should be paying attention to going forward.</p><h2><strong>Some Quick Definitions</strong></h2><p>Before we go further, a few terms that will come up throughout:</p><ul><li><p><strong>Zero-day:</strong> A security flaw in software that the software maker does not yet know about. The name comes from the idea that developers have had &#8220;zero days&#8221; to fix it. These are the most dangerous type of vulnerability because there is no patch available when attackers start using them.</p></li><li><p><strong>Exploit:</strong> A piece of code designed to take advantage of a specific flaw. Think of the flaw as an unlocked window. The exploit is the burglar who knows exactly which window and how to climb through it.</p></li><li><p><strong>Two-factor authentication (2FA):</strong> The second verification step when you log in, typically a code sent to your phone or generated by an app. The flaw in this case allowed attackers to skip that second step entirely.</p></li><li><p><strong>CVE:</strong> A standardized ID number assigned to known security flaws, like a case number. When the security community refers to &#8220;CVE-2026-31431,&#8221; everyone knows exactly which flaw is being discussed.</p></li><li><p><strong>APT (Advanced Persistent Threat):</strong> A government-sponsored hacking team. These are professional, well-funded groups that conduct cyber operations on behalf of nation-states. They are named and tracked by the security industry the way intelligence agencies track foreign operatives.</p></li></ul><h2><strong>What Happened</strong></h2><p>On May 11, 2026, Google&#8217;s Threat Intelligence Group (their security research division, often shortened to GTIG) published a report tracking how threat actors are using AI. Among dozens of findings, one stood out: <strong>a criminal hacking group used an AI model to discover a previously unknown security flaw and write a working exploit for it.</strong></p><p>The exploit is a Python script that bypasses two-factor authentication on a popular, widely used system administration tool. The underlying flaw is a hard-coded trust assumption in the software&#8217;s login process. In plain terms: the software was programmed to trust certain login attempts automatically, skipping the second verification step. The AI found that blind spot and wrote the code to walk through it.</p><p>Google identified the exploit in active use, coordinated with the software vendor to get the flaw patched, and disrupted the operation before it could spread further.</p><h3><strong>How Did Google Know AI Was Involved?</strong></h3><p>The exploit code contained telltale signs of AI authorship, the digital equivalent of a forged painting that uses pigments that did not exist when the original was supposedly created. Specifically:</p><ul><li><p><strong>Excessive documentation:</strong> The code included detailed explanatory notes throughout, the kind a teacher would write for a student. Real attackers do not document their exploits. They want their code to be hard to understand, not easy.</p></li><li><p><strong>A fabricated severity score:</strong> The code included a CVSS score (a standardized severity rating, like a hurricane category for software flaws) that the AI made up. The score did not correspond to any real entry in the vulnerability database.</p></li><li><p><strong>Textbook code structure:</strong> The code was organized with a precision and readability that prioritized clarity over stealth. Human exploit developers optimize for evasion. AI optimizes for correctness.</p></li><li><p><strong>Built-in help menus:</strong> The exploit included usage instructions. No human attacker builds a help menu into their attack tool.</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Jfie!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Jfie!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Jfie!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Jfie!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Jfie!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Jfie!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:367240,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/197729511?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Jfie!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!Jfie!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!Jfie!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!Jfie!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F290dfe27-5353-4392-8e62-4d27385a1bbc_1024x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Google stated there was no evidence that its own Gemini AI was used, and assessed with high confidence that an AI model was involved. The specific model and the specific group remain undisclosed.</p><h2><strong>Three Findings, Three Actors: Getting the Story Right</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!dpbP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!dpbP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!dpbP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!dpbP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!dpbP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!dpbP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1030672,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/197729511?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!dpbP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!dpbP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!dpbP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!dpbP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6f431a0f-f318-4a45-bc6b-e2fd0a523621_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Several publications reported this story as &#8220;North Korea used AI to build a zero-day.&#8221; That is not what Google said. The GTIG report contains three distinct findings involving three different groups doing three different things. Conflating them creates a misleading picture. Here is what actually happened:</p><p><strong>Finding 1: The AI-generated zero-day.</strong> An unnamed group of cybercrime actors used an AI model to discover a zero-day and write a working exploit. Google caught it in active use and shut it down. The group, the model, and the target product remain undisclosed. This is the headline finding.</p><p><strong>Finding 2: North Korea&#8217;s APT45 using AI to research vulnerabilities at scale. </strong>Separately, Google found that a North Korean government hacking team called APT45 (also known as Andariel) sent &#8220;thousands of repetitive prompts&#8221; to AI models, asking them to analyze known security flaws and validate whether existing proof-of-concept exploits actually work. Think of it as using AI to do the research grunt work: reading thousands of vulnerability reports and testing whether the published attack code is functional. This is a serious capability, but it is vulnerability research, not zero-day creation. APT45 did not produce the AI-generated zero-day in Finding 1.</p><p><strong>Finding 3: China&#8217;s APT27 using AI to build operational tools.</strong> A Chinese government hacking team called APT27 (also known as Threat Group-3390) used Google&#8217;s Gemini to write a fleet management application for their proxy network. A proxy network is a series of relay points that attackers route their traffic through to hide their real location, like forwarding mail through multiple PO boxes so the return address cannot be traced. APT27 used AI to build the software that manages those relay points. This is software engineering, not exploit development.</p><p><strong>The distinction matters.</strong> One unnamed criminal group created an AI-generated zero-day. A North Korean government team is using AI to accelerate vulnerability research. A Chinese government team is using AI to build infrastructure tools. All three are significant. None of them should be described as the same thing.</p><h2><strong>Why This Matters</strong></h2><p>The security industry has debated whether AI would be used for exploit development since ChatGPT launched in late 2022. That debate is settled. The question now is how fast this scales.</p><p>Three dynamics make this consequential for anyone who manages technology risk:</p><h3><strong>1. The Clock Is Faster Now</strong></h3><p>When a security flaw is discovered and publicly disclosed, a race begins. Defenders race to install the patch. Attackers race to build an exploit before the patch is applied. Historically, building a working exploit took days to weeks of skilled manual work. AI compresses that timeline.</p><p>In April, a security research team demonstrated this directly: they used AI-assisted analysis to turn a newly disclosed Linux kernel vulnerability (the &#8220;Copy Fail&#8221; flaw we covered in our <a href="https://edge.intruvent.com/p/intruvent-edge-732-bytes-to-root-a">April 30 newsletter</a>) into a complete attack chain in approximately one hour. Google&#8217;s finding confirms that criminal groups are achieving similar speeds.</p><p>For organizations that patch on a monthly cycle, this is a problem. When the time from disclosure to exploit drops from weeks to hours, a monthly patch schedule means spending most of the month exposed.</p><h3><strong>2. The Expertise Barrier Is Lower</strong></h3><p>Building exploits used to require rare, specialized skills. Google&#8217;s report describes APT45&#8217;s approach as &#8220;thousands of repetitive prompts&#8221; rather than sophisticated engineering. That is not an elite technique. It is a volume play, like running a thousand internet searches instead of crafting one perfect query.</p><p>The AI artifacts in the zero-day exploit (the help menus, the documentation, the fabricated severity score) suggest the developer leaned heavily on the AI&#8217;s raw output rather than refining it. That implies someone with moderate technical skills, not a world-class exploit developer, produced a working zero-day with AI assistance.</p><p>The analogy in other fields: it is the difference between needing a board-certified specialist for a procedure versus a general practitioner with the right diagnostic tool. The tool does not replace expertise entirely, but it lowers the bar for who can produce a competent result.</p><h3><strong>3. The Trajectory Is Clear and Accelerating</strong></h3><p>Google has now published three AI Threat Tracker reports. Each one documents capabilities that were theoretical in the previous edition:</p><ul><li><p><strong>Early 2024:</strong> Attackers used AI mostly for writing phishing emails and generating basic code. Think of this as using AI as a research assistant.</p></li><li><p><strong>November 2025:</strong> Google discovered experimental malware called PROMPTFLUX that queried an AI model to rewrite its own code hourly, changing its appearance to avoid detection. The malware was still in testing, but it proved the concept of using AI as a live mutation engine.</p></li><li><p><strong>April 7, 2026:</strong> Anthropic (the company behind the Claude AI) disclosed that its Mythos model discovered over 2,000 previously unknown security flaws in seven weeks during internal testing, including bugs that had gone undetected for 17 and 27 years. Anthropic restricted Mythos&#8217;s release because of its offensive potential.</p></li><li><p><strong>May 11, 2026:</strong> Google confirmed the first AI-assisted zero-day exploit used in a real-world criminal operation.</p></li></ul><p>Each milestone arrived faster than the previous one. The gap between Anthropic&#8217;s controlled testing disclosure and a real-world AI-generated exploit in the wild was approximately one month.</p><h2><strong>What Else Was in the Report</strong></h2><p>The zero-day was the headline, but Google&#8217;s full report documents AI being integrated across every phase of cyberattack operations:</p><ul><li><p><strong>Autonomous phone malware:</strong> Android malware called PROMPTSPY uses an AI model to navigate a phone&#8217;s screen and replay biometric data without human guidance. This is malware that can operate your phone by itself.</p></li><li><p><strong>AI-generated decoy documents:</strong> Russian-linked actors are using AI to produce convincing fake documents for phishing campaigns targeting Ukraine. AI makes the lure material faster and more believable at scale.</p></li><li><p><strong>AI voice cloning for impersonation:</strong> A pro-Russia influence operation used AI-generated voice clones to impersonate journalists.</p></li><li><p><strong>Software supply chain attacks:</strong> A group called TeamPCP compromised popular security scanning tools (Trivy, Checkmarx, LiteLLM), affecting over 1,000 business software environments.</p></li><li><p><strong>Autonomous reconnaissance:</strong> Chinese actors deployed AI-powered tools called Hexstrike and Strix that can scan and map target networks without human direction.</p></li></ul><p>The pattern is consistent. AI is not being used for one thing. It is being used for everything: research, reconnaissance, exploit development, malware creation, phishing, impersonation, and infrastructure management.</p><h2><strong>The Actors Behind This</strong></h2><h3><strong>APT45 / Andariel (North Korea)</strong></h3><p>APT45 is a hacking team that operates under North Korea&#8217;s military intelligence agency, the Reconnaissance General Bureau. The security industry also tracks them as Andariel, Silent Chollima, and Onyx Sleet. They are a sub-unit of the Lazarus Group, the umbrella organization behind North Korea&#8217;s most prominent cyber operations (Intruvent Codex; MITRE ATT&amp;CK G0138).</p><p>APT45 has been active since at least 2015. Their primary mission is generating revenue for North Korea&#8217;s weapons programs through ransomware, cryptocurrency theft, and extortion. They target defense contractors, financial institutions, and government agencies. They have also targeted hospitals with ransomware (the Maui campaign) and conducted espionage against nuclear research programs.</p><p>Google&#8217;s report reveals that APT45 is now using AI at an industrial scale to analyze security flaws and test whether published exploits actually work. Their approach (sending thousands of repetitive prompts, using automated testing tools in practice environments) suggests they have built AI into their standard research workflow. This is not an experiment. It is how they operate now.</p><h3><strong>APT27 / Threat Group-3390 (China)</strong></h3><p>APT27 is a Chinese government espionage group that has been active since at least 2010. The security industry tracks them under a long list of names: Threat Group-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse (Intruvent Codex; MITRE ATT&amp;CK G0027). The US Department of Justice indicted members of the group in 2020.</p><p>APT27 is one of the more technically sophisticated state-sponsored groups. The Intruvent Codex maps them to 57 distinct attack techniques and 24 malware families. They target defense, government, energy, manufacturing, and technology organizations.</p><p>Google&#8217;s finding that APT27 used Gemini to build a proxy network management tool is significant because it shows AI being used for operational plumbing, not just flashy capabilities. They needed a piece of software to manage their network of relay servers (which disguise the origin of their attacks by routing traffic through multiple hops, including consumer-grade 4G/5G connections). Instead of writing it from scratch, they had an AI build it. It is the cyber equivalent of hiring a contractor through an app instead of building the addition yourself.</p><h2><strong>What Should Organizations Do?</strong></h2><h3><strong>Patch Faster</strong></h3><p>If your organization patches software on a monthly cycle, this report is a signal to reassess. When AI can analyze a published security flaw and produce an exploit in hours, a 30-day patch window means spending most of the month with a known, exploitable weakness. For systems that face the internet (web servers, VPNs, email gateways, login portals), the target should be patching critical flaws within 24 to 72 hours of disclosure, not 30 days.</p><h3><strong>Know What AI-Written Exploits Look Like</strong></h3><p>The AI fingerprints Google identified (excessive documentation, fabricated severity scores, textbook code structure, help menus) are a temporary detection opportunity. If your security team investigates an incident and finds exploit code on a compromised system, these patterns can help determine whether AI was involved. Think of it like identifying a counterfeiter: the first generation of AI-generated exploits has tells that experienced analysts can spot. Those tells will fade as attackers learn to clean up after their AI, but right now, they are useful.</p><h3><strong>Audit Your Two-Factor Authentication</strong></h3><p>The specific zero-day exploited a flaw in how a product implemented two-factor authentication. The software had a built-in exception that trusted certain login attempts without requiring the second step. These kinds of shortcuts are common in software development (they make testing easier, or they accommodate legacy systems), and they are exactly the kind of subtle flaw that AI is good at finding.</p><p>Ask your IT team or security vendor: are there any conditions under which our two-factor authentication can be bypassed? Is there a fallback path that skips the second factor? Are there API endpoints (programmatic access points) that do not enforce it?</p><h3><strong>Prepare for More Exploits, Faster</strong></h3><p>APT45&#8217;s &#8220;thousands of repetitive prompts&#8221; approach is a preview. When vulnerability research becomes a volume game played by AI, the number of working exploits for known flaws will increase and the time between a flaw being disclosed and an exploit being available will decrease. Your security team should be planning for a world where every major vulnerability has a working exploit within days of disclosure, not weeks or months.</p><h2><strong>The Bigger Picture</strong></h2><p>The security industry has spent three years debating whether AI would be used to build cyberweapons. Google&#8217;s report ends that debate. It is happening. The first AI-assisted zero-day was caught in active use. The next one may not be caught at all.</p><p>The trajectory from Anthropic&#8217;s controlled disclosure of 2,000+ AI-discovered flaws in April to a real-world AI-generated exploit in May is a one-month gap. The trajectory from APT45&#8217;s brute-force approach to something more refined is measured in AI model generations, not years. The models themselves are improving faster than defensive tooling is adapting.</p><p>There is a silver lining. The exploit Google caught was identifiable precisely because AI leaves fingerprints that human developers do not. The help menus, the documentation, the fabricated scores: these are artifacts of an AI trying to be helpful in a context where helpfulness is a tell. That detection window is real, but it is closing. As models improve and attackers learn to strip the artifacts, the fingerprints will fade.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-the-first-ai-generated?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-the-first-ai-generated?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/intruvent-edge-the-first-ai-generated?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>For decision-makers, the takeaway is straightforward: the speed and scale at which attackers can find and exploit security flaws just changed. The organizations that adapt their patching speed, their detection capabilities, and their risk models to reflect this new reality will be in a stronger position than those that treat it as a future problem. The future arrived last Sunday.</p><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://thehackernews.com/2026/05/hackers-used-ai-to-develop-first-known.html">The Hacker News: Hackers Used AI to Develop First Known Zero-Day 2FA Bypass for Mass Exploitation</a> (May 11, 2026)</p></li><li><p>Google Threat Intelligence Group, <em>AI Threat Tracker, Third Edition</em> (May 11, 2026)</p></li><li><p><a href="https://thehackernews.com/2025/11/google-uncovers-promptflux-malware-that.html">The Hacker News: Google Uncovers PROMPTFLUX Malware That Uses Gemini AI to Rewrite Its Code Hourly</a> (November 5, 2025)</p></li><li><p><a href="https://thehackernews.com/2026/04/anthropics-claude-mythos-finds.html">The Hacker News: Anthropic&#8217;s Claude Mythos Finds Thousands of Zero-Day Flaws</a>(April 7, 2026)</p></li><li><p>Intruvent Technologies, <em>Golden CTI Database (Codex)</em>: Andariel (G0138), Threat Group-3390 (G0027), Lazarus Group (G0032), queried May 14, 2026</p></li><li><p>MITRE ATT&amp;CK: <a href="https://attack.mitre.org/groups/G0138/">Andariel (G0138)</a>, <a href="https://attack.mitre.org/groups/G0027/">Threat Group-3390 (G0027)</a></p></li><li><p><a href="https://xint.io/blog/copy-fail-linux-distributions">Xint Code: Copy Fail, 732 Bytes to Root</a> (April 29, 2026)</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Prevent This: The Phishing Email That Actually Comes From Apple]]></title><description><![CDATA[Scammers found a way to send phishing emails from Apple's own servers. Here's how to spot them.]]></description><link>https://edge.intruvent.com/p/prevent-this-the-phishing-email-that</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-the-phishing-email-that</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 12 May 2026 16:30:51 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!KXqy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p><strong>Welcome to Prevent This, our weekly community newsletter covering cybersecurity for everyone.</strong> If you found us through Intruvent Edge, our bi-weekly technical deep dive, welcome. Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here.  Please share this newsletter if you find it useful.</p><div><hr></div><p>You know the drill. <strong>You get a suspicious email, you check the sender address, and if it looks fake, you delete it.</strong> That one simple habit has protected millions of people from phishing scams for years.</p><p><strong>It doesn&#8217;t work anymore.</strong></p><p>Scammers have figured out how to send phishing emails that genuinely come from Apple&#8217;s own servers. The sender address is real. The email authentication checks all pass. Your spam filter waves it right through. And the message inside tells you that someone just bought an $899 iPhone with your Apple account.</p><p></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>Your heart rate spikes. You call the number in the email. And now you&#8217;re talking to a scammer.</p><h2><strong>What Happened?</strong></h2><p>In April 2026, security researchers at BleepingComputer and Malwarebytes documented a phishing technique that abuses Apple&#8217;s own notification system to deliver scam emails from Apple&#8217;s legitimate email address: <strong>appleid@id.apple.com</strong>.</p><p><strong>These emails are not spoofed. They are not faked. They are real Apple notifications, triggered by real Apple systems, delivered from real Apple servers.</strong> Every email authentication check (SPF, DKIM, DMARC, for the technically curious) passes with flying colors. Gmail, Outlook, Yahoo, and every other email provider treat them as legitimate because they are.</p><p>The scam has already cost people real money. Dorothy, a woman in her 60s, received one of these emails in early April. A scammer who already knew her personal details convinced her over the phone that her accounts had been compromised. He coached her through a series of steps and told her to drive to the bank to withdraw $15,000. A bank teller recognized the signs and intervened before Dorothy handed over the cash.</p><p>Not everyone is that lucky.</p><h2><strong>Why Should You Care?</strong></h2><ul><li><p>Apple has <strong>2.5 billion active devices</strong> worldwide. If you own an iPhone, iPad, Mac, or Apple Watch, you are a potential target.</p></li><li><p>Apple is now the <strong>#2 most impersonated brand</strong> in phishing attacks, accounting for 11% of all phishing attempts in Q1 2026 (Check Point Research).</p></li><li><p>At least <strong>five distinct Apple scam campaigns</strong> were running concurrently in April 2026.</p></li><li><p>Tech support scams (the category this falls into) cost Americans <strong>$924.5 million in 2023</strong> alone (FTC). Vishing (voice phishing) attacks increased <strong>442%</strong> in 2024.</p></li><li><p>Apple has <strong>not acknowledged or patched</strong> the flaw that makes this possible.</p></li></ul><h2><strong>How Does This Work?</strong></h2><p>Think of Apple&#8217;s notification system like an automated receptionist. When you update your account information, the receptionist sends you a polite confirmation email: &#8220;Hi [Your Name], your Apple Account was updated.&#8221;</p><p>The receptionist doesn&#8217;t check what your name actually says. It just reads whatever is in the name field and puts it in the email.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KXqy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KXqy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!KXqy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!KXqy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!KXqy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!KXqy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:968195,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/197356027?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KXqy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!KXqy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!KXqy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!KXqy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbcaed697-f2ef-4eb6-8be3-565bc0e1ccbd_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Scammers figured this out. Here&#8217;s what they do:</p><ol><li><p><strong>Create a new Apple ID</strong> using a throwaway email address.</p></li><li><p><strong>Set the first name</strong> to something like: &#8220;User 899 USD iPhone Purchase Via&#8221;</p></li><li><p><strong>Set the last name</strong> to something like: &#8220;Pay-Pal To Cancel Call 1-802-353-0761&#8221;</p></li><li><p><strong>Change the shipping address</strong> on the account. This triggers Apple&#8217;s automated notification system.</p></li><li><p>Apple&#8217;s servers dutifully send out an email that reads: <strong>&#8220;Dear User 899 USD iPhone Purchase Via Pay-Pal To Cancel Call 1-802-353-0761, your Apple Account was used to sign in...&#8221;</strong></p></li></ol><p>The email lands in your inbox looking like a legitimate Apple alert. Because it is one. The scam message is smuggled inside Apple&#8217;s own greeting line.</p><p>If you call the number, you reach a scammer running a tech support con. They will tell you your account has been compromised. They will ask you to install remote access software, hand over login credentials, or (like Dorothy&#8217;s case) withdraw cash.