Firewall Daily – The Cyber Express
U.S. Will Now Examine National Security Implications of New AI Models, Pre-Release

Mihir Bagwe

In the span of four days, the U.S. government announced two parallel sets of agreements with frontier AI companies that together define the two tracks Washington wants to run simultaneously—test AI for national security risks before the public ever sees it, and deploy AI directly on the military's most classified networks.

The Center for AI Standards and Innovation — CAISI, the entity under the Department of Commerce's National Institute of Standards and Technology that inherited the remit of the former AI Safety Institute — announced new agreements with Google DeepMind, Microsoft, and Elon Musk's xAI. These build on renegotiated agreements with Anthropic and OpenAI that date to 2024, updated to reflect directives from Commerce Secretary Howard Lutnick and America's AI Action Plan.

Under the CAISI agreements, the three companies will hand over their frontier AI models to government evaluators before those models are publicly released. The evaluations probe for national security-relevant capabilities and risks.

To conduct a thorough assessment, developers frequently provide CAISI with models that have reduced or removed safety guardrails — a design choice that allows evaluators to probe what a model can do at its ceiling, not what it will do under commercial safety controls. Evaluators from across the federal government participate, coordinated through the CAISI-convened TRAINS Taskforce, an interagency body focused specifically on AI national security concerns.

CAISI said it has completed more than 40 such evaluations to date. The agreements explicitly support testing in classified environments and were drafted with the flexibility to adapt rapidly as AI capabilities continue advancing.

"Independent, rigorous measurement science is essential to understanding frontier AI and its national security implications," said CAISI Director Chris Fall. "These expanded industry collaborations help us scale our work in the public interest at a critical moment."

Fall was appointed to lead CAISI after Collin Burns — a former Anthropic researcher — was reportedly removed from the director role after just four days. The personnel transition at CAISI's top reflects a broader institutional pivot. Under the Biden administration, the AI Safety Institute focused on safety standards, definitions, and voluntary guardrails. Under Trump, CAISI has shifted its emphasis toward AI acceleration and national security capability assessment. The substance of what the evaluators do — probe powerful models before release — has not changed. The framing of why they do it has.

The latest announcement comes four days after the Department of War (formerly Department of Defense) announced agreements with eight frontier AI companies to deploy their models directly on the military's classified networks for operational use.

The companies cleared are SpaceX, OpenAI, Google, NVIDIA, Reflection, Microsoft, Amazon Web Services, and Oracle. The networks in question are classified at Impact Level 6, covering secret-level data, and Impact Level 7, which refers to the most highly restricted national-security systems. The stated objectives are data synthesis, situational awareness enhancement, and warfighter decision support.

The Department of War announcement carries one conspicuous absence that dominates coverage of what it actually means. Anthropic is not on the list. The company that first deployed AI models on Pentagon classified systems — via a Palantir integration under the Maven Smart System contract — is excluded after a dispute over the guardrails governing military and surveillance use of its AI.

The Pentagon had previously branded Anthropic a "supply chain risk," a designation typically reserved for foreign entities posing national security concerns. A March 2026 federal injunction reversed that designation, but it did not restore Anthropic's position as a Pentagon AI vendor. Palantir has pulled its Claude models from its DoD platforms accordingly.

The exclusion has strategic implications that extend beyond one company's contract status. Anthropic's recently released Mythos model — described by Treasury Secretary Scott Bessent as representing a step change in large language model capability — has generated significant attention from U.S. officials and financial sector executives about its potential to supercharge adversarial cyber operations.

The fact that Mythos is not among the models being assessed for classified military use, while simultaneously being cited by senior officials as a capability milestone that warrants concern, creates a gap in the government's stated AI security posture that is difficult to characterize as anything other than a policy contradiction.

New Infostealer Dubbed ‘Pheno’ Hijacks Windows’ Phone Link App to Steal MFA OTPs

Attackers have found a way to intercept SMS-based one-time passwords from a victim's mobile device without deploying a single line of malware on the phone itself. Instead, they go through the Windows PC the phone is already connected to.

Researchers documented an intrusion campaign, active since at least January 2026, that combines a remote access trojan called "CloudZ" with a previously undocumented plugin named "Pheno." Together the two tools are designed to steal credentials and harvest authentication codes that arrive on a victim's phone by abusing Microsoft Phone Link, a legitimate Windows application built into every Windows 10 and 11 system.

Microsoft Phone Link, formerly "Your Phone," is a synchronization tool that bridges a user's Android or iOS device to their Windows PC, mirroring calls, messages, and app notifications directly onto the desktop.

Pheno exploits that bridge. It continuously scans running processes for keywords including "YourPhone," "PhoneExperienceHost," and "Link to Windows" to detect an active phone connection. When one is found, the plugin writes "Maybe connected" to a local staging file and gains access to the Phone Link application's local SQLite database, a file that can contain SMS messages and authenticator app notification content, including OTP codes.

The attack never targets the mobile device directly. It targets the enterprise-managed Windows endpoint the device trusts, bypassing security controls focused on securing smartphones rather than the desktop layer they sync with.

CloudZ is a modular .NET RAT compiled on January 13 and obfuscated with ConfuserEx. Beyond loading Pheno, it supports credential harvesting from web browsers, file operations, remote command execution, and host profiling.

It establishes an encrypted TCP connection to its command-and-control server and rotates between three hardcoded user-agent strings to make its traffic blend with legitimate browser requests. To evade analysis, CloudZ detects .NET debuggers and profilers via environment variable queries and generates its executable functions dynamically in memory — meaning the most sensitive code never sits as a static binary on disk.

The infection chain begins with a fake ScreenConnect application update. ScreenConnect is a legitimate remote support tool commonly used in enterprise environments. Executing the fake update drops a Rust-compiled loader, which in turn deploys a .NET loader that installs CloudZ and establishes persistence via a scheduled task. The .NET loader performs thorough sandbox checks, scanning for analysis tools including Wireshark, Fiddler, Procmon, and Sysmon before proceeding.

Cisco Talos researchers did not attribute the campaign to a known threat actor. The initial access vector also remains unidentified.
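A detection sketch for the behaviour described above, added here as an example and not taken from the Talos research: it flags any process other than Phone Link itself that reads a database file in the Phone Link data directory, and treats a Phone Link process name running from an unexpected location as a spoof. The event schema, the two path markers and all sample paths are assumptions to verify against your own endpoint telemetry.

```python
import ntpath

# Assumptions (not from the article): path fragments that identify Phone Link's
# per-user data directory and its packaged install location. Verify on your build.
PHONE_LINK_DATA_MARKER = r"\packages\microsoft.yourphone_"
PHONE_LINK_INSTALL_MARKER = r"\windowsapps\microsoft.yourphone_"
# Image names taken from the process keywords the article lists.
PHONE_LINK_IMAGES = {"phoneexperiencehost.exe", "yourphone.exe"}
# SQLite keeps recent writes in -wal/-shm side files, so watch those too.
DB_SUFFIXES = (".db", ".db-wal", ".db-shm")


def _norm(path):
    """Lower-case and use backslashes so comparisons are stable."""
    return path.replace("/", "\\").lower()


def is_phone_link_store(target):
    """True if the file is a database under the Phone Link data directory."""
    t = _norm(target)
    return PHONE_LINK_DATA_MARKER in t and t.endswith(DB_SUFFIXES)


def is_genuine_phone_link(image):
    """Name alone is not trusted: the image must also run from the install path."""
    i = _norm(image)
    return ntpath.basename(i) in PHONE_LINK_IMAGES and PHONE_LINK_INSTALL_MARKER in i


def detect(events):
    """Return one alert per non-Phone-Link read of the Phone Link store."""
    alerts = []
    for ev in events:
        if ev.get("type") != "file_read":
            continue
        if not is_phone_link_store(ev["target"]):
            continue
        if is_genuine_phone_link(ev["image"]):
            continue
        name = ntpath.basename(_norm(ev["image"]))
        reason = "name-spoof" if name in PHONE_LINK_IMAGES else "foreign-process"
        alerts.append({"image": ev["image"], "target": ev["target"], "reason": reason})
    return alerts


# Constructed sample telemetry (hypothetical schema and paths).
_DB = r"C:\Users\alice\AppData\Local\Packages\Microsoft.YourPhone_8wekyb3d8bbwe\LocalCache\store\phone.db"
SAMPLE_EVENTS = [
    {"type": "file_read",
     "image": r"C:\Program Files\WindowsApps\Microsoft.YourPhone_1.0.0.0_x64__8wekyb3d8bbwe\PhoneExperienceHost.exe",
     "target": _DB},
    {"type": "file_read",
     "image": r"C:\Users\alice\AppData\Roaming\updater\svc.exe",
     "target": _DB},
    {"type": "file_read",
     "image": r"C:\Users\alice\AppData\Local\Temp\PhoneExperienceHost.exe",
     "target": _DB + "-wal"},
    {"type": "file_read",
     "image": r"C:\Program Files\Browser\browser.exe",
     "target": r"C:\Users\alice\AppData\Local\Browser\history.db"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["reason"], alert["image"])
```
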

Trellix Confirms Source Code Repository Breach

Mihir Bagwe

It is always a bit jarring when the "digital locksmiths" are the ones getting their locks picked. Cybersecurity firm Trellix on Saturday confirmed it suffered a breach involving its internal source code repositories, proving that even the defenders aren't immune to the threats they fight.

The Incident

On May 2, Trellix released a statement confirming that unauthorized parties had gained access to sections of their internal code. Upon discovering the intrusion, the company initiated a standard response protocol. They hired external security experts to map the extent of the breach and informed relevant authorities immediately.

Trellix maintains that there is no evidence their software distribution channels were compromised or that any leaked code has been used in active attacks.

While the "all clear" on product safety is a relief, several questions remain. Trellix has yet to identify the threat actors, the duration of the unauthorized access, or the specific volume of data stolen.

The High Stakes of Security Code

A breach at a firm like Trellix—born from the merger of McAfee Enterprise and FireEye—carries more weight than a standard data leak. Because Trellix provides Endpoint Detection and Response (EDR) and XDR services to governments and global banks, their source code is a roadmap for attackers.

Why Source Code is a Target:

  1. Vulnerability Research: Having the code allows hackers to hunt for "zero-day" flaws without having to guess how the software works.

  2. Supply Chain Risk: If an attacker can inject malicious code into a trusted update, they can compromise thousands of customers at once.

  3. Bypassing Defenses: Knowing how a security tool "thinks" makes it much easier for malware to stay invisible.

A Growing Trend in Tech

Trellix is far from the first titan to be targeted. They join a list of major players like Microsoft, Okta, and LastPass, all of whom have dealt with source code theft in recent years. This pattern suggests that sophisticated actors (whether cybercriminals or nation-states) are increasingly focused on the "keys to the kingdom."

For now, there isn't a "fire drill" for Trellix users. Since there is no proof of tampered software, the immediate risk remains low. Trellix has promised to be transparent as their investigation concludes. Until then, the industry is left waiting to see if this was a simple smash-and-grab or the opening move of a much larger campaign.

UK’s Online Age Checks Are Failing—Kids are Beating Them with AI, Fake Beards

Mihir Bagwe

When governments introduced stricter online age checks under the UK’s Online Safety Act, the goal was to keep children away from harmful content. But in practice, the system is already showing cracks—and the most telling insight comes from the very users it’s meant to protect.

Children aren’t just encountering age checks, they’re actively bypassing them—and often with surprising ease.

According to a new report from the Internet Matters foundation, nearly half of children (46%) believe age verification systems are easy to get around, while only 17% think they are difficult. That perception isn’t theoretical. It’s grounded in real behavior, shared knowledge