</p><p><strong>The reason this works so well is that it weaponizes the one thing you were taught to trust: the sender address.</strong> Every guide, every tip sheet, every cybersecurity awareness training tells you to &#8220;check the sender.&#8221; When the sender is actually Apple, that advice breaks down.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1VcC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1VcC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1VcC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!1VcC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!1VcC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1VcC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:313414,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/197356027?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1VcC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!1VcC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!1VcC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!1VcC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa669002a-cdd3-4f6a-9d58-5667c2237ef6_1024x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2><strong>What Can You Do?</strong></h2><h3><strong>Step 1: Never Call a Phone Number From an Email</strong></h3><p>This is the single most important rule. Apple will <strong>never</strong> put a phone number in an email and ask you to call it. Neither will your bank, the IRS, or any legitimate company. If an email includes a phone number and urgency, treat it as a scam by default. If you want to call Apple, go to <a href="https://support.apple.com/">support.apple.com</a> and find the number yourself.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!I3hH!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!I3hH!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!I3hH!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!I3hH!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!I3hH!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!I3hH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:50223,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/197356027?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!I3hH!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!I3hH!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!I3hH!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!I3hH!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4fde6287-3ec0-4a5c-b581-f1cccda8ba96_1024x1024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3><strong>Step 2: Check Your Actual Purchases</strong></h3><p>If you get an email claiming someone bought a $899 iPhone with your account, do not click anything in the email. Instead:</p><ul><li><p><strong>On your iPhone or iPad:</strong> Open Settings, tap your name at the top, tap Subscriptions or Media &amp; Purchases. Check your purchase history directly.</p></li><li><p><strong>On a computer:</strong> Go to <a href="https://reportaproblem.apple.com/">reportaproblem.apple.com</a> and sign in. This shows every real purchase on your account.</p></li><li><p><strong>Check your bank or credit card statement.</strong> If there&#8217;s no $899 charge, there was no $899 purchase. Close the email.</p></li></ul><h3><strong>Step 3: Read the Email Carefully</strong></h3><p>Even though these emails come from a real Apple address, the scam text is stuffed into the greeting line. Legitimate Apple emails address you by your actual name. If the greeting reads like a sentence fragment about a purchase or a phone number to call, that is the tell. Real Apple notifications say &#8220;Dear [Your Name],&#8221; not &#8220;Dear User 899 USD iPhone Purchase Via Pay-Pal.&#8221;</p><h3><strong>Step 4: Turn On Two-Factor Authentication</strong></h3><p>If you have not already, enable two-factor authentication on your Apple account. This protects you even if a scammer somehow gets your password.</p><ul><li><p><strong>iPhone/iPad:</strong> Settings &#8594; [Your Name] &#8594; Sign-In &amp; Security &#8594; Two-Factor Authentication</p></li><li><p><strong>Mac:</strong> System Settings &#8594; [Your Name] &#8594; Sign-In &amp; Security &#8594; Two-Factor Authentication</p></li></ul><h3><strong>Step 5: Report It</strong></h3><p>Forward phishing emails to <strong>reportphishing@apple.com</strong>. Apple does investigate these reports, and enough reports from users may push them to fix the name-field vulnerability that makes this attack possible.</p><p>You can also report the scam to the FTC at <a href="https://reportfraud.ftc.gov/">reportfraud.ftc.gov</a>.</p><h2><strong>The Bottom Line</strong></h2><p>&#8220;Check the sender address&#8221; used to be reliable advice. For this scam, the sender address is legitimate. The email is legitimate. The only thing that is fake is the message smuggled into the greeting line.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-the-phishing-email-that?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-the-phishing-email-that?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-the-phishing-email-that?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>Three things to remember:</p><ol><li><p><strong>Never call a phone number from a suspicious email.</strong> Look up the number yourself.</p></li><li><p><strong>Verify purchases directly.</strong> Check your account or your bank statement, not the email.</p></li><li><p><strong>Read the greeting line.</strong> If your name looks like a sentence about a purchase, delete the email.</p></li></ol><p>Apple has 2.5 billion devices in the world and has not yet fixed this flaw. Until they do, you are your own last line of defense. Share this with anyone who uses Apple products.</p><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.bleepingcomputer.com/news/security/apple-account-change-alerts-abused-to-send-phishing-emails/">BleepingComputer: Apple account change alerts abused to send phishing emails</a> (April 2026)</p></li><li><p><a href="https://www.malwarebytes.com/blog/news/2026/04/real-apple-notifications-are-being-used-to-drive-tech-support-scams">Malwarebytes: Real Apple notifications used to drive tech support scams</a> (April 2026)</p></li><li><p><a href="https://www.tomsguide.com/computing/online-security/scammers-are-weaponizing-apples-own-notifications-in-a-dangerous-new-phishing-attack-dont-fall-for-this">Tom&#8217;s Guide: Scammers weaponizing Apple&#8217;s own notifications</a> (April 2026)</p></li><li><p><a href="https://www.techrepublic.com/article/news-apple-phishing-scam-fake-899-iphone-purchase-alert/">TechRepublic: Apple phishing scam, fake $899 iPhone purchase alert</a> (April 2026)</p></li><li><p><a href="https://www.foxnews.com/tech/apple-pay-text-scam-almost-cost-15000">Fox News: Apple Pay scam nearly cost woman $15,000</a> (April 8, 2026)</p></li><li><p><a href="https://blog.checkpoint.com/research/the-phishing-paradox-the-worlds-most-trusted-brands-are-cyber-criminals-entry-point-of-choice">Check Point Research: Most impersonated brands Q1 2026</a></p></li><li><p><a href="https://support.apple.com/en-us/102568">Apple Support: Recognize and avoid phishing</a></p></li><li><p><a href="https://www.ftc.gov/news-events/news/press-releases/2025/08/ftc-data-show-more-four-fold-increase-reports-impersonation-scammers-stealing-tens-even-hundreds">FTC: Impersonation scam losses</a></p></li></ul><div><hr></div><p><em>Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For our bi-weekly technical deep dive, check out <a href="https://edge.intruvent.com/">Intruvent Edge</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Someone Just Stole Your Kid's School Records]]></title><description><![CDATA[The Canvas breach is big. The real risk is the phishing that comes next.]]></description><link>https://edge.intruvent.com/p/prevent-this-someone-just-stole-your</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-someone-just-stole-your</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 05 May 2026 17:25:37 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!pu6J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pu6J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pu6J!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 424w, https://substackcdn.com/image/fetch/$s_!pu6J!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 848w, https://substackcdn.com/image/fetch/$s_!pu6J!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 1272w, https://substackcdn.com/image/fetch/$s_!pu6J!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pu6J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png" width="1024" height="792" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:792,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1322391,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/196563238?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9b6fd164-539f-40cb-a7b0-74ee32fb7630_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!pu6J!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 424w, https://substackcdn.com/image/fetch/$s_!pu6J!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 848w, https://substackcdn.com/image/fetch/$s_!pu6J!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 1272w, https://substackcdn.com/image/fetch/$s_!pu6J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7f9ab7a8-ed02-49c5-84f9-2ebaa2016322_1024x792.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>If your child has done homework online in the past few years, there is a good chance they used Canvas. It is one of the most widely used learning management systems in the country and the dominant platform in higher education, where it holds nearly 40% market share. Teachers post assignments on it. Students submit work through it. Parents log in to check grades. And <strong>last week, hackers broke into Canvas, stealing student data and school information.</strong></p><p>The <strong>hackers claim the breach affects 275 million users across roughly 9,000 schools.</strong> <strong>Instructure, the company that owns Canvas, has confirmed the breach</strong> but has not confirmed those numbers. What we know for certain is that <strong>the stolen data includes names, email addresses, student IDs, and private messages.</strong> If you are reading this newsletter and have a school aged child, there is a real probability that your family&#8217;s data is in that pile.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>Here is the good news: your passwords, Social Security numbers, and credit card information were almost certainly not taken. Here is the bad news: what the hackers did get might be more useful to them than you think.</p><h2><strong>What Happened?</strong></h2><p>On April 30, 2026, Instructure (the company that owns Canvas) detected service disruptions on their platform. By May 1, their Chief Information Security Officer confirmed that a criminal threat actor had breached their network. <strong>On May 3, a hacking group called ShinyHunters claimed responsibility, posting a sample of the stolen data on their leak site</strong> and giving Instructure until May 6 to respond before publishing everything.</p><p>ShinyHunters claims to have stolen <strong>3.65 terabytes</strong> of data. TechCrunch independently verified a sample of the stolen data, confirming records from at least two U.S. schools (one in Massachusetts, one in Tennessee) containing names, email addresses, phone numbers, and student messages. <strong>ShinyHunters describes the message archive as &#8220;several billion&#8221; private messages exchanged between students, teachers, and parents within the Canvas platform.</strong></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!I_7-!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!I_7-!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!I_7-!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!I_7-!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!I_7-!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!I_7-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:434805,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/196563238?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!I_7-!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!I_7-!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!I_7-!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!I_7-!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F852fe6e9-7993-44e7-9efd-8989f6c41381_1024x1024.jpeg 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>This is not the first time Instructure has been hit. In September 2025, the same group, ShinyHunters, compromised Instructure&#8217;s Salesforce instance through social engineering. That breach exposed customer support data. This time, the attackers accessed the Canvas platform itself. Two breaches by the same group in eight months.</p><p>Instructure has confirmed the breach and published guidance at their <a href="https://www.instructure.com/security-incident">security incident page</a>. A law firm has already opened a class action investigation.</p><h2><strong>The Good News (What Was Not Taken)</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!9Svy!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!9Svy!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!9Svy!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!9Svy!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!9Svy!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!9Svy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:976131,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/196563238?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!9Svy!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!9Svy!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!9Svy!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!9Svy!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c66765b-eca7-4765-a6be-aee72f8370f8_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Before the panic sets in, here is what Instructure says the hackers <strong>did not</strong> get:</p><ul><li><p><strong>Passwords.</strong> <strong>Canvas did not store your child&#8217;s password in a way the attackers could access.</strong> Many school districts use what is called Single Sign-On (SSO), meaning students log into Canvas through their school&#8217;s Google or Microsoft account. Canvas never sees or stores that password. If your child logs into Canvas through a Google or Clever login page, their password was never in Canvas&#8217;s system to begin with. <strong>However, see the important caveat about student IDs below.</strong></p></li><li><p><strong>Social Security numbers.</strong> Schools store SSNs in their Student Information Systems (PowerSchool, Infinite Campus, etc.), not in Canvas. Canvas is a learning tool, not an enrollment database.</p></li><li><p><strong>Financial information.</strong> Canvas does not process payments. If your school charges fees, that goes through a separate payment system.</p></li><li><p><strong>Dates of birth.</strong> Also stored in the student information system, not Canvas.</p></li></ul><p><strong>So the most sensitive categories of personal data appear to be out of scope. That matters, and it is worth taking a breath over.</strong></p><h3><strong>One Important Caveat: Student IDs Are More Than ID Numbers</strong></h3><p>Here is where the &#8220;good news&#8221; gets complicated. In many school districts, especially K-12, <strong>the student ID number is not just an identifier. It is the username.</strong> Your child might log into Canvas, PowerSchool, the lunch payment system, the library catalog, and the school&#8217;s Chromebook with the same student ID as their username.</p><p>And in a lot of districts, particularly for younger students, the password is something the district assigned using a predictable pattern: the child&#8217;s birthday, their initials plus a number, or (in the worst cases) the student ID itself with a simple modification. Teachers have to manage 25 to 30 kids who forget their passwords constantly, so many districts default to something simple and consistent.</p><p><strong>That means the exposed student ID might effectively be half the login credentials for every system your child&#8217;s school district uses.</strong> Not because Canvas stored passwords, but because the student ID is the key that unlocks the front door, and the password behind that door might be guessable if an attacker knows the district&#8217;s pattern.</p><p>This does not mean every student is at risk. Districts that use SSO through Google or Microsoft, where the child has a unique password managed through the district&#8217;s identity system, are in a much better position. But districts that still rely on student-ID-as-username with simple assigned passwords should be treating this breach as a credential exposure event, not just a data exposure event.</p><h2><strong>The Bad News (What Was Taken, and Why It Matters)</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!RrpB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!RrpB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 424w, https://substackcdn.com/image/fetch/$s_!RrpB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 848w, https://substackcdn.com/image/fetch/$s_!RrpB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 1272w, https://substackcdn.com/image/fetch/$s_!RrpB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!RrpB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png" width="1024" height="864" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:864,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1096864,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/196563238?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa79059a8-aa62-412e-96cd-030b1fcf5354_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!RrpB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 424w, https://substackcdn.com/image/fetch/$s_!RrpB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 848w, https://substackcdn.com/image/fetch/$s_!RrpB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 1272w, https://substackcdn.com/image/fetch/$s_!RrpB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9e3b42a8-54f9-4a5b-b401-15040fa8c776_1024x864.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>What the hackers did get is a different kind of valuable. Instructure confirmed the breach exposed:</p><ul><li><p><strong>Names</strong> (student, teacher, and parent/observer names)</p></li><li><p><strong>Email addresses</strong> (institutional and, <strong>for parents, sometimes personal</strong>)</p></li><li><p><strong>Student ID numbers</strong></p></li><li><p><strong>Private messages</strong> (conversations between students, teachers, and parents within Canvas)</p></li></ul><p>On the surface, names and school email addresses might not sound alarming. But this data becomes dangerous when it is combined and used creatively. Here is what a motivated attacker can do with it:</p><h3><strong>1. Hyper-Targeted Phishing That Looks Like Your Child&#8217;s School</strong></h3><p><strong>Imagine getting an email from what appears to be your child&#8217;s teacher: &#8220;Hi [your name], I noticed [your child&#8217;s name] hasn&#8217;t submitted their assignment for [actual class name]. Please log in to review their grade.&#8221;</strong> That email contains your real name, your child&#8217;s real name, and a real class. The link goes to a fake login page that steals your Google or Microsoft credentials.</p><p>This is the difference between a generic phishing email and one that references your actual life. Because the hackers have access to real messages, real class names, and real teacher names, they can build phishing emails that are nearly impossible to distinguish from legitimate school communications.</p><h3><strong>2. Social Engineering Parents</strong></h3><p>Armed with parent email addresses, student names, school names, and teacher names, a scammer can impersonate school administrators. &#8220;We are updating our payment system for school lunch accounts. Please verify your payment method.&#8221; The email comes with enough real details about your child&#8217;s school that it feels trustworthy.</p><h3><strong>3. Child Identity Theft (The Longer-Term Risk)</strong></h3><p>A child&#8217;s name and student ID number, combined with their school and approximate age, gives an identity thief a building block. To be clear: <strong>this data alone is not enough to open a credit card or take out a loan</strong>. That requires a Social Security number, which was not exposed in this breach. But it is one more piece in a puzzle that gets assembled over time as breaches accumulate, and children are attractive targets because nobody checks their credit for years.</p><p>Javelin Strategy &amp; Research found that approximately <strong>1 in 50 children</strong> (about 1.25 million kids) experience identity fraud each year in the United States, costing families roughly $1 billion annually. Most of that fraud involves someone the child knows, not a hacker with breach data. But for older students, especially college students whose names, school emails, and course information are now exposed alongside years of private messages, the risk profile is more direct. A college student&#8217;s identity is closer to fully formed and more immediately useful to a thief.</p><h3><strong>4. Private Message Exposure</strong></h3><p>Canvas stores every message sent between users on the platform. For college students, this could include conversations about academic struggles, accommodation requests, personal disclosures to advisors, or sensitive communications with professors. For younger students, the content may be less sensitive, but the principle remains: private conversations between children and their teachers were never meant to be public.</p><h2><strong>What Can You Do?</strong></h2><h3><strong>Step 1: Find Out If Your School Uses Canvas</strong></h3><p>If you are not sure, ask your school&#8217;s front office or check your child&#8217;s school website. Look for references to &#8220;Canvas,&#8221; &#8220;Instructure,&#8221; or a login link that goes to a <strong>.instructure.com </strong>domain. Canvas is used by roughly 4,000 K-12 districts and 5,000 colleges in the United States. Chances are reasonable that at least one school your family has interacted with uses it.</p><h3><strong>Step 2: Ask Your District How Your Child Logs In</strong></h3><p>This is the most important step and it takes one phone call or email. Contact your school&#8217;s front office or IT department and ask two questions:</p><ol><li><p><strong>&#8220;Does my child&#8217;s student ID serve as their username for any school systems?&#8221;</strong></p></li><li><p><strong>&#8220;Are student passwords assigned by the district using a standard pattern, or does each student set their own?&#8221;</strong></p></li></ol><p>If the answer to both is yes, the student IDs exposed in this breach are effectively half a set of login credentials. Ask the district to <strong>reset your child&#8217;s password</strong> across all systems and, if possible, move to a unique password that does not follow a predictable pattern. If your district uses Google or Microsoft SSO with individual passwords, you are in better shape, but change that password anyway.</p><h3><strong>Step 3: Change the Passwords Around Canvas</strong></h3><p>Even if Canvas passwords were not directly compromised, secure the accounts connected to your child&#8217;s school life:</p><ul><li><p><strong>Your child&#8217;s school Google or Microsoft account.</strong> If their school uses SSO, this is the password that unlocks everything. Change it.</p></li><li><p><strong>Your parent portal account</strong> for your school district (PowerSchool, Infinite Campus, etc.). Change it.</p></li><li><p><strong>Your personal email</strong> if it is the same one linked to your parent/observer Canvas account.</p></li></ul><p>If any of these passwords are reused across other sites, change those too.</p><h3><strong>Step 4: If the Student is 18+, Consider Freezing Credit (Good Practice, Not Urgent)</strong></h3><p>This breach did not expose Social Security numbers, so it does not give attackers what they need to open accounts in your child&#8217;s name right now. But a credit freeze is one of the best long-term protections against child identity theft from any source, and it is free. If you have not done this already, this is a reasonable time to take care of it.</p><p><strong>For college students (18+):</strong> This is more directly relevant. Their identities are more fully formed and more immediately useful to a thief. They should freeze their own credit at all three bureaus:</p><ul><li><p><strong>Equifax:</strong> <a href="https://www.equifax.com/personal/credit-report-services/credit-freeze/">equifax.com/personal/credit-report-services/credit-freeze</a></p></li><li><p><strong>Experian:</strong> <a href="https://www.experian.com/freeze/center.html">experian.com/freeze/center.html</a></p></li><li><p><strong>TransUnion:</strong> <a href="https://www.transunion.com/credit-freeze">transunion.com/credit-freeze</a></p></li></ul><h3><strong>Step 5: Watch for Phishing Emails From &#8220;School&#8221;</strong></h3><p>For the next several months, treat any email that appears to come from your child&#8217;s school with extra caution, especially if it asks you to click a link, log in, update payment information, or download an attachment. If something looks off, call the school directly using the phone number from their website, not from the email.</p><p>This is especially true for end-of-year emails about report cards, summer programs, or registration for next year. Scammers will time their phishing to match the school calendar.</p><h3><strong>Step 6: Talk to Your Kids (Especially Teens and College Students)</strong></h3><p>Older students need to know that their Canvas messages may have been exposed. If your college student sent sensitive messages through Canvas (academic concerns, personal issues, accommodation requests), they should be aware that this information could surface. They should also watch for phishing emails impersonating their university and avoid clicking links in any email that references their courses by name.</p><h2><strong>A Note on FERPA</strong></h2><p>Student education records are protected under FERPA (the Family Educational Rights and Privacy Act). When those records are breached, your child&#8217;s <strong>school district</strong> holds the notification obligation, not Instructure. <strong>If your school uses Canvas, your district should be communicating with you about this breach and what they are doing about it. If they have not, ask them.</strong> You have a right to know.</p><h2><strong>The Bottom Line</strong></h2><p>The Canvas breach is real, large, and affects a population that deserves extra protection: children. The good news is that the most dangerous data categories (passwords, SSNs, financial info) were not part of it. The bad news is that the data that was taken (names, emails, student IDs, and private messages) gives attackers the raw material for highly convincing phishing campaigns targeting families.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-someone-just-stole-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-someone-just-stole-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-someone-just-stole-your?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>Three things to do this week:</p><ol><li><p><strong>Be skeptical of school emails</strong> that ask you to click, log in, or pay, especially if they reference your child by name and class. That specificity is exactly what this breach enables. Call the school directly to verify.</p></li><li><p><strong>Ask your district</strong> if your child&#8217;s student ID is used as a username, and whether passwords follow a standard pattern. If yes, request a password reset.</p></li><li><p><strong>Change the passwords</strong> on your child&#8217;s school Google/Microsoft account and your parent portal.</p></li></ol><p>This breach hit the system our kids use every single day. Share this with other parents at your school. They need to know.</p><div><hr></div><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.bleepingcomputer.com/news/security/instructure-confirms-data-breach-shinyhunters-claims-attack/">BleepingComputer: Instructure confirms data breach, ShinyHunters claims attack</a>(May 2026)</p></li><li><p><a href="https://techcrunch.com/2026/05/05/hackers-steal-students-data-during-breach-at-education-tech-giant-instructure/">TechCrunch: Hackers steal students&#8217; data during breach at Instructure</a> (May 2026)</p></li><li><p><a href="https://www.securityweek.com/edtech-firm-instructure-discloses-data-breach/">SecurityWeek: Edtech firm Instructure discloses data breach</a> (May 2026)</p></li><li><p><a href="https://www.fox9.com/news/canvas-data-breach-hackers-claim-info-275-million-users-across-9000-schools">FOX 9: Canvas data breach, hackers claim info of 275 million users</a> (May 2026)</p></li><li><p><a href="https://javelinstrategy.com/press-release/child-identity-fraud-costs-nearly-1-billion-annually-according-new-study-javelin">Javelin Strategy &amp; Research: Child Identity Fraud Study</a> (2021)</p></li><li><p><a href="https://www.equifax.com/personal/credit-report-services/credit-freeze/">Equifax: Credit Freeze</a></p></li><li><p><a href="https://studentprivacy.ed.gov/faq/what-ferpa">U.S. Department of Education: FERPA FAQ</a></p></li></ul><div><hr></div><p><em>Prevent This is a weekly cybersecurity newsletter from Intruvent Technologies. Each week, we break down one cyber threat in plain language and give you the tools to protect yourself and the people you care about. For any feedback or if your company is experiencing a breach and you need help, contact us at contact@intruvent.com</em></p><p></p>]]></content:encoded></item><item><title><![CDATA[Intruvent EDGE: 732 Bytes to Root. A Nine-Year Linux Kernel Bug Just Went Public]]></title><description><![CDATA[CVE-2026-31431 turns nine years of Linux kernels into a one-command root shell]]></description><link>https://edge.intruvent.com/p/intruvent-edge-732-bytes-to-root</link><guid isPermaLink="false">https://edge.intruvent.com/p/intruvent-edge-732-bytes-to-root</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Thu, 30 Apr 2026 19:56:50 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!KKJv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic" length="0" type="image/jpeg"/><content:encoded><![CDATA[<p>Welcome to Intruvent Edge, our bi-weekly technical deep dive into a current cyber threat. If you found us through Prevent This, our weekly community newsletter covering cybersecurity for everyone, you&#8217;re in the right place. Both live on the same Substack. Feel free to share either one. We&#8217;re glad you&#8217;re here!</p><h2><strong>The Vulnerability</strong></h2><p>Yesterday, security researchers at Theori published a complete privilege escalation exploit for CVE-2026-31431, a logic bug in the Linux kernel&#8217;s cryptographic subsystem that has existed since August 2017. <strong>The exploit is a 10-line Python script. It requires no compiled payloads, no version-specific offsets, and no race conditions. It works on every major Linux distribution released in the past nine years.</strong></p><p><strong>Every. Major. Linux. Distribution. </strong></p><p>Linux runs approximately 96% of the world&#8217;s top one million web servers, the majority of cloud infrastructure, most containers and Kubernetes clusters, and billions of IoT and embedded devices. <strong>Conservative estimates place the affected device count in the billions.  With a B.</strong></p><p><strong>This one is bad, and needs your attention.</strong></p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>The vulnerability, nicknamed &#8220;Copy Fail,&#8221; allows any unprivileged local user to gain a root shell in seconds. On a multi-tenant system, a shared Kubernetes cluster, or a CI/CD runner, that means any user with shell access can take complete control of the host.</p><p>A fully weaponized proof-of-concept is already public on GitHub. Exploitation at scale is now a matter of when, not if.  If your home or work uses any affected systems, please read on.  Please forward this to anybody who needs it.</p><h2><strong>How It Works</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!KKJv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!KKJv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!KKJv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!KKJv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!KKJv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!KKJv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:44379,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/196020095?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!KKJv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!KKJv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!KKJv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!KKJv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd2112898-d147-480c-a2d0-d2b667a3a358_1024x1024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><br>Caption suggestion: &#8220;CVE-2026-31431 exploitation flow: from AF_ALG socket to root shell in six steps.&#8221;</p><p>The bug lives in <code>algif_aead.c</code>, a component of the Linux kernel&#8217;s AF_ALG cryptographic socket interface. Specifically, it affects the <code>authencesn</code> algorithm, which handles authenticated encryption with sequence numbers for IPsec.</p><p>Three individually reasonable kernel changes created the vulnerability:</p><ol><li><p><strong>2011:</strong> The <code>authencesn</code> cryptographic wrapper was added for IPsec support</p></li><li><p><strong>2015:</strong> AF_ALG gained AEAD (Authenticated Encryption with Associated Data) socket support, allowing userspace programs to invoke kernel crypto operations</p></li><li><p><strong>2017 (kernel 4.14):</strong> An in-place optimization in commit <code>72548b093ee3</code> placed page cache pages directly into a writable scatterlist</p></li></ol><p>That third change is the fatal one. When the kernel performs an AEAD decrypt operation, <code>authencesn</code> writes a 4-byte sequence number (<code>seqno_lo</code>) past the output buffer boundary via <code>scatterwalk_map_and_copy()</code>. Because the optimization placed page cache pages in the writable scatterlist, those 4 bytes land directly in the page cache.</p><p>The page cache is the kernel&#8217;s in-memory copy of file contents. Every executable you run, every library you load, comes from the page cache. If you can write arbitrary bytes into it, you can corrupt any readable file&#8217;s in-memory representation without touching the on-disk copy.</p><p>The exploit sequence:</p><ol><li><p>Open an AF_ALG socket bound to <code>authencesn(hmac(sha256),cbc(aes))</code></p></li><li><p>Use <code>splice()</code> to feed page cache pages of a setuid binary (such as <code>/usr/bin/su</code>) into the crypto pipeline</p></li><li><p>Construct <code>sendmsg()</code> with shellcode bytes positioned in the AAD at offsets 4 through 7</p></li><li><p>Issue <code>recvmsg()</code>, which triggers AEAD decrypt. The <code>authencesn</code> algorithm writes past the output boundary into the mapped page cache page</p></li><li><p>The HMAC verification fails and returns <code>EBADMSG</code>, but the write has already occurred and persists</p></li><li><p>Execute the corrupted setuid binary. The kernel loads it from page cache. Shellcode runs as root.</p></li></ol><p>The entire sequence fits in 732 bytes of Python using only the <code>os</code>, <code>socket</code>, and <code>zlib</code>standard library modules.</p><h2><strong>Why This Is Worse Than Dirty Pipe</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!a8mU!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!a8mU!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!a8mU!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!a8mU!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!a8mU!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!a8mU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:76213,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/196020095?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!a8mU!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!a8mU!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!a8mU!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!a8mU!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F71ac4e87-90d7-46e1-9b0f-a086c75afb9f_1024x1024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>Security professionals will immediately compare CVE-2026-31431 to Dirty Pipe (CVE-2022-0847) and Dirty COW (CVE-2016-5195), the two most notorious Linux kernel privilege escalation vulnerabilities of the past decade. Copy Fail is worse than both.</p><p><strong>Dirty COW</strong> required winning a race condition. Exploitation was probabilistic and often crashed the target system. Copy Fail has no race condition. The exploit is deterministic and 100% reliable.</p><p><strong>Dirty Pipe</strong> required knowledge of specific kernel version offsets and was limited to kernels 5.8 through 5.16 (roughly an 18-month window). Copy Fail requires no offsets and works across a nine-year window of kernel versions, from 4.14 through current mainline.</p><p><strong>Both</strong> left forensic evidence that file integrity monitoring tools could detect. Copy Fail corrupts only the in-memory page cache. The page is never marked dirty for writeback, so the on-disk file remains pristine. Inotify sees nothing. AIDE sees nothing. OSSEC sees nothing. Tripwire sees nothing.</p><p>One additional dimension makes this especially dangerous in modern infrastructure: the page cache is shared across the entire host, including all containers running on that host. A process inside a Kubernetes pod can corrupt the page cache entry of a setuid binary on the host filesystem. Copy Fail functions as a container escape primitive that bypasses namespace isolation entirely.</p><h2><strong>What&#8217;s Affected</strong></h2><p>Every Linux distribution shipping a kernel from version 4.14 (August 2017) onward is vulnerable unless patched. Confirmed affected systems include:</p><ul><li><p><strong>Ubuntu 24.04 LTS</strong> (kernel 6.17.0-1007-aws)</p></li><li><p><strong>Amazon Linux 2023</strong> (kernel 6.18.8-9.213.amzn2023)</p></li><li><p><strong>RHEL 10.1</strong> (kernel 6.12.0-124.45.1.el10_1)</p></li><li><p><strong>SUSE 16</strong> (kernel 6.12.0-160000.9-default)</p></li><li><p><strong>Rocky Linux 9.7</strong> (confirmed independently by Solar Designer)</p></li><li><p><strong>Debian, Arch Linux, Fedora, Oracle Linux</strong></p></li><li><p>Embedded Linux distributions used in IoT, networking equipment, and industrial systems</p></li></ul><p><strong>Not affected:</strong> RHEL 6 and 7 (kernel versions predate the vulnerable commit), and Ubuntu 26.04 (Resolute) which ships a patched kernel.</p><p>Linux runs approximately 96% of the world&#8217;s top one million web servers, the majority of cloud infrastructure, most containers and Kubernetes clusters, and billions of IoT and embedded devices. Conservative estimates place the affected device count in the billions.</p><h2><strong>Detection Is Hard</strong></h2><p>Traditional security tooling is largely blind to this attack. The corruption happens entirely in kernel memory, with no disk writes, no file modifications, and no network traffic.</p><p><strong>Will NOT detect exploitation:</strong></p><ul><li><p>File integrity monitoring (AIDE, OSSEC, Tripwire, Samhain)</p></li><li><p>Inotify-based watchers</p></li><li><p>Hash-based allowlisting tools</p></li><li><p>Standard auditd file access rules</p></li></ul><p><strong>CAN detect exploitation:</strong></p><ul><li><p><strong>eBPF-based monitoring</strong> that tracks AF_ALG socket creation and <code>splice()</code> calls targeting setuid binaries</p></li><li><p><strong>Falco/Sysdig rules</strong> detecting SOCK_SEQPACKET AF_ALG socket creation from unexpected processes</p></li><li><p><strong>Auditd rules</strong> configured to audit <code>socket()</code> calls with AF_ALG family (family 38)</p></li><li><p><strong>Behavioral detection</strong> looking for <code>EBADMSG</code> return codes from AEAD operations followed by execution of setuid binaries</p></li></ul><p>A community detection toolkit is already available on <a href="https://github.com/kadir/copy-fail-CVE-2026-31431-IOC">GitHub</a>, including Falco rules, auditd configurations, and an eBPF monitor.</p><p>The key behavioral sequence to detect:</p><ol><li><p>AF_ALG socket creation by a non-root, non-crypto process</p></li><li><p><code>splice()</code> calls feeding a setuid binary into that socket</p></li><li><p><code>recvmsg()</code> returning EBADMSG</p></li><li><p><code>execve()</code> of the same setuid binary shortly after</p></li></ol><p>Any security operations team monitoring Linux hosts should deploy at minimum the auditd rule for AF_ALG socket creation today.</p><h2><strong>Patch and Mitigation</strong></h2><h3><strong>The Fix</strong></h3><p>The upstream kernel team committed the fix on April 1, 2026 (commit <code>a664bf3d603d</code>). The patch reverts <code>algif_aead.c</code> to out-of-place AEAD operation, permanently separating the TX scatterlist from the RX scatterlist so that page cache pages can never be placed in a writable context.</p><p>Patched kernel versions: 7.0+, 6.19.12+, 6.18.22+.</p><p>As of today, Debian, Ubuntu, and SUSE have issued patched packages. Red Hat initially deferred the patch but has since reversed course.</p><h3><strong>Interim Mitigation (If You Cannot Patch Immediately)</strong></h3><p>The simplest and most effective mitigation is to disable the <code>algif_aead</code> kernel module:</p><pre><code><code># Prevent the module from loading
echo "install algif_aead /bin/false" &gt; /etc/modprobe.d/disable-algif-aead.conf

# Unload if currently loaded
sudo rmmod algif_aead 2&gt;/dev/null</code></code></pre><p>This does NOT affect dm-crypt/LUKS, kTLS, IPsec/XFRM, OpenSSL, GnuTLS, NSS, or SSH. Most systems never load this module at all. The only software that uses AF_ALG AEAD sockets is <code>libkcapi</code> and a small number of specialized cryptographic testing tools.</p><p><strong>For containerized environments:</strong> Block AF_ALG socket creation via seccomp profiles on all pods, CI/CD runners, and container workloads. The exploit requires opening an AF_ALG socket as its first step; blocking that syscall prevents exploitation entirely.</p><pre><code><code>{
  "names": ["socket"],
  "action": "SCMP_ACT_ERRNO",
  "args": [
    {
      "index": 0,
      "value": 38,
      "op": "SCMP_CMP_EQ"
    }
  ]
}</code></code></pre><p>This blocks <code>socket(AF_ALG, ...)</code> calls. AF_ALG is protocol family 38.</p><h2><strong>Timeline</strong></h2><p><strong>DateEvent</strong>August 2017Vulnerable commit introduced in kernel 4.14March 23, 2026Theori reports vulnerability to Linux kernel security teamMarch 24, 2026Kernel team acknowledges the reportMarch 25, 2026Patches proposed and reviewedApril 1, 2026Fix committed to mainlineApril 22, 2026CVE-2026-31431 assignedApril 23, 2026NVD publishes CVE detailsApril 29, 2026Full public disclosure with proof-of-conceptApril 30, 2026CERT-EU publishes Security Advisory 2026-005</p><p>The 37-day window between the fix commit and public disclosure gave major distributions time to prepare patches. Whether your organization has applied them is another question.</p><h2><strong>Who Found It</strong></h2><p>Taeyang Lee of Theori, a South Korean security research firm, discovered the vulnerability. The Xint Code Research Team subsequently used AI-assisted analysis to scale the initial finding into a complete exploitation chain in approximately one hour, demonstrating how quickly modern tooling can weaponize a vulnerability once the root cause is understood.</p><p>Alexander Peslyak (Solar Designer), founder of the Openwall Project and one of the most respected voices in Linux security, independently confirmed exploitation on Rocky Linux 9.7.</p><h2><strong>What You Should Do Today</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!fYuV!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!fYuV!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!fYuV!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!fYuV!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!fYuV!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!fYuV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:78667,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/196020095?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!fYuV!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!fYuV!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!fYuV!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!fYuV!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4652020a-b032-4264-93b8-7ac9e55657b7_1024x1024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p><strong>1. Check if you&#8217;re affected.</strong> Any system running a kernel from 4.14 onward that has not applied the latest security updates is vulnerable. Run <code>uname -r</code> and check against your distribution&#8217;s security advisory.</p><p><strong>2. Apply patches if available.</strong> Debian, Ubuntu, and SUSE have issued fixes. If patched packages are available, apply them immediately. A public PoC exists and exploitation is trivial.</p><p><strong>3. Deploy the module mitigation on unpatched systems.</strong> If you cannot patch within 24 hours, disable <code>algif_aead</code> with the modprobe rule above. This closes the attack vector at negligible operational cost.</p><p><strong>4. Harden container workloads.</strong> Add AF_ALG socket blocking to your seccomp profiles. If you operate Kubernetes clusters, update your PodSecurityPolicies or OPA/Gatekeeper constraints to block protocol family 38.</p><p><strong>5. Deploy detection.</strong> At minimum, add an auditd rule for AF_ALG socket creation. For higher-fidelity detection, deploy the eBPF monitor from the community toolkit.</p><p><strong>6. Audit multi-tenant systems first.</strong> Shared hosting environments, CI/CD runners, Kubernetes clusters, and any system where untrusted users have shell access are the highest-priority targets. The vulnerability requires only local access.</p><p><strong>7. Do not rely on file integrity monitoring.</strong> If your security strategy for Linux hosts depends primarily on hash-based FIM tools, this vulnerability bypasses that layer entirely. Update your detection architecture.</p><h2><strong>The Bigger Picture</strong></h2><p>Copy Fail is a reminder that kernel attack surface accumulates invisibly over time. The three code changes that created this vulnerability were each reasonable in isolation. The dangerous interaction between them went undetected for nine years, hidden behind a kernel subsystem that most security researchers never examine because &#8220;it&#8217;s just crypto plumbing.&#8221;</p><p>The exploit&#8217;s simplicity is the real story. A 10-line Python script with no dependencies achieving deterministic root on nine years of kernels is the kind of vulnerability that shifts the risk calculus for any organization running multi-tenant Linux infrastructure. Patch today.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-732-bytes-to-root?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-732-bytes-to-root?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/intruvent-edge-732-bytes-to-root?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p><strong>Sources</strong></p><ul><li><p><a href="https://xint.io/blog/copy-fail-linux-distributions">Xint Code: &#8220;Copy Fail: 732 Bytes to Root on Every Major Linux Distribution&#8221;</a> (original technical disclosure)</p></li><li><p><a href="https://cert.europa.eu/publications/security-advisories/2026-005/">CERT-EU Security Advisory 2026-005</a></p></li><li><p><a href="https://nvd.nist.gov/vuln/detail/CVE-2026-31431">NVD: CVE-2026-31431</a></p></li><li><p><a href="https://www.sysdig.com/blog/cve-2026-31431-copy-fail-linux-kernel-flaw-lets-local-users-gain-root-in-seconds">Sysdig: CVE-2026-31431 Analysis</a></p></li><li><p><a href="https://www.helpnetsecurity.com/2026/04/30/copyfail-linux-lpe-vulnerability-cve-2026-31431/">Help Net Security: Nine-year-old Linux kernel flaw</a></p></li><li><p><a href="https://www.theregister.com/2026/04/30/linux_cryptographic_code_flaw/">The Register: Linux cryptographic code flaw offers fast route to root</a></p></li><li><p><a href="https://socradar.io/blog/cve-2026-31431-copy-fail-nine-year-linux-bug/">SOCRadar: CVE-2026-31431 Copy Fail Analysis</a></p></li><li><p><a href="https://www.bugcrowd.com/blog/what-we-know-about-copy-fail-cve-2026-31431/">Bugcrowd: What We Know About Copy Fail</a></p></li><li><p><a href="https://github.com/kadir/copy-fail-CVE-2026-31431-IOC">Community Detection Toolkit (GitHub)</a></p></li><li><p><a href="https://github.com/theori-io/copy-fail-CVE-2026-31431">Theori PoC Repository (GitHub)</a></p></li></ul><div><hr></div><h2><strong>Free Linux Security Assessment</strong></h2><p>Copy Fail is the latest in a growing list of Linux kernel privilege escalations (Dirty COW, Dirty Pipe, StackRot, and now Copy Fail) that bypass traditional detection. If your organization relies on Linux for production workloads, we can help you assess your exposure.</p><p><strong>Shoot us an email at: contact@intruvent.com to book a 30 minute assessment discussion.</strong></p><p>We also offer:</p><ul><li><p>Linux kernel vulnerability exposure assessments</p></li><li><p>Container security and Kubernetes hardening reviews</p></li><li><p>Detection engineering for kernel-level threats</p></li><li><p>Managed threat hunting across your Linux infrastructure</p></li></ul>]]></content:encoded></item><item><title><![CDATA[Prevent This: Life Event Scams]]></title><description><![CDATA[Grief, divorce, illness, job loss. Scammers have a playbook for all of them. We have a playbook to counter it.]]></description><link>https://edge.intruvent.com/p/prevent-this-life-event-scams</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-life-event-scams</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 28 Apr 2026 19:14:35 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!w8OP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!w8OP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!w8OP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 424w, https://substackcdn.com/image/fetch/$s_!w8OP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 848w, https://substackcdn.com/image/fetch/$s_!w8OP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!w8OP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!w8OP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg" width="1024" height="679" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:679,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:119085,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/195785838?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fcba9b8ef-b0ee-4909-a1f7-a57ad9f1616b_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!w8OP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 424w, https://substackcdn.com/image/fetch/$s_!w8OP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 848w, https://substackcdn.com/image/fetch/$s_!w8OP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!w8OP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0852b8f6-02d6-41df-a390-9d033b746cb6_1024x679.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>A reader of this newsletter reached out to me this week with two stories that really hit home with me.</p><p>The first: <strong>several of her friends, all women in their 70s and 80s, have been targeted by scammers after their husbands passed away</strong>. Accounts taken over. Identities stolen. Fraud that started within days of the obituary going live. She wanted to know if this was a known pattern or just terrible luck.</p><p>It is a known pattern. A well-documented, growing, and organized one. We will get into the details below.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>The second: <strong>she received a suspicious email claiming a close friend was in the hospital and needed help. When she responded, the person on the other end seemed to know a lot about her friend, enough that it felt real</strong>. They described the injury, referenced details that checked out. Then they asked her to send DoorDash gift cards to help cover expenses while her friend recovered.</p><p>That is where her training kicked in. As a reader of Prevent This, she recognized the gift card request for what it was: the unmistakable fingerprint of a scam. No hospital, no doctor, no friend in genuine need has ever asked for DoorDash gift cards. She did not send them.</p><p>But the experience shook her. <em>The scammer knew too much. The story was too specific</em>. <strong>And she asked the question that inspired this edition: what can I do right now, today, to make sure I do not become an actual victim?</strong></p><p>This newsletter is the answer. <strong>Part 1 covers the bereavement scam</strong> pattern and what to do if you or someone you love is going through a loss. <strong>Part 2 is a quick-start security checkup</strong>, the essentials that anyone can knock out today to raise their baseline protection.</p><p>Her friends&#8217; experiences are far from unique. Here is what the pattern looks like when it shows up in the news.</p><div><hr></div><h2>What Happened?</h2><p>A suburban Chicago widow published her husband&#8217;s obituary in January. By April, someone had quietly forwarded her mail to an unknown Chicago address without her knowledge. Fraudulent credit card charges started appearing: a hotel in Atlanta, tickets to the Atlanta Aquarium, $200 for cleaning services she never ordered. Scammers also attempted to open new credit cards in her name.</p><p><strong>She caught it. Many do not</strong>.</p><p>The U.S. Postal Inspection Service reversed the mail forwarding and opened an investigation, but the damage extended beyond dollars. As the victim told NBC Chicago: &#8220;The emotional impact of this, even though there wasn&#8217;t any financial impact, is not going to go away for a while.&#8221;</p><p>She is far from alone. A 77-year-old widow named Marjorie Bloom received a call from someone claiming to be a &#8220;fraud investigator&#8221; at her bank. Over the following weeks, at the caller&#8217;s instruction, she liquidated everything: savings, stocks, an annuity. The total: $661,000. The scammer told her not to tell anyone, including her children, claiming secrecy was necessary to protect the investigation. By the time she realized what had happened, her entire nest egg was gone.</p><p>In Georgia, identity thieves used an obituary to redirect a deceased man&#8217;s mail just two days after his death, then opened new lines of credit in his name before his family had finished planning the funeral.</p><p>These are not isolated incidents. They are a pattern, and the pattern is accelerating.</p><div><hr></div><h2>Why Should You Care?</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!plkT!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!plkT!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!plkT!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!plkT!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!plkT!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!plkT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:78678,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/195785838?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!plkT!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!plkT!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!plkT!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!plkT!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F9017ebf5-ef7d-4087-b294-e8cd52c0e196_1024x1024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The numbers tell a grim story:</p><ul><li><p>$7.7 billion lost by Americans 60 and older to internet crime in 2025, up 60% from 2024 (FBI IC3)</p></li><li><p>2.5 million deceased Americans have their identities stolen annually (ID Analytics study, corroborated by TIME and NBC News)</p></li><li><p>167% increase in fraudulent mail forwarding between 2020 and 2021 (U.S. Postal Inspection Service)</p></li><li><p>$584 million in romance and confidence scam losses targeting older adults in 2025 alone (FBI IC3)</p></li><li><p>The FTC estimates actual elder fraud losses may reach $81.5 billion per year when accounting for unreported cases</p></li></ul><p>The FBI, FTC, AARP, multiple state attorneys general, and the VA have all issued specific warnings about scams targeting the recently bereaved. The FBI&#8217;s El Paso field office published a dedicated alert on &#8220;bereavement scams.&#8221; Michigan&#8217;s Attorney General warned the public about &#8220;obituary pirates&#8221; who scrape death notices. The LA County District Attorney&#8217;s office issued a fraud alert specifically about obituary-based targeting.</p><p>The pattern is organized, documented, and growing. And the people hit hardest are those least equipped to fight back: elderly widows navigating finances alone, often for the first time, during the worst period of their lives.</p><div><hr></div><h2>How Does This Work?</h2><p><strong>Think of it like reconnaissance before a burglary, except the reconnaissance is public and free.</strong></p><p><strong>The obituary is ground zero. A typical obituary contains the deceased&#8217;s full name, date and place of birth, mother&#8217;s maiden name, home city, surviving family members, workplace history, church and club memberships, and the date, time, and location of funeral services.</strong> That is enough information to answer most security questions, build a complete social engineering profile, and even plan a physical burglary of a home that will be empty during the service.</p><p>The Better Business Bureau has warned directly: &#8220;They&#8217;re putting too much info into obituaries, especially mother&#8217;s maiden names and things like that actually needed for identity theft.&#8221;</p><p>But obituaries are only the start. Scammers have multiple channels feeding them targets:</p><p><strong>Data brokers sell lists of the recently widowed</strong>. According to reporting from Komando.com and the Brennan Center for Justice, data brokers compile and sell categorized lists that include &#8220;Suffering Seniors&#8221; and lists sorted by life events, including bereavement. Scammers buy these lists because, as one analysis noted, &#8220;they assume there&#8217;s a life insurance payout and someone navigating money alone for the first time.&#8221; The CFPB proposed a rule in 2024 to restrict these sales. It was withdrawn in 2025. There is currently no federal regulation preventing this practice.</p><p><strong>Probate records are public.</strong> In most U.S. jurisdictions, probate filings include heir names and addresses, detailed asset inventories, property descriptions, and executor contact information. Scammers monitor these filings to build target lists.</p><p>Social media fills in the gaps. Memorial posts, condolence threads, and tribute pages provide additional personal details that supplement what the obituary reveals. They also give romance scammers a way to identify and contact the surviving spouse.</p><p><strong>AI makes all of this worse. According to Blackbird.AI research, threat actors now use language models to extract personal data from obituaries at scale</strong>, cross-reference it with news articles and social media, generate complete character profiles of plausible friends or acquaintances of the deceased, and craft messages with fabricated but contextually accurate &#8220;shared memories.&#8221; The FBI&#8217;s 2025 IC3 report documented over $893 million in AI-linked fraud losses, with older adults accounting for $352 million.</p><p>Once a target is identified, the attacks come in several forms:</p><p>&#8220;Ghosting&#8221; the deceased: Opening credit cards, taking loans, or filing tax returns using the dead person&#8217;s identity before financial institutions are notified. There is a gap between the time of death and when SSN databases are updated, and scammers exploit it.</p><p>Account takeover of the surviving spouse: Redirecting mail, resetting passwords, and draining accounts using obituary-sourced personal details and security question answers.</p><p>The Phantom Hacker: A three-phase scam where the victim is contacted first by a fake tech support agent, then by a fake bank representative, and finally by a fake government official, each reinforcing the last. This scam has stolen over $1 billion from seniors since 2024.</p><p>Romance scams: Scammers identify recently widowed individuals and initiate contact through dating sites, Facebook, or even &#8220;condolence&#8221; emails. They build emotional dependency over weeks or months before introducing financial requests.</p><p>Fake debt collectors: Callers claim the deceased had outstanding debts and pressure the surviving spouse for payment. In reality, the estate (not the survivor) generally bears liability for a deceased person&#8217;s debts unless the survivor was a co-signer or joint account holder.</p><div><hr></div><h2>What Can You Do?</h2><p>Whether you are the person grieving, or you are looking out for someone who is, these steps can close the gaps that scammers exploit.</p><h4>If You (or Someone You Know) Have Recently Lost a Loved One</h4><h4>In the first week:</h4><p>1. Contact the Social Security Administration (800-772-1213) to report the death. This starts the process of flagging the SSN.</p><p>2. Notify all three credit bureaus and request a death notice on the deceased&#8217;s credit file:</p><p>   Equifax: 800-525-6285</p><p>   Experian: 888-397-3742</p><p>   TransUnion: 800-680-7289</p><p>3. Notify every financial institution where the deceased held an account: banks, credit cards, investment accounts, insurance companies. Ask that closed accounts be listed as &#8220;Closed: Account holder is deceased.&#8221;</p><p>4. Send a copy of the death certificate to the IRS to flag the deceased&#8217;s tax account against fraudulent returns.</p><p>5. Secure the mail. Lock the mailbox. Monitor for unexpected forwarding notices. Consider a P.O. Box for sensitive mail during the transition.</p><p>6. Cancel the deceased&#8217;s driver&#8217;s license with the DMV to prevent it from being used as identification.</p><h4>In the first month:</h4><p>7. Pull a credit report for the deceased and review it for unfamiliar accounts. Pull another one in three to six months.</p><p>8. Monitor or memorialize the deceased&#8217;s social media accounts. Unmonitored accounts leak personal information and become targets for impersonation.</p><p>9. Close or secure the deceased&#8217;s email accounts. An active, unmonitored email address is a gateway to password resets on every linked service.</p><h4>Protect the Surviving Spouse</h4><p>10. Enable multi-factor authentication on every account: email, banking, social media. Authenticator apps are better than SMS, but SMS is better than nothing.</p><p>11. Set up credit monitoring and fraud alerts on your own accounts, not just the deceased&#8217;s.</p><p>12. Remove personal information from data broker sites. Services like DeleteMe or Privacy Duck handle this, or you can manually opt out from sites like Spokeo, WhitePages, and BeenVerified.</p><p>13. Treat every unsolicited contact with suspicion, especially anyone referencing the deceased, claiming to be from a bank, or presenting an urgent financial situation.</p><p>14. Never allow remote access to your computer based on a phone call, pop-up, or email you did not initiate.</p><p>15. Designate a &#8220;verification buddy.&#8221; Any financial request, transaction, or decision gets run past a trusted family member before you act. Scammers rely on isolation and secrecy; a second opinion breaks that cycle.</p><h4>Write a Safer Obituary</h4><p>16. Leave out: date of birth, mother&#8217;s maiden name, home address, specific funeral times and locations (use &#8220;private services&#8221; or share details only with those who call the funeral home directly).</p><p>17. Include instead: the person&#8217;s life story, accomplishments, and character. None of that information helps a scammer.</p><h4>For Family Members: Have the Conversation Now</h4><p>Do not wait until someone dies. Talk to your parents, grandparents, aunts, and uncles about these scams now, while the conversation is calm and theoretical.</p><p>Agree on a verification process for unexpected financial contacts.</p><p>Offer to review the obituary before it is published.</p><p>Set up monitoring on shared or connected accounts.</p><p>Know the reporting numbers (below) so you are not searching for them during a crisis.</p><div><hr></div><h2>Part 2: The Essentials, a Quick-Start Security Checkup</h2><p>This is the part our reader was really asking about. She spotted the DoorDash gift card scam because she knew the signs. But the fact that the scammer knew so much about her friend bothered her. Where did they get those details? How personalized can these attacks get? And what can she do right now to reduce the chances that she, or someone she cares about, becomes the next target?</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!7bM4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!7bM4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!7bM4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!7bM4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!7bM4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!7bM4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/f495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:320016,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/195785838?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!7bM4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 424w, https://substackcdn.com/image/fetch/$s_!7bM4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 848w, https://substackcdn.com/image/fetch/$s_!7bM4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 1272w, https://substackcdn.com/image/fetch/$s_!7bM4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Ff495d0bc-4dc8-498f-a8d0-584d0f6d11ff_1200x896.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The honest answer: there is no single checklist that makes you bulletproof. Digital security is layered, and a full lockdown covers far more ground than we can fit in one newsletter. But most account takeovers succeed not because the attacker was sophisticated, but because the victim reused a password from a breach they never knew about, or never turned on two-factor authentication. Those are basics, and basics matter.</p><p><strong>What follows are the highest-impact steps you can take today. Think of it as tightening the locks on the front door, not installing a full alarm system.</strong> It will not stop every threat, but it will stop the most common ones and make you a harder target than the person who skipped this section.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PBUP!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PBUP!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!PBUP!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!PBUP!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!PBUP!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PBUP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:132637,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/195785838?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PBUP!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 424w, https://substackcdn.com/image/fetch/$s_!PBUP!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 848w, https://substackcdn.com/image/fetch/$s_!PBUP!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 1272w, https://substackcdn.com/image/fetch/$s_!PBUP!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F348857a1-81fe-4894-a32f-09f993224217_1024x1024.heic 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><h3>Step 1: Check Your Passwords for Breaches</h3><p>If you use an iPhone, iPad, or Mac, Apple has a built-in tool that does this for you. No downloads, no subscriptions required.</p><p>How to use Apple Passwords:</p><p>1. Open the Passwords app (iOS 18+ and macOS Sequoia) or go to Settings &gt; Passwords on older devices.</p><p>2. Look for the Security section at the top. Apple automatically flags three categories:</p><p>   Compromised Passwords: These appeared in a known data breach. Change them immediately.</p><p>   Reused Passwords: The same password used on multiple sites. If one site is breached, every account sharing that password is exposed.</p><p>   Weak Passwords: Short, predictable, or commonly used passwords that are easy to guess.</p><p>3. Tap any flagged entry. Apple provides a Change Password link that takes you directly to the site&#8217;s password reset page.</p><p>4. When you create the replacement, let Apple generate a strong password for you. It saves automatically to your keychain and syncs across your devices.</p><p>Not an Apple user? Google Password Manager (built into Chrome) has the same feature at passwords.google.com. Go to Password Checkup and it will flag compromised, reused, and weak passwords. Samsung users can check via Samsung Pass in device settings.</p><div><hr></div><h3>Step 2: Change Any Password Older Than One Year</h3><p>Even if a password has not appeared in a known breach, old passwords carry risk. Breaches are not always disclosed immediately, and some are never made public at all. A password that looks clean today may have been compromised months ago.</p><p>Work through your password manager and sort by &#8220;last changed&#8221; date. Any password older than 12 months should be updated. Prioritize these accounts first:</p><ul><li><p>Email (this is the master key to everything else; password resets flow through it)</p></li><li><p>Banking and financial accounts</p></li><li><p>Health insurance and medical portals</p></li><li><p>Government accounts (SSA, IRS, state tax portals)</p></li><li><p>Social media (Facebook, Instagram, LinkedIn)</p><p></p><p>Let your password manager generate each new password. Long, random, and unique to every site.</p></li></ul><div><hr></div><h3>Step 3: Turn On Two-Factor Authentication Everywhere</h3><p>A strong password alone is not enough. Two-factor authentication (2FA) adds a second layer: even if someone steals your password, they cannot get in without the second factor.</p><h4>Where to enable it (in priority order):</h4><p>1. Email (Gmail, iCloud, Outlook, Yahoo)</p><p>2. Banking and financial apps</p><p>3. Social media (Facebook, Instagram, LinkedIn, X)</p><p>4. Shopping accounts that store payment information (Amazon, PayPal)</p><p>5. Cloud storage (iCloud, Google Drive, Dropbox)</p><h4>Which 2FA method to use:</h4><p>Best: A hardware security key (YubiKey) or passkeys (supported by Apple, Google, and Microsoft). These are phishing-resistant.</p><p>Good: An authenticator app (Apple&#8217;s built-in Passwords app supports verification codes, as do Google Authenticator and Microsoft Authenticator).</p><p>Acceptable: SMS text codes. Vulnerable to SIM-swapping attacks, but still far better than no 2FA at all.</p><p>Apple Passwords tip: When you set up 2FA for a site, Apple Passwords can store and auto-fill your verification codes. During the 2FA setup process, choose &#8220;Set Up Verification Code&#8221; when you scan the QR code, and your codes will auto-fill alongside your passwords going forward. No separate authenticator app needed.</p><div><hr></div><h3>Step 4: Scan Your Devices for Malicious Software</h3><p>Scammers do not always ask for your information directly. Malware, keyloggers, and spyware can quietly capture passwords, banking credentials, and personal data in the background.</p><h4>On a Mac:</h4><p>Make sure your operating system is up to date (System Settings &gt; General &gt; Software Update). macOS includes built-in malware protection (XProtect) that updates silently, but it only works if your system is current.</p><p>Review your installed applications (Finder &gt; Applications). If you see anything you do not recognize or did not install, research it before keeping it.</p><p>Consider running a scan with Malwarebytes for Mac (free version available). It catches threats that slip past built-in protections.</p><h4>On an iPhone/iPad:</h4><p>Keep iOS updated (Settings &gt; General &gt; Software Update).</p><p>Review installed apps and delete anything unfamiliar.</p><p>Check Settings &gt; General &gt; VPN &amp; Device Management for any profiles you did not install. Unknown profiles can be a sign of compromise.</p><h4>On Windows:</h4><p>Run Windows Security &gt; Virus &amp; threat protection &gt; Quick scan.</p><p>Make sure Real-time protection is turned on.</p><p>Check your browser extensions and remove any you do not recognize.</p><p>For everyone:</p><p>Check your browser extensions (in Chrome: three dots menu &gt; Extensions; in Safari: Settings &gt; Extensions). Remove anything you did not install or no longer use. Malicious browser extensions are one of the most common ways attackers capture credentials.</p><div><hr></div><h3>The Quick-Start Checklist</h3><p>These are the essentials. Print this out. Tape it to the fridge. Hand it to your parents next time you visit.</p><ol><li><p><strong>Open Apple Passwords (or your password manager) and fix every flagged password</strong></p></li><li><p><strong>Change any password you have not updated in the past 12 months</strong></p></li><li><p><strong>Turn on two-factor authentication for email, banking, and social media</strong></p></li><li><p><strong>Run a malware scan on your computer</strong></p></li><li><p><strong>Review and remove unfamiliar browser extensions</strong></p></li><li><p><strong>Delete apps you no longer use from your phone</strong></p></li><li><p><strong>Check for unknown device management profiles on your phone</strong></p></li></ol><p>This is not a complete security overhaul. There is more you can do: removing your information from data broker sites, setting up credit monitoring and fraud alerts, reviewing your privacy settings on social media, and hardening your home network. We will cover those in future editions.</p><p>But these seven steps hit the highest-impact areas. Most attacks succeed because one of these basics was left undone. Fifteen minutes now raises the bar for anyone trying to get in.</p><p>Thanks for reading, I hope this newsletter helped you.  If it did, or if you know anyone who needs this info, please forward this to them!</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-life-event-scams?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-life-event-scams?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-life-event-scams?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><div><hr></div><p>Research Sources:</p><p>Intruvent CTI Cloud</p><p>FBI Internet Crime Complaint Center, 2025 Annual Report ($7.7B in elder fraud losses)</p><p>FBI El Paso Field Office, &#8220;Bereavement Scams&#8221; public warning</p><p>FTC, &#8220;Protecting Older Consumers 2024-2025&#8221; report to Congress</p><p>AARP Fraud Watch Network, &#8220;Obituary Scams Target Grieving Loved Ones&#8221;</p><p>Blackbird.AI, &#8220;AI-Powered Obituary Scams &amp; Targeted Phishing&#8221;</p><p>NBC Chicago, &#8220;Obit Scam: Illinois Widow Targeted&#8221; (case study)</p><p>CNBC, &#8220;How One Retired Woman Lost Her Life Savings&#8221; (Marjorie Bloom case)</p><p>Experian, &#8220;What You Need to Know About Obituaries and Identity Theft&#8221;</p><p>Komando.com / Brennan Center for Justice, data broker targeting practices</p><p>ID Analytics / TIME / NBC News, 2012 study on deceased identity theft (2.5M annually)</p><p>New York Department of State, &#8220;Ghosting&#8221; identity theft of the deceased</p><p>Aura, &#8220;Identity Theft of a Deceased Person&#8221; (Georgia widow case)</p><p>Michigan Attorney General, &#8220;Obituary Pirates&#8221; warning</p><p>LA County District Attorney, &#8220;Obituary Scams Target Grieving Families&#8221;</p><p>U.S. Department of Veterans Affairs, surviving family member scam warnings</p><p>Malwarebytes, &#8220;Data Broker Protection Rule Quietly Withdrawn by CFPB&#8221;</p><p>USPS Office of Inspector General, change-of-address fraud report (167% increase, 2020-2021)</p><p>Apple, &#8220;Passwords app&#8221; and iCloud Keychain documentation</p><p>Last Updated: April 28, 2026</p><p></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: They Stole Everything. They Encrypted Nothing]]></title><description><![CDATA[Ransomware attacks without ransomware. Data theft without detection. The threat actors are already changing their playbook. Can you keep up?]]></description><link>https://edge.intruvent.com/p/prevent-this-they-stole-everything</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-they-stole-everything</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 21 Apr 2026 18:17:34 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!jst9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>What Happened?</h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!jst9!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!jst9!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 424w, https://substackcdn.com/image/fetch/$s_!jst9!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 848w, https://substackcdn.com/image/fetch/$s_!jst9!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 1272w, https://substackcdn.com/image/fetch/$s_!jst9!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!jst9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png" width="1024" height="592" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:592,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:996509,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194939987?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F32fed796-d291-411b-b7b9-692e2d95d77f_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!jst9!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 424w, https://substackcdn.com/image/fetch/$s_!jst9!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 848w, https://substackcdn.com/image/fetch/$s_!jst9!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 1272w, https://substackcdn.com/image/fetch/$s_!jst9!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa1afbec2-e1cf-4b62-a109-543375c58514_1024x592.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>In January 2026, the Clop ransomware group published 43 new victims to its leak site in a single 24-hour period. Among them: Hilton, The Weather Company, multiple law firms, managed service providers, financial institutions, and universities across the U.S., U.K., Europe, Canada, and New Zealand.</p><p><strong>The attackers never encrypted a single file. They did not need to.</strong> They exploited vulnerabilities in file transfer software, extracted sensitive data, and threatened to publish it. Pay up or your data goes public.</p><p>This was not an anomaly. It was the new playbook.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p></p><p>Clop pioneered this approach at scale with the MOVEit Transfer campaign in 2023, impacting approximately 2,000 organizations and 17 million individuals without deploying any encryption. They have continued refining the model ever since.</p><p>The BianLian group followed the same evolution. After a free decryptor neutralized their encryption capability in 2023, BianLian pivoted entirely to stealing data and demanding payment to keep it private. Their ransom demands have climbed from an average of $100,000 to $350,000 to around $3 million per victim. No encryption required.</p><p>And they are not alone. Karakurt. RansomHouse.  A growing number of threat actors have abandoned encryption entirely. They steal your data, send you a ransom note, and wait. If you do not pay, your files appear on a leak site for competitors, criminals, and regulators to find.</p><h2>Why Should You Care?</h2><p>The numbers show a dramatic shift:</p><p><strong>Elevenfold increase:</strong> Data extortion-only attacks rose from 2% of incident response cases to 22% between November 2024 and November 2025</p><ul><li><p><strong>6,182 extortion attacks</strong> occurred in 2025, a 23% increase over 2024, with data-theft-only attacks driving the growth</p></li><li><p><strong>6% of ransomware attacks</strong> in 2025 involved no encryption at all, double the 3% seen in 2024</p></li><li><p><strong>Average dwell time</strong> for exfiltration attacks can stretch to weeks or months, compared to hours or days for encryption attacks</p></li><li><p><strong>94% of leaked passwords </strong>are reused across multiple accounts, giving attackers easy paths from one breach to your network</p></li></ul><p>Here is what makes this worse: your backup strategy will not help you.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!pPnB!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!pPnB!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 424w, https://substackcdn.com/image/fetch/$s_!pPnB!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 848w, https://substackcdn.com/image/fetch/$s_!pPnB!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 1272w, https://substackcdn.com/image/fetch/$s_!pPnB!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!pPnB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png" width="1024" height="823" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/96343168-c16a-45df-8c14-83939615d5af_1024x823.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:823,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1037360,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194939987?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fc3d13687-5ff4-4615-b966-9f3951615089_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!pPnB!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 424w, https://substackcdn.com/image/fetch/$s_!pPnB!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 848w, https://substackcdn.com/image/fetch/$s_!pPnB!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 1272w, https://substackcdn.com/image/fetch/$s_!pPnB!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F96343168-c16a-45df-8c14-83939615d5af_1024x823.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Organizations have spent years building robust backup and recovery capabilities to survive ransomware. Attackers noticed. If your systems can be restored in hours, encryption loses its leverage. But stolen data cannot be &#8220;restored.&#8221; Once it is out, it is out. You cannot undo the leak of customer records, employee Social Security numbers, or proprietary business information.</p><p>This is why attackers are pivoting. Encryption was always just a means to an end. The real leverage is the data itself.</p><h2>How Does This Work?</h2><p>Think of it like a silent burglary versus a smash-and-grab.</p><p>Traditional ransomware is loud. Files stop opening. Ransom notes appear on every screen. Systems grind to a halt. Security teams scramble. Everyone knows something is wrong.</p><p><strong>Exfiltration-only attacks are quiet.</strong> The attacker gains access (often through stolen credentials or a vulnerable internet-facing system), moves laterally to find valuable data, and copies it out of the network. <strong>No files are modified. No services go offline. No alarms ring</strong>. The first indication that anything happened may be a ransom note in your inbox, weeks after the theft occurred.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!rO1k!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!rO1k!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!rO1k!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!rO1k!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!rO1k!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!rO1k!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:446677,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194939987?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!rO1k!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!rO1k!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!rO1k!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!rO1k!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8fb28eb6-7336-486c-955c-d9f63f4e5b75_1200x896.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The tools they use make detection even harder. Instead of obviously malicious software like Rclone or custom exfiltration tools, attackers increasingly use legitimate cloud utilities:</p><p><strong>Azure Copy (AzCopy)</strong> has become a favorite. It is Microsoft&#8217;s official utility for transferring data to Azure Blob storage. It is rarely blocked by endpoint detection and response (EDR) solutions. It uses standard HTTPS connections to *.blob.core.windows.net domains that are typically allowed through firewalls. And the destination is a fully legitimate cloud provider.</p><p>When an attacker uses AzCopy to upload your data to their Azure storage account, it looks almost identical to normal cloud operations. Security teams monitoring for &#8220;malicious&#8221; file transfers may never see it.</p><p>Other common exfiltration methods include:</p><ul><li><p><strong>Azure Storage Explorer:</strong> A GUI version of the same capability</p></li><li><p><strong>Standard cloud sync tools:</strong> Dropbox, OneDrive, Google Drive used to upload stolen data</p></li><li><p><strong>Archive utilities:</strong> Data compressed into smaller packages before transfer</p></li><li><p><strong>Living-off-the-land binaries:</strong> Built-in Windows tools repurposed for data theft</p></li></ul><p>The result: without an encryption event, there is no clear &#8220;moment of compromise&#8221; to trigger incident response. Attackers have days, weeks, or months to find and extract the most valuable data before anyone notices.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!m9jS!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!m9jS!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!m9jS!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!m9jS!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!m9jS!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!m9jS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/d78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1090756,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194939987?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!m9jS!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!m9jS!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!m9jS!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!m9jS!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fd78f9bd7-1acd-428b-a458-c516a3579782_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>What Can You Do?</h2><p>Defending against exfiltration-only attacks requires a different mindset than defending against traditional ransomware. Your backup strategy is necessary but not sufficient. You need to catch the theft before it happens.</p><h3>Step 1: Know What Data You Have and Where It Lives</h3><p>You cannot protect what you cannot find. Map your sensitive data:</p><ul><li><p>Where is personally identifiable information (PII) stored?</p></li><li><p>Where are financial records, intellectual property, and trade secrets?</p></li><li><p>Which systems have access to this data?</p></li><li><p>Who has credentials to those systems?</p></li></ul><p><strong>Data Loss Prevention (DLP) tools like Microsoft Purview</strong> can help identify and monitor sensitive data. The goal is visibility: if you do not know what is valuable, you will not notice when it leaves.</p><h3>Step 2: Monitor for Unusual Data Movement</h3><p>Exfiltration attacks create data movement patterns that differ from normal operations. Look for:</p><p><strong>Volume anomalies:</strong></p><ul><li><p>Large file transfers from servers that normally do not send data externally</p></li><li><p>Unusual compression activity (creating large archives before transfer)</p></li><li><p>Spikes in outbound traffic, especially outside business hours</p></li></ul><p><strong>Destination anomalies:</strong></p><ul><li><p>Connections to Azure Blob storage (*.blob.core.windows.net) from systems that do not normally use Azure</p></li><li><p>Data flowing to personal cloud storage accounts (Dropbox, Google Drive, OneDrive personal)</p></li><li><p>Transfers to IP addresses or domains with no business justification</p></li></ul><p><strong>Tool anomalies:</strong></p><ul><li><p>AzCopy or Azure Storage Explorer running on systems where cloud migration is not occurring</p></li><li><p>Archive utilities (7zip, WinRAR) compressing large volumes of files</p></li><li><p>PowerShell or command-line tools accessing sensitive file shares</p></li></ul><p>Configure alerts for these patterns. Endpoint detection tools, network monitoring, and SIEM platforms can all contribute.</p><h3>Step 3: Restrict Outbound Network Access</h3><p>Most servers do not need direct internet access. Lock it down:</p><ul><li><p>Implement egress filtering: servers should only reach the specific external endpoints they require (update servers, API endpoints, etc.)</p></li><li><p>Block or alert on connections to cloud storage providers from systems that do not have a legitimate business need</p></li><li><p>Use a proxy or secure web gateway for outbound traffic so you have visibility and control</p></li><li><p>Consider application allowlisting on critical servers to prevent unauthorized tools from running</p></li></ul><h3>Step 4: Harden Your Identity Layer</h3><p>Most exfiltration attacks begin with compromised credentials. Make initial access harder:</p><ul><li><p><strong>Phishing-resistant MFA everywhere:</strong> Hardware security keys (FIDO2/WebAuthn) are ideal. Authenticator apps are acceptable. SMS is better than nothing but vulnerable.</p></li><li><p><strong>Privileged access management:</strong> Admin accounts should have separate credentials, time-limited access, and enhanced monitoring.</p></li><li><p><strong>Credential hygiene:</strong> Audit for password reuse, default credentials, and service accounts with excessive permissions.</p></li><li><p><strong>Conditional access policies:</strong> Block logins from unexpected locations, devices, or risk levels.</p></li></ul><h3>Step 5: Segment Your Network</h3><p>If attackers gain access to one system, limit how far they can move:</p><ul><li><p>Separate sensitive data repositories from general user networks</p></li><li><p>Restrict lateral movement between segments</p></li><li><p>Apply the principle of least privilege: users and systems should only access what they need</p></li></ul><p>An attacker who compromises a workstation should not be able to reach your file servers, customer databases, or intellectual property repositories without triggering additional authentication or alerts.</p><h3>Step 6: Prepare for the Call</h3><p>Despite your best efforts, an exfiltration attack may still succeed. Have a plan:</p><p><strong>Legal counsel:</strong> Know who to call when you receive a ransom demand. Decisions about payment, disclosure, and law enforcement involvement require legal guidance.</p><p><strong>Incident response retainer:</strong> Have a relationship with an IR firm before you need one.</p><p><strong>Communication templates: </strong>Draft holding statements for customers, employees, regulators, and media.</p><p><strong>Data inventory:</strong> Know what was likely stolen based on what the attackers accessed. This will inform your disclosure obligations.</p><div><hr></div><h2>The Bottom Line</h2><p>Ransomware is evolving. The encryption that used to be the attack&#8217;s signature is becoming optional. Attackers have realized that stolen data is leverage enough, especially when victims have backups that make encryption pointless.</p><p>This shift has real implications. Your disaster recovery playbook will not help you. Your backups will not undo a data breach. And the quiet nature of exfiltration attacks means you may not know you have been compromised until the ransom note arrives.</p><p>The defense is detection: know your data, watch your network, and catch the theft before it is complete. Because once your data is in an attacker&#8217;s hands, your options narrow dramatically.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-they-stole-everything?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-they-stole-everything?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-they-stole-everything?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>Do not let the first sign of compromise be an email demanding millions to keep your data private.</p><div><hr></div><p><strong>Research Sources:</strong></p><ul><li><p>Intruvent Cloud CTI Engine (Codex)</p></li><li><p>Morphisec, &#8220;Ransomware Without Encryption: Why Pure Exfiltration Attacks Are Surging&#8221; (2026)</p></li><li><p>HIPAA Journal, &#8220;Elevenfold Increase in Data-only Extortion Attacks&#8221;</p></li><li><p> Industrial Cyber, &#8220;Ransomware Reaches Elevated New Normal&#8221; (2026)</p></li><li><p>BlackFog, &#8220;Clop&#8217;s New Extortion Wave Hits Oracle&#8221; (2026)</p></li><li><p> GuidePoint Security, &#8220;The Economics of Clop&#8217;s Zero-Day Campaigns&#8221;</p></li><li><p>CISA, &#8220;#StopRansomware Guide&#8221; and BianLian Advisory (AA23-136A)</p></li><li><p>Unit 42/Palo Alto Networks, &#8220;BianLian Threat Assessment&#8221;</p></li><li><p>Cisco Talos, &#8220;Everyday Tools, Extraordinary Crimes: The Ransomware Exfiltration Playbook&#8221;</p></li><li><p> FBI Internet Crime Complaint Center, 2025 Annual Report</p></li><li><p> Heimdal Security, &#8220;Password Breach Statistics 2026&#8221;</p></li></ul><p>Last Updated: April 21, 2026*</p>]]></content:encoded></item><item><title><![CDATA[Intruvent EDGE: CISA Confirms Iranian Disruption of US Critical Infrastructure]]></title><description><![CDATA[From default passwords to legitimate engineering tools: CyberAv3ngers have leveled-up their capabilities, and what Rockwell shops should do this week.]]></description><link>https://edge.intruvent.com/p/intruvent-edge-cisa-confirms-iranian</link><guid isPermaLink="false">https://edge.intruvent.com/p/intruvent-edge-cisa-confirms-iranian</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Thu, 16 Apr 2026 18:53:14 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!Ycny!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2><strong>What Happened</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!Ycny!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!Ycny!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 424w, https://substackcdn.com/image/fetch/$s_!Ycny!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 848w, https://substackcdn.com/image/fetch/$s_!Ycny!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 1272w, https://substackcdn.com/image/fetch/$s_!Ycny!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!Ycny!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/df8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:276227,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/heic&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194435892?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!Ycny!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 424w, https://substackcdn.com/image/fetch/$s_!Ycny!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 848w, https://substackcdn.com/image/fetch/$s_!Ycny!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 1272w, https://substackcdn.com/image/fetch/$s_!Ycny!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fdf8f6a38-b747-42f9-82ce-a98c8223ae75_1376x768.heic 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>On April 7, 2026, six federal agencies published joint advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a">AA26-097A</a> with two phrases that should concern every critical infrastructure operator in America: <strong>&#8220;operational disruption&#8221;</strong> and <strong>&#8220;financial loss.&#8221;</strong></p><p>The advisory, signed by the FBI, CISA, NSA, EPA, Department of Energy, and US Cyber Command, confirms that Iranian-affiliated cyber actors have actively disrupted programmable logic controllers across US water and wastewater systems, energy facilities, and government installations. Not &#8220;attempted to access.&#8221; Not &#8220;may have compromised.&#8221; Disrupted. With confirmed operational and financial impact.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-cisa-confirms-iranian?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/intruvent-edge-cisa-confirms-iranian?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/intruvent-edge-cisa-confirms-iranian?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p><strong>The threat actor is CyberAv3ngers, a persona operated by Iran&#8217;s Islamic Revolutionary Guard Corps Cyber-Electronic Command (IRGC-CEC).</strong> The same group that compromised water utility PLCs in Pennsylvania in November 2023. The same group whose six operators were designated by the US Treasury in February 2024. The same group the State Department has offered a $10 million bounty on.</p><p><strong>They have advanced their tradecraft. </strong>Where earlier operations relied on internet-exposed devices with default credentials, <em>they are now targeting Rockwell Automation controllers, the most widely deployed industrial automation platform in North America, using legitimate Rockwell engineering software to establish connections that read as normal operator activity on most network sensors.</em></p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!BKv4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!BKv4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BKv4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!BKv4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!BKv4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!BKv4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg" width="1376" height="768" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:768,&quot;width&quot;:1376,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:239874,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194435892?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!BKv4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 424w, https://substackcdn.com/image/fetch/$s_!BKv4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 848w, https://substackcdn.com/image/fetch/$s_!BKv4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!BKv4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F4e93a977-5d48-4acd-b58e-2fdad19019b1_1376x768.jpeg 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>If your organization operates Rockwell CompactLogix or Micro850 PLCs, particularly in water, energy, or government sectors, this advisory is about you.</p><h2><strong>From Public Defacement to Legitimate Tooling: The CyberAv3ngers Evolution</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wU1g!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wU1g!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 424w, https://substackcdn.com/image/fetch/$s_!wU1g!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 848w, https://substackcdn.com/image/fetch/$s_!wU1g!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 1272w, https://substackcdn.com/image/fetch/$s_!wU1g!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wU1g!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png" width="1109" height="856" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:856,&quot;width&quot;:1109,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:174489,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194435892?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wU1g!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 424w, https://substackcdn.com/image/fetch/$s_!wU1g!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 848w, https://substackcdn.com/image/fetch/$s_!wU1g!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 1272w, https://substackcdn.com/image/fetch/$s_!wU1g!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7c0ff0d1-cda4-4821-b75e-dedf11f86230_1109x856.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>CyberAv3ngers first surfaced in October 2020 on Telegram, claiming responsibility for power outages in Israel.</strong> The group&#8217;s early public activity emphasized messaging, and some claims were later correlated to imagery from separate incidents. Those years established the brand. The years that followed established the capability.</p><p><strong>In November 2023, the Municipal Water Authority of Aliquippa, Pennsylvania discovered that their Unitronics Vision Series PLC had been compromised and was displaying a defacement message.</strong> CISA confirmed the attack and published advisory <a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">AA23-335A</a>. The operators took a pragmatic technical approach, exploiting internet-exposed PLCs running default credentials. Within weeks, CISA documented at least 75 similar compromises across multiple states. The target selection was deliberate: a specific vendor, in a specific sector, at a scale that demonstrated operational tempo.</p><p>The 2023 campaign confirmed CyberAv3ngers as a capable operational group with sustained interest in US critical infrastructure. The 2026 campaign shows where that capability has grown.</p><p><strong>According to AA26-097A, the operators are now using </strong><em><strong>&#8220;leased, third-party hosted infrastructure with configuration software, such as Rockwell Automation&#8217;s Studio 5000 Logix Designer software, to create an accepted connection to the victim&#8217;s PLC.&#8221;</strong></em> They are not exploiting a software vulnerability in the traditional sense. They are using the exact tools that legitimate engineers use to program and maintain these controllers, which means the resulting network traffic looks like engineering activity to most detection tooling.</p><p><strong>This is a meaningful escalation in capability.</strong> Studio 5000 Logix Designer is Rockwell&#8217;s professional engineering environment. Using it requires stolen credentials, a compromised engineering workstation, or exploitation of <strong>CVE-2021-22681</strong>, a cryptographic key vulnerability that permits an actor who obtains a specific key to authenticate to affected PLCs without valid credentials. CISA added CVE-2021-22681 to its Known Exploited Vulnerabilities catalog in March 2026, confirming active exploitation.</p><p>The target set has expanded in proportion to the capability. Rockwell Automation dominates the North American industrial automation market. CompactLogix and ControlLogix controllers run water treatment plants, power generation facilities, manufacturing lines, and oil and gas operations across the continent. Censys identified 5,219 internet-exposed hosts globally responding to EtherNet/IP protocols and identifying as Rockwell Automation devices. 74.6% of them, approximately 3,890 devices, are in the United States.</p><h2><strong>Inside the Attack Chain</strong></h2><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!QklY!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!QklY!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 424w, https://substackcdn.com/image/fetch/$s_!QklY!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 848w, https://substackcdn.com/image/fetch/$s_!QklY!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 1272w, https://substackcdn.com/image/fetch/$s_!QklY!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!QklY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png" width="1388" height="1782" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1782,&quot;width&quot;:1388,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:333267,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194435892?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!QklY!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 424w, https://substackcdn.com/image/fetch/$s_!QklY!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 848w, https://substackcdn.com/image/fetch/$s_!QklY!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 1272w, https://substackcdn.com/image/fetch/$s_!QklY!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7aa71a1e-5c7b-48e6-983e-72bdab08c8e0_1388x1782.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The AA26-097A advisory describes a multi-phase operation targeting specific ports on exposed Rockwell controllers:</p><ul><li><p><strong>Port 44818 (EtherNet/IP):</strong> The primary Rockwell Automation industrial protocol. This is how Studio 5000 communicates with CompactLogix and other Logix-family controllers.</p></li><li><p><strong>Port 2222:</strong> Used for OT configuration and some Rockwell-specific services.</p></li><li><p><strong>Port 102 (ISO-TSAP):</strong> The Siemens S7 communication protocol. Its presence in the advisory suggests the operators are scanning for multiple PLC vendors in parallel.</p></li><li><p><strong>Port 502 (Modbus TCP):</strong> A legacy industrial protocol still widely used. Many Rockwell controllers support Modbus for integration with third-party systems.</p></li><li><p><strong>Port 22 (SSH):</strong> Indicates deployment of persistent access mechanisms. Picus Security&#8217;s analysis of the campaign notes that &#8220;attackers deployed Dropbear SSH on victim endpoints, providing persistent remote access surviving PLC reboots.&#8221;</p></li></ul><p>Once connected, the operators performed two categories of post-access activity:</p><p><strong>Project file extraction.</strong> PLC project files (with .ACD extension in Rockwell environments) contain the ladder logic, control sequences, and configuration parameters that define how the controller operates. Extracting these files yields a complete blueprint of the target facility&#8217;s automation logic, useful for reconnaissance, follow-on operations, or potential kinetic effects.</p><p><strong>HMI/SCADA display manipulation.</strong> The operators modified data displayed on human-machine interfaces and SCADA systems. This is particularly consequential in critical infrastructure environments. If operators cannot trust what their screens tell them, they cannot safely run the facility. A manipulated display could show normal pressure readings while a tank overflows, or hide a dangerous temperature rise until equipment fails.</p><p>The advisory confirms that &#8220;some of the victims experienced operational disruption and financial loss.&#8221; The FBI declined to provide additional details about specific incidents.</p><h2><strong>Who Is CyberAv3ngers?</strong></h2><p>CyberAv3ngers is a state-sponsored program run by the IRGC-CEC, the cyber-electronic warfare arm of Iran&#8217;s Islamic Revolutionary Guard Corps. It is a well-resourced group with sustained access to infrastructure, tooling, and personnel, operating within an established national cyber program.</p><p>The US Treasury designated six IRGC-CEC officials in February 2024 for their roles in the group.  The State Department has offered a $10 million reward for information leading to the identification or location of any person who, while acting at the direction of a foreign government, participates in malicious cyber activities against US critical infrastructure.</p><p>The group is tracked under multiple names across the vendor community:</p><ul><li><p><strong>Storm-0784</strong> (Microsoft)</p></li><li><p><strong>Bauxite</strong> (Dragos)</p></li><li><p><strong>UNC5691</strong> (Mandiant)</p></li><li><p><strong>G1027</strong> (MITRE ATT&amp;CK)</p></li></ul><p>In January 2026, the group rebranded its Telegram channel from &#8220;CyberAv3ngers&#8221; to &#8220;Cyber4vengers.&#8221; The rebrand coincided with a shift toward more technically mature operations.</p><p>Leaked records from December 2025 confirmed operational connections between CyberAv3ngers and Moses Staff, another Iranian state-sponsored group known for destructive wiper operations. Check Point Research has documented approximately 60 affiliated pro-Iranian groups that adopt CyberAv3ngers techniques.</p><h2><strong>The IOCONTROL Connection</strong></h2><p>The Rockwell campaign is not the only active CyberAv3ngers toolset. A parallel thread in the group&#8217;s capability development was documented two years earlier.</p><p>In mid-2024, Claroty&#8217;s Team82 published analysis of a custom malware family called IOCONTROL, attributed to CyberAv3ngers. IOCONTROL is designed to run on a variety of IoT and OT devices, including PLCs, HMIs, routers, and IP cameras. The malware uses:</p><ul><li><p>MQTT over TLS on port 8883 for command and control</p></li><li><p>DNS-over-HTTPS to resolve C2 infrastructure, evading traditional DNS monitoring</p></li><li><p>AES-256-CBC encryption for all communications</p></li></ul><p>IOCONTROL marked a clear step beyond the 2023 Unitronics operations. Where the earlier work centered on public-facing defacement, IOCONTROL extended the toolkit to persistent access and programmatic manipulation of industrial processes across a broader range of device types. By 2024, the group was already investing in purpose-built OT malware, a year and a half before the Rockwell activity in AA26-097A surfaced publicly.</p><p>The relationship between the IOCONTROL work and the 2026 Rockwell exploitation is not explicitly stated in public reporting. Both lines of operation target overlapping sectors and reflect a consistent trajectory toward persistent, vendor-agnostic access to industrial control environments.</p><h2><strong>Why This Advisory Is Different</strong></h2><p>CISA has published many advisories about threats to critical infrastructure. Most describe potential risks or document intrusion attempts. AA26-097A is different because it confirms actual impact.</p><p>On March 18, 2026, the CISA Acting Director stated that CISA was operating at &#8220;steady state&#8221; regarding Iranian cyber threats, despite the ongoing military conflict between the US, Israel, and Iran. The implication at the time was that threat activity remained within normal parameters.</p><p>AA26-097A, published 20 days later, functionally updates that assessment. The advisory confirms that Iranian actors have not merely attempted to access critical infrastructure; they have disrupted it. Facilities have experienced operational impacts. Organizations have incurred financial losses.</p><p>This is also the first joint advisory of the current conflict signed by six federal agencies, including US Cyber Command&#8217;s Cyber National Mission Force. The breadth of signatories signals the severity of the threat and the confidence level in the attribution.</p><p>The geopolitical context matters. Since Operation Epic Fury began on February 28, 2026, the US and Israel have conducted sustained military operations against Iran. The Strait of Hormuz has been effectively closed for over a month. Iran&#8217;s Supreme Leader was killed in an early strike. This week, President Trump issued an ultimatum threatening to destroy &#8220;every bridge&#8221; and &#8220;every power plant in Iran&#8221; if the Strait is not reopened.</p><p>CyberAv3ngers is one of Iran&#8217;s primary instruments of asymmetric cyber operations. The confirmed disruptions in AA26-097A indicate that instrument is in active use against American infrastructure.</p><h2><strong>What You Should Do</strong></h2><div><hr></div><h3>A Note Before You Act</h3><p>The guidance below describes general defensive practices for OT and ICS environments. It is not prescriptive direction for your specific network.</p><p>Operational technology environments are safety-critical. Taking a PLC offline, altering network segmentation, disabling services, or changing keyswitch positions can produce consequences that extend well beyond IT, including process upsets, equipment damage, safety incidents, and regulatory exposure.</p><p>Before implementing any step in this section:</p><ol><li><p>Review the guidance with your OT engineering team, facility operators, and safety personnel.</p></li><li><p> Verify compatibility with your specific device models, firmware versions, and operational context.</p></li><li><p>Consult vendor documentation, including Rockwell Automation advisories, for device-specific procedures.</p></li><li><p> Coordinate changes through your organization&#8217;s change-management and outage-planning processes.</p></li><li><p> Where doubt exists, engage a qualified OT cybersecurity professional familiar with your environment.</p></li></ol><p>This newsletter is threat intelligence reporting, not engineering direction. Intruvent Technologies provides this information on an &#8220;as is&#8221; basis, without warranties of any kind, and accepts no liability for any operational, safety, financial, or other consequences arising from actions taken on the basis of this content. Decisions about your systems are yours to make, with your team, based on your knowledge of your environment.</p><div><hr></div><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!q9-X!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!q9-X!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 424w, https://substackcdn.com/image/fetch/$s_!q9-X!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 848w, https://substackcdn.com/image/fetch/$s_!q9-X!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 1272w, https://substackcdn.com/image/fetch/$s_!q9-X!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!q9-X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png" width="1387" height="1669" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1669,&quot;width&quot;:1387,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:364706,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194435892?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!q9-X!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 424w, https://substackcdn.com/image/fetch/$s_!q9-X!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 848w, https://substackcdn.com/image/fetch/$s_!q9-X!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 1272w, https://substackcdn.com/image/fetch/$s_!q9-X!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8e9e7177-9c30-4c36-bdaa-d38849d8ae5b_1387x1669.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>Right Away</strong></h3><p><strong>Take internet-exposed PLCs offline.</strong> There is no legitimate reason for a PLC to be directly accessible from the public internet. Every Rockwell CompactLogix, Micro850, or similar controller that responds to public internet queries is a potential target. If your organization has exposed devices, disconnect them now. Remote access should be routed through secured gateways, jump servers, or VPNs with multi-factor authentication.</p><p><strong>Check the ports.</strong> Scan your external perimeter for services on TCP 44818 (EtherNet/IP), 2222, 102 (ISO-TSAP), 502 (Modbus), and 22 (SSH). Any inbound access to these ports from untrusted networks should be blocked.</p><p><strong>Set physical mode switches to RUN.</strong> CompactLogix controllers have a physical keyswitch that can be set to RUN mode, preventing remote programming changes. This is a simple, effective control that many operators overlook. An actor who gains network access to a controller in RUN mode cannot upload new logic without physical access to the device.</p><p><strong>Audit for Dropbear SSH.</strong> The advisory indicates operators deployed Dropbear SSH for persistence. Dropbear is a lightweight SSH server that does not belong on most PLCs. Search for unexpected SSH services on your OT devices.</p><h3><strong>This week</strong></h3><p><strong>Patch CVE-2021-22681.</strong> This cryptographic key vulnerability affects Rockwell Studio 5000 Logix Designer and enables authentication bypass. Rockwell has released mitigations, check them out.</p><p><strong>Review your cellular connectivity.</strong> Many PLCs in remote locations use cellular modems for remote access. These connections often bypass corporate firewalls and security controls. Audit which devices have cellular connectivity and whether that connectivity is necessary.</p><p><strong>Enable network monitoring at OT boundaries.</strong> If you do not have visibility into traffic entering and leaving your OT networks, you cannot detect this activity. Deploy network detection and response capabilities that understand industrial protocols like EtherNet/IP and Modbus.</p><h3><strong>Going forward</strong></h3><p><strong>Implement network segmentation.</strong> PLCs should sit on isolated network segments with controlled access points. Traffic between IT and OT networks should flow through monitored chokepoints. &#8220;Air gaps&#8221; that exist only on network diagrams provide no protection.</p><p><strong>Disable unnecessary services.</strong> VNC, Telnet, FTP, and HTTP management interfaces on PLCs provide additional attack surface. Disable anything not required for operation.</p><p><strong>Monitor for configuration changes.</strong> Establish baselines for PLC project files and alert on unexpected modifications. A change to ladder logic should trigger immediate investigation.</p><p><strong>Develop offline recovery procedures.</strong> If your PLCs are compromised, can you restore them from known-good backups? Are those backups stored offline where they cannot be modified by the same actor? Test your ability to rebuild a compromised controller from scratch.</p><h2><strong>Indicators of Compromise</strong></h2><p>The CISA advisory includes a STIX file with machine-readable indicators at <a href="https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.xml">https://www.cisa.gov/sites/default/files/2026-04/AA26-097A.stix_.xml</a>.</p><p><strong>Target ports:</strong></p><ul><li><p>TCP 44818 (EtherNet/IP)</p></li><li><p>TCP 2222 (OT configuration)</p></li><li><p>TCP 102 (ISO-TSAP)</p></li><li><p>TCP 502 (Modbus)</p></li><li><p>TCP 22 (SSH)</p></li></ul><p><strong>Affected devices:</strong></p><ul><li><p>Rockwell Automation CompactLogix</p></li><li><p>Rockwell Automation Micro850</p></li><li><p>Any Rockwell/Allen-Bradley device on EtherNet/IP</p></li></ul><p><strong>CVE:</strong></p><ul><li><p>CVE-2021-22681 (CVSS 9.8): Authentication bypass via insufficiently protected cryptographic key in Studio 5000 Logix Designer</p></li></ul><p><strong>Behavioral indicators:</strong></p><ul><li><p>Studio 5000 connections from non-engineering workstations</p></li><li><p>Dropbear SSH processes on PLC or HMI devices</p></li><li><p>Modified PLC project files (.ACD)</p></li><li><p>Inconsistencies between SCADA displays and physical process values</p></li><li><p>Outbound connections from OT devices to unexpected IP ranges</p></li></ul><h2><strong>Sources</strong></h2><ul><li><p><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa26-097a">CISA Advisory AA26-097A</a>, April 7, 2026</p></li><li><p><a href="https://www.picussecurity.com/resource/blog/cisa-alert-aa26-097a-iranian-affiliated-actors-target-plcs-across-us-critical-infrastructure">Picus Security Analysis of AA26-097A</a></p></li><li><p><a href="https://industrialcyber.co/industrial-cyber-attacks/censys-warns-systemic-exposure-of-rockwell-plcs-enable-iran-linked-targeting-of-critical-infrastructure-ot-networks/">Industrial Cyber: Censys Warns of Rockwell PLC Exposure</a></p></li><li><p><a href="https://www.tenable.com/blog/what-to-know-about-cyberav3ngers-the-irgc-linked-group-targeting-critical-infrastructure">Tenable: CyberAv3ngers FAQ</a></p></li><li><p><a href="https://www.theregister.com/2026/04/07/iran_hackers_disrupting_us_water_energy/">The Register: Iran Intruders Disrupting US Water, Energy Facilities</a></p></li><li><p><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a">CISA Advisory AA23-335A</a>, November 2023 Unitronics Campaign</p></li></ul><div><hr></div><h2><strong>More Iran Cyber Threat Intelligence</strong></h2><p>The CyberAv3ngers campaign is part of a broader pattern of Iranian cyber operations escalating alongside the ongoing military conflict. We&#8217;re tracking 16+ Iranian threat groups actively targeting US and allied infrastructure.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>For continuously updated threat actor profiles, IOC feeds, detection rules, and geopolitical context on the Iran cyber threat, visit the <strong><a href="https://intruvent.com/iran-cyber-threat/">Intruvent Iran Cyber Threat Intelligence Center</a></strong>.</p><p>Resources include:</p><ul><li><p>CyberAv3ngers, Handala, MuddyWater, and 13+ other Iranian APT profiles</p></li><li><p>Iran Conflict SITREP (updated bi-weekly)</p></li><li><p>OT/ICS-specific detection queries for Splunk and Microsoft Sentinel</p></li><li><p>Indicators of compromise with blocking guidance</p></li></ul><div><hr></div><p><em>Intruvent Edge is a bi-weekly threat intelligence newsletter from Intruvent Technologies. For monthly threat reporting and detection, visit <a href="https://intruvent.com/brace">intruvent.com/brace</a>.</em></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Getting Burned by Your Old Passwords]]></title><description><![CDATA[6 billion login attempts. Every month. Using passwords just like yours.]]></description><link>https://edge.intruvent.com/p/prevent-this-getting-burned-by-your</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-getting-burned-by-your</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 14 Apr 2026 16:33:07 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!DBda!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!DBda!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!DBda!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!DBda!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!DBda!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!DBda!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!DBda!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1552590,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194119704?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!DBda!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!DBda!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!DBda!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!DBda!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F848b1594-c104-44e8-8d2d-a6fb7f23dc71_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>What Happened?</h2><p>In March 2025, hackers hit five Australian superannuation funds (retirement accounts) simultaneously. Within 48 hours, they accessed over 20,000 customer accounts and stole AUD $500,000. The victims did nothing wrong. They never clicked a phishing link. They never downloaded malware. They never shared their passwords.</p><p>Their passwords had been stolen years earlier, from completely unrelated breaches, and they were still using them.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>The attackers used a technique called <strong>credential stuffing</strong>: they took massive lists of usernames and passwords from old data breaches (LinkedIn 2012, Adobe 2013, Dropbox 2016, and hundreds of others) and systematically tried them against fresh targets. When people reuse passwords across sites, one old breach becomes the key to everything.</p><p>The Australian attack was not sophisticated. It was inevitable. When 109 million email addresses and passwords from a single &#8220;stealer log&#8221; collection appeared online earlier this year, followed by another 183 million from a separate dump, the raw material for these attacks has never been more abundant.</p><p>And it is not just happening in Australia. The FBI issued a public service announcement in March 2026 warning that credential stuffing attacks against financial institutions are surging, with attackers routing their attempts through residential proxy networks to evade detection.</p><div><hr></div><h2>Why Should You Care?</h2><p>The numbers are staggering:</p><ul><li><p><strong>26 billion</strong> automated login attempts happen every month using stolen credentials</p></li><li><p><strong>76% of leaked password</strong>/login combinations still work when tried against other sites</p></li><li><p><strong>83% of organizations</strong> experienced at least one account takeover last year</p></li><li><p><strong>$4.8 million</strong> is the average cost of a credential stuffing breach</p></li><li><p><strong>972 breached websites</strong> are currently tracked by HaveIBeenPwned, with billions of compromised accounts</p></li></ul><p>Here is the uncomfortable truth: if you have been using the internet for more than a few years, your credentials have almost certainly been exposed in at least one breach. The question is not whether your password is out there. The question is whether you are still using it.</p><p>Every dormant account you have ever created, that old forum from 2011, the streaming service free trial you forgot about, the shopping site you used once, is a liability. If that service gets breached (or already has been), your email and password are now in a database that attackers will use against your bank, your email, your work accounts.</p><p>Dormant accounts are 10 times less likely to have two-factor authentication enabled than active accounts. They are not monitored. Nobody notices when they are compromised. They sit there, waiting to be exploited.</p><p>According to a Beyond Identity survey, 10% of people are still using a password they first created as a teenager. That means somewhere out there, a bank account, an email inbox, or a corporate VPN is protected by the same password someone picked for their Neopets account in 2007. Which brings us to this week&#8217;s Oreo and Bean comic:</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!CK91!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!CK91!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!CK91!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!CK91!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!CK91!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!CK91!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:433185,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194119704?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!CK91!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!CK91!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!CK91!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!CK91!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F7ace4001-0c69-4aa3-ba85-f77305051e58_1200x896.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><div><hr></div><h2>How Does This Work?</h2><p>Think of it like a master key ring.</p><p>Every time a company gets breached, the attackers add another set of keys to the ring. LinkedIn breach? That is 117 million keys. Adobe breach? Another 153 million. Dropbox? 68 million more. These &#8220;combolists&#8221; (username/password combinations) circulate freely on criminal forums, often for free.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!uwo5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!uwo5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!uwo5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!uwo5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!uwo5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!uwo5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1287663,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/194119704?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!uwo5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!uwo5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!uwo5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!uwo5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F5d99452d-e034-43df-aa01-56251afe7ab1_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Attackers then run automated tools that try these credentials against valuable targets: banks, email providers, corporate VPNs, streaming services. They rotate through thousands of residential proxy IP addresses (rented from services like IPRoyal for as little as $4 per gigabyte) so their attempts look like they are coming from ordinary home internet connections all over the world, not a single attacker.</p><p>Rate limiting does not stop them, because each IP only makes a few attempts. Geographic blocking does not stop them, because the proxies are everywhere. Even &#8220;impossible travel&#8221; detection struggles, because the attackers are patient.</p><p>The attack is simple: if you used the same password for LinkedIn in 2012 that you use for your bank today, they are in.</p><div><hr></div><h2>What Can You Do?</h2><p>This is your credential cleanup checklist. Set aside 30 minutes this week and work through it.</p><h3>Step 1: Check What Has Been Exposed</h3><p>Go to <a href="https://haveibeenpwned.com">HaveIBeenPwned.com</a> and enter every email address you have ever used. Yes, that old Hotmail account too. The site will show you every known breach that included your email.</p><p>Do not panic at the list. The point is not to feel bad. The point is to know which passwords are definitely compromised so you can stop using them.</p><p><strong>Bonus:</strong> Check <a href="https://haveibeenpwned.com/Passwords">HaveIBeenPwned.com/Passwords</a> to see if any specific password you use has appeared in a breach. (The site uses a clever privacy technique so your actual password never leaves your device.)</p><h3>Step 2: Delete Accounts You Do Not Use</h3><p>This is the step most people skip, and it is the most important.</p><p>Every old account is an attack surface. If you are not using it, delete it. Here is how to find them:</p><p>1. <strong>Search your email</strong> for phrases like &#8220;welcome to,&#8221; &#8220;confirm your account,&#8221; &#8220;thanks for signing up,&#8221; or &#8220;verify your email.&#8221; This will surface accounts you have forgotten about.</p><p>2. <strong>Check your password manager</strong> (if you use one) for sites you have not visited in over a year.</p><p>3. <strong>Review &#8220;Sign in with Google/Apple/Facebook&#8221;</strong> connections in your account settings. Revoke access to apps and services you no longer use.</p><p>4. Use a service like <a href="https://justdeleteme.xyz">JustDeleteMe</a> to find the account deletion page for specific services. (Some make it deliberately hard to find.)</p><p>For each account you find: if you use it, update the password. If you do not use it, delete it. No exceptions.</p><h3>Step 3: Fix Your Password Hygiene</h3><p>You have heard this before, but here it is again, because it is the single most effective defense:</p><p>1. <strong>Use a password manager</strong>. Bitwarden (free), Apple Passwords, 1Password, Dashlane, or the one built into your browser. The specific tool matters less than actually using one.</p><p>2. <strong>Every account gets a unique password.</strong> Let the password manager generate random 16+ character passwords. You do not need to remember them.</p><p>3. <strong>Turn on two-factor authentication everywhere it is offered.</strong> Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are better than SMS, but SMS is better than nothing.</p><p>4. <strong>Secure your password manager recovery.</strong> Your master password should be strong and unique. Store backup codes in a safe place (not a cloud document). If you use biometrics, make sure your backup method is also secure.</p><h3>Step 4: Secure Your Backup Codes</h3><p>Here is a detail most people miss: in the Australian superannuation attack, some victims had MFA enabled, but attackers used stolen backup codes to bypass it.</p><p>Backup codes are the &#8220;break glass in emergency&#8221; option for two-factor authentication. They are also often stored carelessly (in notes apps, cloud documents, or email drafts).</p><p>- Store backup codes in your password manager, or</p><p>- Print them and keep them in a physical safe, or</p><p>- Store them in an encrypted note</p><p>Never store them in plain text in the cloud.</p><div><hr></div><h2>The Bottom Line</h2><p><strong>Your passwords from 2015 are still circulating on criminal forums</strong>. Your dormant accounts from services you forgot about are still vulnerable. And attackers are running 26 billion automated attempts every month to see which old keys still open new doors.</p><p><strong>The good news: you can fix this in an afternoon.</strong> Check what has been exposed. Delete what you do not need. Update what remains. Turn on two-factor authentication. And stop reusing passwords.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-getting-burned-by-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-getting-burned-by-your?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-getting-burned-by-your?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p>The Australian victims lost half a million dollars because they were still using passwords from years ago. Do not be the next case study.</p><div><hr></div><p>Sources: </p><p>FBI IC3 (March 2026), HaveIBeenPwned.com, HUMAN Security, Trend Micro, Bitdefender, Consumer Reports Security Planner*</p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Supply Chain Software Attacks]]></title><description><![CDATA[One compromised vendor. 823,548 bank customers exposed. Zero shots fired.]]></description><link>https://edge.intruvent.com/p/prevent-this-supply-chain-software</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-supply-chain-software</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 31 Mar 2026 16:31:11 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!5JR5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h2>What Happened?</h2><p>Picture your building&#8217;s security company storing a copy of every tenant&#8217;s master key in a warehouse. A thief breaks into the warehouse, copies the keys, then robs 80 apartments. The tenants&#8217; locks were fine. The security company&#8217;s warehouse was the weak link.</p><p>That is almost exactly what happened to Marquis Software Solutions.</p><p>According to Marquis&#8217; lawsuit against SonicWall, In February 2025, attackers compromised SonicWall&#8217;s cloud portal and stole firewall configuration data, including emergency backup passcodes, for a subset of customers. Those passcodes were designed to bypass normal authentication in emergencies. The attackers sat on the stolen keys for months.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>Then, in August 2025, they used those passcodes to walk straight into Marquis Software&#8217;s network. Marquis provides core banking software to community banks and credit unions across the country. Once inside, the attackers exfiltrated Social Security numbers, bank account details, and credit card numbers belonging to 823,548 people across 80 banks and credit unions, then deployed ransomware.</p><p>No bank was directly attacked. Every bank was affected.</p><p>This is a <strong>double supply chain attack</strong>: SonicWall (the firewall vendor) fell first, which enabled the breach of Marquis (the banking software vendor), which exposed data from 80+ financial institutions and their customers. Two links in the chain, hundreds of thousands of victims.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!5JR5!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!5JR5!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!5JR5!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!5JR5!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!5JR5!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!5JR5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2b31169f-7421-4445-9859-49984876191e_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1230843,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192742003?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!5JR5!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!5JR5!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!5JR5!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!5JR5!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2b31169f-7421-4445-9859-49984876191e_1024x1024.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><p>And Marquis was not alone. In March 2026:</p><ul><li><p><strong>APT41</strong> (a Chinese state-backed group) was revealed to have been inside <strong>F5 Networks</strong> for over 12 months, potentially deploying backdoors on customer systems. F5 makes the access control software that banks, hospitals, and government agencies depend on.</p></li><li><p>The <strong>Trivy vulnerability scanner (covered last week)</strong>, a security tool used by thousands of enterprises, was itself compromised when attackers poisoned 76 of 77 release tags on GitHub. The tool organizations trusted to find vulnerabilities became the vulnerability.</p></li><li><p>The <strong>GlassWorm campaign</strong> planted malicious code in 433 packages, repositories, and IDE extensions across GitHub, npm, and VSCode marketplaces, hiding payloads in invisible Unicode characters.</p></li></ul><p>The good news is that there are steps that you can take to minimize the risk from your supply chain&#8230;. Like insisting on a Software Bill of Materials (SBOM) among other controls.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!E4u2!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!E4u2!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!E4u2!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!E4u2!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!E4u2!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!E4u2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg" width="1200" height="896" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/bef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:896,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:435542,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192742003?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!E4u2!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 424w, https://substackcdn.com/image/fetch/$s_!E4u2!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 848w, https://substackcdn.com/image/fetch/$s_!E4u2!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!E4u2!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbef7267a-a1e5-46f4-82cb-114d6be38baa_1200x896.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p></p><div><hr></div><h2>Why Should You Care?</h2><p>Supply chain attacks are growing faster than almost any other category:</p><ul><li><p><strong>30% of all data breaches in 2025 involved a third-party vendor</strong>, double the rate from previous years (DeepStrike)</p></li><li><p><strong>Supply chain breaches cost $4.91 million on average</strong> and take the longest to detect, averaging 267 days from compromise to containment (IBM Cost of a Data Breach Report, 2025)</p></li><li><p><strong>877,522 malicious packages</strong> were detected in open-source software repositories in 2025, a 73% increase over 2024 (ReversingLabs/Sonatype)</p></li><li><p><strong>$60 billion</strong> in global losses from software supply chain attacks in 2025, projected to reach $138 billion by 2031 (Cybersecurity Ventures)</p></li></ul><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PFCh!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PFCh!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!PFCh!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!PFCh!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!PFCh!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PFCh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1078945,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192742003?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PFCh!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!PFCh!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!PFCh!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!PFCh!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F885eda27-6652-4dc8-b1a7-2700922a80f4_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>Here is the part that makes supply chain attacks different from every other type: <strong>you can do everything right and still get hit.</strong> Your firewalls are configured correctly. Your employees passed phishing training. Your systems are patched. But if your software vendor, or your vendor&#8217;s vendor, gets compromised, the attackers ride in on trusted software through the front door.</p><div><hr></div><h2>How Does This Work?</h2><p>Think of it like a contaminated ingredient in a food supply. The restaurant did nothing wrong. The ingredient passed inspection. But everyone who eats the meal gets sick.</p><p>Software supply chains work the same way. Modern organizations depend on dozens (sometimes hundreds) of vendors, each of which depends on their own set of vendors, open-source libraries, cloud providers, and service partners. An attacker who compromises one link anywhere in that chain can reach every organization downstream.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PJVF!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PJVF!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!PJVF!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!PJVF!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!PJVF!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PJVF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/e81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1168898,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192742003?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PJVF!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!PJVF!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!PJVF!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!PJVF!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fe81ba41d-418f-4f52-bbb8-7dd85881dd6b_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The most common supply chain attack patterns right now:</p><ol><li><p><strong>Vendor credential theft</strong> (the Marquis pattern): Steal login credentials or backup codes from a vendor&#8217;s systems, then use that access to reach their customers. The attackers never need to touch the target directly.</p></li><li><p><strong>Software update poisoning</strong> (the Trivy pattern): Inject malicious code into a legitimate software update or open-source package. Every organization that installs the update gets compromised automatically.</p></li><li><p><strong>Developer environment infiltration</strong> (the GlassWorm pattern): Plant malicious code in developer tools, IDE extensions, or code repositories. When developers use these tools, the malicious code harvests credentials and tokens that open doors to production systems.</p></li><li><p><strong>Cloud infrastructure compromise</strong> (the Resolv DeFi pattern): Target the cloud management layer, such as AWS key management or Microsoft Intune admin accounts, rather than the application itself. One privileged cloud key can unlock an entire organization.</p></li></ol><p>What makes these attacks so effective is trust. Organizations trust their vendors. Developers trust their tools. Automated systems trust signed updates. Attackers exploit that trust.</p><div><hr></div><h2>What Can You Do?</h2><h3>If You Run an Organization</h3><p><strong>1. Know your ingredient list.</strong><br>You cannot protect what you do not know about. Build and maintain a <strong>Software Bill of Materials (SBOM)</strong>, an inventory of every piece of software and every vendor your organization depends on. Our colleagues at <a href="https://www.netrise.io/">NetRise</a> have built an excellent platform for exactly this: their tools generate SBOMs from binaries, firmware, and containers, then map every component back to known vulnerabilities and, with their new <strong>Provenance</strong> feature (launched March 2026), trace which developers and organizations are behind each open-source component. If the Trivy compromise taught us anything, knowing what is inside your software stack is no longer optional.</p><p><strong>2. Verify your vendors&#8217; vendors.</strong><br>Third-party risk assessments should not stop at your direct vendors. Ask them: who are <em>your</em> critical vendors? How do you secure <em>their</em> access? According to Marquis, the Marquis breach happened because SonicWall&#8217;s cloud backup practices were inadequate. Marquis trusted SonicWall. Eighty banks trusted Marquis. The chain broke at the link nobody was watching.</p><p><strong>3. Lock down admin accounts like they are the crown jewels.</strong><br>Phishing-resistant multi-factor authentication (hardware keys, not SMS codes) on every administrative account. No exceptions. The Stryker wiper attack (200,000 devices destroyed in March 2026) started with a single compromised Microsoft Intune admin account.</p><p><strong>4. Segment your network so one breach cannot reach everything.</strong><br>If a vendor is compromised, limit what they can access. Your banking software vendor does not need access to your HR systems. Your HVAC vendor does not need access to your customer database.</p><p><strong>5. Plan for your vendor getting breached.</strong><br>Have an incident response plan that specifically addresses the scenario where a trusted vendor is compromised. Know which data is at risk, how to isolate affected systems, and who to call. Practice it.</p><h3>If You Are a Professional (Any Field)</h3><p><strong>1. Use a password manager and unique passwords everywhere.</strong><br>If one service is breached, reused passwords give attackers access to your other accounts. A password manager makes unique passwords easy.</p><p><strong>2. Turn on multi-factor authentication, and secure the backup codes.</strong><br>MFA is essential, but in the Marquis case, attackers bypassed it using stolen emergency backup passcodes. Store your backup codes in a secure location (a password manager or a physical safe), not in a cloud document.</p><p><strong>3. Be cautious with browser extensions and software add-ons.</strong><br>The GlassWorm campaign hid malicious code inside 72 fake VSCode extensions that mimicked popular developer tools. The same approach works with browser extensions, mobile apps, and plugins of all kinds. Stick to well-known, well-reviewed tools, and remove anything you are not actively using.</p><p><strong>4. Update deliberately, not blindly.</strong><br>Patching remains critical, but after the Trivy compromise, security experts recommend a brief waiting period (24 to 48 hours) before adopting updates from sources that are not critical security patches. This gives the community time to catch poisoned updates before they spread.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-supply-chain-software?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-supply-chain-software?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-supply-chain-software?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><h2>The Bottom Line</h2><p>The biggest cybersecurity risk to your organization may not be your own security. It may be your vendor&#8217;s. Supply chain attacks exploit the trust between organizations, and they are growing in frequency, sophistication, and impact. You cannot eliminate the risk, but you can reduce your exposure by knowing your software ingredients, verifying your vendors, and planning for the day one of them gets compromised.</p><div><hr></div><p><em>Research Sources:</em></p><p><em>Intruvent CTI Cloud</em></p><p>American Banker, &#8220;Marquis Breach Toll Rises to 80 Banks, 824,000 Consumers&#8221;</p><p>TechCrunch, &#8220;Marquis Sues SonicWall Over Ransomware Breach&#8221;</p><p>IBM, 2025 Cost of a Data Breach Report</p><p>DeepStrike, &#8220;Supply Chain Attack Statistics 2025&#8221;</p><p>Cybersecurity Ventures, &#8220;Software Supply Chain Attack Costs&#8221;</p><p>Microsoft Security Blog, &#8220;Trivy Supply Chain Compromise Guidance&#8221;</p><p>Intruvent Technologies, BRACE Threat Intelligence Reports, March 2026</p><p><em>Last Updated: March 31, 2026</em></p>]]></content:encoded></item><item><title><![CDATA[Your Vulnerability Scanner Just Became the Vulnerability]]></title><description><![CDATA[Trivy is a popular open-source vulnerability scanner. Last week, it was compromised and used to steal credentials from over 1,000 organizations that trusted it.]]></description><link>https://edge.intruvent.com/p/your-vulnerability-scanner-just-became</link><guid isPermaLink="false">https://edge.intruvent.com/p/your-vulnerability-scanner-just-became</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Thu, 26 Mar 2026 16:31:31 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!PThR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<h1>What Happened</h1><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!PThR!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!PThR!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 424w, https://substackcdn.com/image/fetch/$s_!PThR!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 848w, https://substackcdn.com/image/fetch/$s_!PThR!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 1272w, https://substackcdn.com/image/fetch/$s_!PThR!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!PThR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png" width="1024" height="821" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:821,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1378265,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192205276?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F74c3805c-2151-4b97-87c9-383f8b85d760_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!PThR!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 424w, https://substackcdn.com/image/fetch/$s_!PThR!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 848w, https://substackcdn.com/image/fetch/$s_!PThR!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 1272w, https://substackcdn.com/image/fetch/$s_!PThR!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F2def3928-e989-4e7e-99b1-eb3c78203b1b_1024x821.png 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>On March 19, 2026, a threat actor called TeamPCP compromised Trivy, one of the most widely used open-source vulnerability scanners in the world. The tool that thousands of organizations run inside their CI/CD pipelines to find security flaws was itself weaponized to steal credentials, backdoor developer machines, and spread laterally through cloud infrastructure.</p><p>Over 1,000 cloud environments have been confirmed infected. Aqua Security, Trivy&#8217;s maintainer, is still investigating the full scope. Microsoft, Palo Alto Unit 42, Wiz, Sysdig, GitGuardian, and Arctic Wolf have all published independent analyses. CVE-2026-33634 has been assigned with a CVSS score of 9.4.</p><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><p>If your organization uses Trivy, GitHub Actions, or any npm packages updated in the last week, keep reading.</p><h1>How the Attack Unfolded</h1><p>The compromise happened in five phases, each building on the last. Understanding this chain matters because the same pattern can be replicated against any open-source project with CI/CD automation.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!wYQk!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!wYQk!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!wYQk!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!wYQk!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!wYQk!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!wYQk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:144447,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192205276?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!wYQk!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!wYQk!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!wYQk!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!wYQk!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F62058683-1332-47d6-a5c3-70ccf0953ff9_1024x1024.jpeg 1456w" sizes="100vw"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Phase 1: A Misconfigured Workflow and an Incomplete Fix</h2><p>Sometime in late February 2026, an automated bot called &#8220;hackerbot-claw&#8221; found a misconfigured `pull_request_target` workflow in Trivy&#8217;s GitHub repository. This is a well-documented vulnerability in GitHub Actions: the `pull_request_target` event runs workflows with write access to the repository and makes secrets available to the workflow, even when triggered by a pull request from a fork.</p><p>The bot exploited this to steal a Personal Access Token (PAT) from Trivy&#8217;s CI environment. Aqua Security discovered the theft and rotated credentials, but the rotation was incomplete. According to GitGuardian&#8217;s analysis, residual access paths remained open. TeamPCP retained access to surviving tokens, including credentials for the `aqua-bot` service account, and waited.</p><h2>Phase 2: Binary Poisoning Through Official Channels</h2><p>On March 19 at 17:43 UTC, TeamPCP used the compromised service account to push a malicious Trivy release: version 0.69.4. The commits were crafted to spoof legitimate maintainer identities, reusing original author metadata and timestamps to create a deceptive Git history. The release triggered Aqua&#8217;s automated build pipelines, which published the infected binary to GitHub Releases, Docker Hub, GitHub Container Registry (GHCR), and Amazon ECR.</p><p>Two days later, on March 22, TeamPCP pushed additional malicious Docker images tagged 0.69.5 and 0.69.6 directly to Docker Hub, without corresponding GitHub releases. The last clean version is 0.69.3.</p><h2>Phase 3: Tag Poisoning Turns Every Pipeline into a Weapon</h2><p>This is where the attack scaled. TeamPCP force-pushed malicious commits to 75 of 76 version tags in the `trivy-action` GitHub Action and all 7 tags in `setup-trivy`. Because most GitHub Actions workflows reference actions by version tag (e.g., `@v0.28.0`) rather than by commit SHA, every CI/CD pipeline that referenced these actions began running TeamPCP&#8217;s code on its next execution. No workflow file changed. No pull request was created. The tag simply pointed somewhere new.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!OpZv!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!OpZv!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!OpZv!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!OpZv!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!OpZv!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!OpZv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:992632,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192205276?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!OpZv!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!OpZv!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!OpZv!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!OpZv!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F8b42ac5c-a381-409f-a374-9666972949b5_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>The poisoned actions executed a three-step credential theft operation:</p><p><strong>Collection. </strong>The malware read directly from GitHub Actions Runner memory (`/proc/&lt;pid&gt;/mem`), bypassing GitHub&#8217;s log-masking to harvest credentials. Targeted secrets included SSH keys, AWS/GCP/Azure cloud credentials, Kubernetes tokens, Docker registry credentials, database passwords, TLS private keys, and cryptocurrency wallet files. It also scraped credentials from over 50 filesystem paths.</p><p><strong>Encryption. </strong>Stolen data was encrypted with AES-256-CBC wrapped in RSA-4096, making network-layer inspection ineffective.</p><p><strong>Exfiltration.</strong>  Primary exfiltration went to a typosquatted domain: `scan.aquasecurtiy[.]org` (note the misspelling of &#8220;security&#8221;), resolving to 45.148.10.212 (TECHOFF SRV LIMITED, Amsterdam). As a fallback, the malware used the victim&#8217;s own stolen GitHub PAT to create a public repository named `tpcp-docs` and uploaded the encrypted credential dump there, using trusted infrastructure as a dead drop.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!aKh7!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!aKh7!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!aKh7!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!aKh7!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!aKh7!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!aKh7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:993190,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192205276?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!aKh7!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!aKh7!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!aKh7!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!aKh7!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F6d7e67d1-9100-414f-b4c1-34b52261cad1_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Phase 4: Persistent Backdoor via Blockchain C2</h2><p>When the malicious Trivy binary ran on developer workstations (not just in CI/CD), it installed a systemd service (`sysmon.py`) that polled an Internet Computer Protocol (ICP) blockchain canister every 50 minutes for command-and-control instructions. Because the C2 infrastructure lives on a decentralized blockchain, it resists DNS sinkholes, domain takedowns, and traditional network-based blocking. The low beacon frequency (every 50 minutes) was designed to evade statistical anomaly detection.</p><h2>Phase 5: CanisterWorm Spreads Through npm</h2><p>Using credentials stolen in Phase 3, TeamPCP launched CanisterWorm, a self-propagating worm that compromised 47+ npm packages across multiple scopes (including @emilgroup, @opengov, and @teale.io namespaces). Twenty-eight packages were compromised within 60 seconds. Later variants added token theft and malicious publishing in postinstall hooks, turning every developer or CI pipeline that installed an affected package into an unwitting propagation vector.</p><p>On March 22, TeamPCP also used a compromised long-lived PAT from the `Argon-DevOps-Mgt` bot account (created July 2023) to breach Aqua Security&#8217;s internal GitHub organization. Within a two-minute window (20:31-20:32 UTC), 44 internal repositories were renamed with a `tpcp-docs-` prefix, exposing Tracee source code, internal forks, CI/CD pipelines, and Kubernetes operators.</p><h1>The Kubernetes Wiper: &#8220;Kamikaze&#8221;</h1><p>One payload deserves special attention. TeamPCP deployed a Kubernetes wiper that deploys privileged DaemonSets across cluster nodes. The behavior is geographically targeted:</p><p><strong>On systems geolocated to Iran:</strong> executes `rm -rf / --no-preserve-root` and forces a system reboot via a container named &#8220;kamikaze&#8221;</p><p><strong>On all other systems:</strong> installs CanisterWorm as a systemd service for persistent backdoor access</p><p><em>The Iranian targeting is notable given the current geopolitical context, but attribution to any state actor has not been established.</em> TeamPCP&#8217;s motivations appear primarily criminal (credential theft, infrastructure compromise) with the Iranian wiper component potentially representing hacktivism, a false flag, or an unrelated vendetta. No vendor has attributed TeamPCP to a nation-state.</p><h1>Why This Matters</h1><p>This attack exploits a fundamental trust assumption: that security tools are trustworthy. Organizations run Trivy inside their most privileged environments (CI/CD pipelines with access to production credentials, cloud infrastructure tokens, and signing keys) precisely because it is a security tool. That trust relationship made the compromise devastatingly effective.</p><h3>Three structural problems made this possible:</h3><p><strong>1.</strong> <strong>Tag-based GitHub Action references are inherently fragile.</strong> If you reference `uses: aquasecurity/trivy-action@v0.28.0`, you are trusting that the tag will always point to the same commit. Tags can be force-pushed. There is no integrity guarantee. This is a known risk that the GitHub Actions ecosystem has not adequately addressed. The fix is to pin actions by full commit SHA, which is immutable.</p><p><strong>2.</strong> <strong>Incomplete credential rotation created the window. </strong>Aqua Security detected the initial PAT theft in late February and rotated credentials, but missed residual access paths. TeamPCP waited and re-entered through a surviving token. As GitGuardian&#8217;s analysis puts it: the core lesson extends beyond detection. Organizations must &#8220;trace blast radius, prioritize rotation, verify remediation, and prove that the same credential cannot be reused tomorrow.&#8221;</p><p><strong>3. Official distribution channels became the delivery mechanism. </strong>The malicious binary was published through GitHub Releases, Docker Hub, GHCR, and ECR. These are the channels organizations trust. There was no phishing email, no drive-by download, no exploitation of a vulnerability in the traditional sense. The attacker simply published a new version through legitimate automation.</p><h1>What You Should Do</h1><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!n0Ke!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!n0Ke!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 424w, https://substackcdn.com/image/fetch/$s_!n0Ke!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 848w, https://substackcdn.com/image/fetch/$s_!n0Ke!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 1272w, https://substackcdn.com/image/fetch/$s_!n0Ke!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!n0Ke!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png" width="1024" height="634" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:634,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:423744,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/192205276?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fbec1ce57-805a-4469-a536-290a80a48811_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!n0Ke!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 424w, https://substackcdn.com/image/fetch/$s_!n0Ke!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 848w, https://substackcdn.com/image/fetch/$s_!n0Ke!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 1272w, https://substackcdn.com/image/fetch/$s_!n0Ke!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F14f1f4d3-70e3-4d4e-bff0-ed1cad32edb8_1024x634.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h2>Immediate (today)</h2><p><strong>Check for affected Trivy versions.</strong> Search your environments for Trivy 0.69.4, 0.69.5, or 0.69.6. The last clean version is 0.69.3. Check GitHub Actions logs, Docker image registries, and developer workstations.</p><p><strong>Audit GitHub Actions workflow runs from March 19 onward.</strong> Review execution logs for `trivy-action` and `setup-trivy`. Look for unexpected network connections, repository creation (especially repositories prefixed with `tpcp-docs`), or credential access patterns.</p><p><strong>Rotate all secrets that were accessible to affected pipelines.</strong> If any pipeline ran a compromised action or binary after March 19, treat every secret accessible to that pipeline as compromised. This includes cloud provider credentials, Docker registry tokens, npm publish tokens, SSH keys, database credentials, and Kubernetes service account tokens.</p><p><strong>Search for persistence mechanisms. </strong>On Linux systems, look for suspicious systemd services: `sysmon.py`, `pgmon.py`, `pgmonitor.service`, `internal-monitor.service`. Check for outbound connections to the ICP canister endpoint (`tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0.io`) or the typosquatted domain (`scan.aquasecurtiy[.]org`).</p><h2>This week</h2><p><strong>Pin all GitHub Actions by full commit SHA. </strong>Replace every tag-based action reference in your workflows with the full 40-character commit hash. This is the single most effective mitigation against tag poisoning attacks. Yes, it makes updates harder. That friction is the point.</p><p><strong>Audit npm dependencies installed since March 19.</strong> Check for packages in the @emilgroup, @opengov, and @teale.io scopes. Review postinstall hooks in all recently updated packages.</p><p><strong>Review CI/CD pipeline permissions.</strong> Apply least privilege to workflow tokens. Restrict `GITHUB_TOKEN` permissions to the minimum required for each workflow. Eliminate long-lived PATs wherever possible and replace with short-lived, scoped tokens.</p><h2>Going forward</h2><p><strong>Treat CI/CD runners as production infrastructure.</strong> Monitor them with the same rigor you apply to production servers. Credential theft from a CI/CD runner can be more damaging than a production server compromise because runners have access to deployment credentials, signing keys, and cross-environment tokens.</p><p><strong>Implement secret scanning and rotation verification.</strong>  When you rotate credentials after an incident, verify the rotation was complete. Test that the old credential no longer works. GitGuardian, GitHub Advanced Security, and similar tools can help detect lingering exposure.</p><h1>Indicators of Compromise</h1><h3>Network:</h3><p>- `scan.aquasecurtiy[.]org` (typosquatted exfiltration domain)</p><p>- `45.148.10.212` (TECHOFF SRV LIMITED, Amsterdam)</p><p>- `tdtqy-oyaaa-aaaae-af2dq-cai.raw.icp0[.]io` (ICP blockchain C2)</p><p>- `plug-tab-protective-relay.trycloudflare.com` (Cloudflare tunnel exfil)</p><p>- `souls-entire-defined-routes.trycloudflare.com`</p><p>- `checkmarx[.]zone`</p><p>- `63.251.162.11`</p><p>- `23.142.184.129` (ICP blockchain infrastructure; monitor only, do not block as this serves legitimate traffic.)</p><p><strong>Note on Cloudflare tunnel domains: </strong>The `trycloudflare[.]com` subdomains above are ephemeral Cloudflare quick tunnels that may already be rotated or expired. Monitor for the pattern but do not rely on these as durable indicators.</p><p><strong>Note on checkmarx[.]zone: </strong>This is a typosquatted domain impersonating Checkmarx (legitimate domain: checkmarx.com). Confirmed as attacker infrastructure by Palo Alto Unit 42.</p><h3>Affected versions:</h3><p>- Trivy 0.69.4, 0.69.5, 0.69.6 (last clean: 0.69.3)</p><p>- trivy-action: 75 of 76 tags compromised</p><p>- setup-trivy: all 7 tags compromised</p><p>- 47+ npm packages across @emilgroup, @opengov, @teale.io scopes</p><h3>Persistence indicators:</h3><p>- systemd services: `sysmon.py`, `pgmon.py`, `pgmonitor.service`, `internal-monitor.service`</p><p>- Repositories prefixed with `tpcp-docs` in your GitHub organization</p><h3>File hashes (select):</h3><p>- `e9b1e069efc778c1e77fb3f5fcc3bd3580bbc810604cbf4347897ddb4b8c163b`</p><p>- `61ff00a81b19624adaad425b9129ba2f312f4ab76fb5ddc2c628a5037d31a4ba`</p><h1>The Bottom Line</h1><p>The Trivy compromise demonstrates that software supply chain attacks are no longer limited to obscure packages or niche tools. A security scanner used by thousands of organizations to protect their infrastructure was turned into a credential harvesting platform, a persistent backdoor, and a worm propagation vector, all distributed through official channels that defenders are conditioned to trust.</p><p>The fix is not complicated, but it requires discipline. Pin your actions by SHA. Rotate credentials completely. Monitor your CI/CD runners. And stop assuming that because a tool is designed to improve your security, it cannot be used to destroy it.</p><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/your-vulnerability-scanner-just-became?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/your-vulnerability-scanner-just-became?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/your-vulnerability-scanner-just-became?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><p></p><p>*Research sources: Intruvent CTI Cloud, Microsoft Defender Security Research (March 24, 2026), Palo Alto Unit 42 Cloud Security (March 25, 2026), Wiz Research (March 20-23, 2026), GitGuardian (March 24, 2026), The Hacker News (March 25, 2026), Sysdig Threat Research (March 23, 2026), Arctic Wolf (March 24, 2026), Aqua Security formal advisory (March 23, 2026)*</p><p>For threat hunting queries and detection rules for your SIEM, visit the<strong><a href="https://intruvent.com/threat-intelligence/"> Intruvent Threat Intelligence Hub</a></strong> or for CTU related to the Iran conflict visit the <strong><a href="https://intruvent.com/iran-cyber-threat/">Intruvent Iran Cyber Threat Intelligence Center</a></strong> or contact us at contact@intruvent.com.</p><p>Want sector-specific threat intelligence for your organization? Check out our <strong><a href="https://intruvent.com/brace/#pricing">BRACE CTI platform</a></strong></p>]]></content:encoded></item><item><title><![CDATA[Prevent This: Approving Your Own Compromise]]></title><description><![CDATA[How Iranian APT groups steal sessions after you approve the login. And what actually stops them.]]></description><link>https://edge.intruvent.com/p/prevent-this-approving-your-own-compromise</link><guid isPermaLink="false">https://edge.intruvent.com/p/prevent-this-approving-your-own-compromise</guid><dc:creator><![CDATA[Sig Murphy]]></dc:creator><pubDate>Tue, 24 Mar 2026 16:30:29 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!AJaq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div><hr></div><h1>What Happened?</h1><p>Last week, we published Threat Actor Profiles (TAPs) and Threat Hunting Guides (THGs) for Iran&#8217;s most dangerous cyber operators and the escalating threat they pose to Western organizations. If you haven&#8217;t seen them yet, our <a href="https://intruvent.com/iran-cyber-threat/">Iran Cyber Threat Intelligence Center</a> is the go-to resource for tracking every active Iranian threat group, complete with detection rules, hunting queries, and tactical guidance. Go check it out.</p><p><strong>One technique kept showing up across almost every group we profiled: bypassing multi-factor authentication.</strong></p><p>Not breaking it. Not cracking it. Bypassing it entirely.</p><p>Here&#8217;s how it works. You get an email that looks like it came from Microsoft or Google. The login page looks real. The URL looks close enough. You type your password, get the MFA prompt on your phone, and approve it. You did everything right. You followed the training. You used MFA.</p><p>And the attacker now has your session.</p><p>The page you logged into was running through a reverse proxy: a server sitting invisibly between you and the real Microsoft login. <strong>When you completed your MFA challenge, the proxy captured the session token that Microsoft issued after your successful authentication.</strong> The attacker takes that token, loads it into their own browser, and they&#8217;re in. <strong>Microsoft thinks they&#8217;re you.</strong> MFA never fires again because the token says authentication already happened.</p><p>This isn&#8217;t theoretical. <strong>This is the primary access technique for multiple Iranian state-sponsored groups operating right now.</strong></p><div><hr></div><div class="subscription-widget-wrap-editor" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe&quot;,&quot;language&quot;:&quot;en&quot;}" data-component-name="SubscribeWidgetToDOM"><div class="subscription-widget show-subscribe"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! Subscribe for free to receive new posts and support my work.</p></div><form class="subscription-widget-subscribe"><input type="email" class="email-input" name="email" placeholder="Type your email&#8230;" tabindex="-1"><input type="submit" class="button primary" value="Subscribe"><div class="fake-input-wrapper"><div class="fake-input"></div><div class="fake-button"></div></div></form></div></div><div><hr></div><h1>Why Should You Care?</h1><p>Because MFA has become the security equivalent of &#8220;I eat healthy&#8221; while surviving on protein bars and Diet Coke. It feels like you&#8217;re covered. The checkbox is checked. And for years, that was good enough.</p><p>It&#8217;s not good enough anymore.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!AJaq!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!AJaq!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!AJaq!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!AJaq!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!AJaq!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!AJaq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:1449684,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/191885579?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!AJaq!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 424w, https://substackcdn.com/image/fetch/$s_!AJaq!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 848w, https://substackcdn.com/image/fetch/$s_!AJaq!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 1272w, https://substackcdn.com/image/fetch/$s_!AJaq!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F3e9cc165-077a-4266-a583-c6b21d63fd1b_1024x1024.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p><strong>APT42, the IRGC Intelligence Organization&#8217;s dedicated credential harvesting unit (also tracked as Charming Kitten and Mint Sandstorm), has built an industrial-scale phishing operation specifically designed to defeat MFA.</strong> Check Point Research documented over 130 phishing domains operated by the group, many running custom React-based phishing kits that intercept MFA tokens in real time. Their targets include journalists, academics, policy researchers, government officials, and cybersecurity professionals. They build trust over weeks of correspondence before sending the malicious link. By the time the phishing page loads, the victim has every reason to believe the interaction is legitimate.</p><p><strong>APT33 (Peach Sandstorm) takes a different approach to the same problem. Rather than sophisticated phishing proxies, they run massive password spraying campaigns against Azure AD and Microsoft 365 environments.</strong> The technique is blunt but effective: try common passwords across thousands of accounts. When they find one that works, they look for ways around MFA. Legacy authentication protocols like IMAP, POP3, and SMTP AUTH don&#8217;t support MFA at all. If your organization hasn&#8217;t explicitly blocked these protocols, an attacker with a valid password can walk right past your MFA controls using a protocol from 1996.</p><p>Then there&#8217;s the Stryker attack. Two weeks ago, <strong>Handala (a front for Iran&#8217;s MOIS destructive operations unit, Void Manticore) compromised a Stryker Corporation admin account and used Microsoft Intune to remotely wipe 200,000 devices</strong> across 79 countries. MFA was in place. It didn&#8217;t prevent the initial credential theft from being leveraged into catastrophic admin abuse. Once the attackers had a <em>single valid session</em> with administrative privileges, every device enrolled in the management platform became a target.</p><p><strong>MuddyWater rounds out the picture. Iran&#8217;s MOIS-affiliated group harvests credentials and then operates entirely within legitimate cloud services for command and control.</strong> They don&#8217;t need to bypass your MFA repeatedly because they&#8217;re working within trusted authentication contexts, using your own cloud infrastructure against you.</p><p>The pattern across all four groups is the same: MFA is a speed bump, not a wall.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!P4DE!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!P4DE!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!P4DE!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!P4DE!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!P4DE!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!P4DE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg" width="1024" height="1024" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:1024,&quot;width&quot;:1024,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:114766,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/191885579?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!P4DE!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 424w, https://substackcdn.com/image/fetch/$s_!P4DE!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 848w, https://substackcdn.com/image/fetch/$s_!P4DE!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!P4DE!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F25ac008e-d42a-49cc-9f52-a0fe7770b8ff_1024x1024.jpeg 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h1>How Does This Actually Work?</h1><p>The tool that makes this possible is called Evilginx. Originally built as a penetration testing tool, it&#8217;s an open-source reverse proxy framework that sits between a victim and a legitimate login page. The attacker sets up a server, registers a domain that looks similar to the real one, and configures Evilginx to proxy traffic to the actual Microsoft or Google login.</p><p>When you visit the phishing page, Evilginx forwards your request to the real login server. You see the real login page, rendered through the proxy. You enter your password. The real server sends back an MFA challenge. You approve it on your phone. The real server issues a session token. Evilginx captures that token before passing the authenticated page back to you.</p><p>You see a successful login. The attacker sees your session token.</p><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!-mO4!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!-mO4!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 424w, https://substackcdn.com/image/fetch/$s_!-mO4!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 848w, https://substackcdn.com/image/fetch/$s_!-mO4!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 1272w, https://substackcdn.com/image/fetch/$s_!-mO4!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!-mO4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png" width="1008" height="595" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/a173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:595,&quot;width&quot;:1008,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:720462,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/191885579?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fda2aef2a-3030-4edd-9a03-b2882159c9d0_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!-mO4!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 424w, https://substackcdn.com/image/fetch/$s_!-mO4!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 848w, https://substackcdn.com/image/fetch/$s_!-mO4!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 1272w, https://substackcdn.com/image/fetch/$s_!-mO4!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fa173e0a3-3d1c-4d52-b7ae-e0666f514886_1008x595.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p>From there, the attacker loads your stolen token into their own browser. <strong>To Microsoft&#8217;s servers, the request looks identical to yours: same token, valid authentication, MFA already completed.</strong> The attacker can now read your email, access your files, and move laterally through your organization. Unless someone notices that your account is suddenly being accessed from two different countries at the same time, there&#8217;s no alert.</p><p>The commercial ecosystem around this technique has matured rapidly. Phishing-as-a-Service platforms like Tycoon 2FA, Sneaky2FA, and Flowerstorm sell ready-made kits that handle the entire reverse proxy setup. No technical expertise required. Push Security&#8217;s 2025 analysis found that MFA bypass is now standard fare in the criminal phishing marketplace, and that roughly one in three phishing attacks they detected were delivered outside of email entirely, through LinkedIn messages, Google search results, and other channels that email security tools never see.</p><p>Token theft accounted for 31% of Microsoft 365 breaches in 2025, making it the leading attack vector ahead of traditional credential compromise. Microsoft documented over 382,000 MFA fatigue attacks in a single year, with research showing that 1% of users blindly accept the first push notification they receive.</p><p>One percent sounds small until you calculate it across an organization with 10,000 employees.</p><h1>What Can You Do?</h1><div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!1KPC!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!1KPC!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 424w, https://substackcdn.com/image/fetch/$s_!1KPC!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 848w, https://substackcdn.com/image/fetch/$s_!1KPC!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 1272w, https://substackcdn.com/image/fetch/$s_!1KPC!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!1KPC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png" width="1022" height="690" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/abb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:690,&quot;width&quot;:1022,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:825640,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/png&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:true,&quot;topImage&quot;:false,&quot;internalRedirect&quot;:&quot;https://edge.intruvent.com/i/191885579?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F29fe6f8a-1b6a-45ea-97aa-b00f20736f40_1024x1024.png&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!1KPC!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 424w, https://substackcdn.com/image/fetch/$s_!1KPC!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 848w, https://substackcdn.com/image/fetch/$s_!1KPC!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 1272w, https://substackcdn.com/image/fetch/$s_!1KPC!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2Fabb2cf55-bd4f-422d-a9fe-462b4ac7d2ea_1022x690.png 1456w" sizes="100vw" loading="lazy"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><h3><strong>For Everyone:</strong></h3><p><em><strong>Stop approving MFA prompts you didn&#8217;t initiate. This is the single most important takeaway from this entire article.</strong></em> If your phone buzzes with a login approval request and you aren&#8217;t actively logging into something, deny it. Every time. That unexpected prompt could be an attacker who already has your password, waiting for you to tap &#8220;Approve&#8221; so they can walk into your account.</p><p>Use a password manager. A good password manager auto-fills credentials only on the exact domain they were saved for. If you land on a phishing page at &#8220;micros0ft-login.com&#8221; instead of &#8220;microsoft.com,&#8221; your password manager will refuse to fill in your credentials. That moment of friction could save your organization.</p><h3><strong>For IT and Security Teams:</strong></h3><p><strong>Deploy phishing-resistant MFA</strong>. Hardware security keys (FIDO2/WebAuthn) and passkeys defeat reverse proxy attacks entirely because the authentication is cryptographically bound to the legitimate domain. The key literally cannot produce a valid response for a phishing site because the domain doesn&#8217;t match. Google deployed hardware security keys to all 85,000+ employees and reported zero successful phishing attacks afterward. Cloudflare survived a sophisticated phishing campaign that compromised other tech companies because their hardware keys refused to authenticate on the phishing domain, even after employees clicked the malicious links and entered their credentials.</p><p>Adoption of phishing-resistant authenticators grew 63% in 2024, according to Okta&#8217;s research. CISA calls FIDO2 and PKI-based authentication the gold standard. Multiple countries are now mandating the retirement of SMS-based authentication. The technology is mature and the deployment playbooks are proven.</p><p><strong>Block legacy authentication protocols. If IMAP, POP3, SMTP AUTH, and other legacy protocols are still enabled in your Microsoft 365 or Entra ID environment, you have a backdoor that bypasses MFA entirely.</strong> Create Conditional Access policies that block legacy authentication. Start in report-only mode to identify any legitimate usage, then enforce. This single change eliminates the attack vector that APT33 and dozens of other groups exploit through password spraying.</p><p><strong>Implement Conditional Access policies with teeth.</strong> Require compliant devices for access to sensitive resources. Restrict authentication to managed devices and known network locations for administrative accounts. Require step-up authentication for high-risk actions. These policies create layers of verification that survive a stolen session token.</p><p><strong>Monitor for token replay. When an attacker steals a session token, there&#8217;s a window where two different sessions using the same token are active from different IP addresses and user agents</strong>. Enable Continuous Access Evaluation in Entra ID, which can detect and revoke tokens when conditions change. Watch for impossible travel patterns. Alert on sessions where the user agent or IP address changes mid-session.</p><p><strong>Shorten token lifetimes for sensitive accounts.</strong> The shorter the session token validity, the smaller the window an attacker has to exploit a stolen token. This creates friction for legitimate users, so apply it selectively to high-privilege accounts where the security tradeoff is worth it.</p><h3><strong>For Security Leaders:</strong></h3><p>Audit your MFA deployment honestly. Check which accounts still use SMS-based MFA. Identify where legacy protocols remain enabled. Find the administrative accounts that have permanently assigned privileges rather than just-in-time access. The Stryker attack demonstrated what happens when a single admin account with broad permissions gets compromised. Least privilege and just-in-time access aren&#8217;t theoretical best practices. They&#8217;re the difference between a compromised account and a compromised enterprise.</p><h1>The Bottom Line</h1><p><strong>MFA still matters. Having MFA enabled is dramatically better than not having it. The vast majority of credential attacks still fail against accounts with any form of MFA enabled.</strong></p><p><strong>But &#8220;I have MFA&#8221; has become the new &#8220;I have antivirus.&#8221; It&#8217;s a starting point, not a finish line.</strong> The Iranian groups we profiled on our <a href="https://intruvent.com/iran-cyber-threat/">Iran Cyber Threat Intelligence Center</a> have built entire operational playbooks around the assumption that their targets use MFA. Their attacks are designed from the ground up to defeat it.</p><p>T<strong>he fix exists. Hardware security keys and passkeys are cryptographically immune to these attacks. Blocking legacy protocols closes the password-spraying backdoor. Conditional Access policies and token monitoring catch what gets through. None of this is exotic or experimental. It&#8217;s available today, from the vendors you already use.</strong></p><p>The question isn&#8217;t whether your MFA can be bypassed. It can. The question is whether you&#8217;ve deployed the controls that make bypass meaningless.</p><p><strong>Next time you get an unexpected MFA prompt on your phone, remember: that approval button might be the most dangerous click you make all year. Deny it. Call your IT team.</strong> </p><div><hr></div><div class="captioned-button-wrap" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-approving-your-own-compromise?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="CaptionedButtonToDOM"><div class="preamble"><p class="cta-caption">Thanks for reading Intruvent Edge! This post is public so feel free to share it.</p></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://edge.intruvent.com/p/prevent-this-approving-your-own-compromise?utm_source=substack&utm_medium=email&utm_content=share&action=share&quot;,&quot;text&quot;:&quot;Share&quot;}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://edge.intruvent.com/p/prevent-this-approving-your-own-compromise?utm_source=substack&utm_medium=email&utm_content=share&action=share"><span>Share</span></a></p></div><div><hr></div><p><em>Research Sources: Intruvent CTI Cloud, Google Cloud/Mandiant APT42 Research, Check Point Research, Microsoft Threat Intelligence, Cisco Talos, Push Security 2025 Phishing Trends Report, Okta Secure Sign-in Trends Report 2025, Obsidian Security, CISA Phishing-Resistant MFA Guidance, Malwarebytes, Infoblox</em></p><p><em>For the complete Iranian threat actor profiles, detection queries, and hunting guides, visit the <a href="https://intruvent.com/iran-cyber-threat/">Iran Cyber Threat Intelligence Center</a>.</em></p><p><em>Last Updated: March 24, 2026</em></p><div><hr></div><p><em>Want sector specific threat intelligence for your organization?  Check out our BRACE CTI platform at <a href="https://intruvent.com/brace">https://intruvent.com/brace</a></em></p>]]></content:encoded></item></channel></rss>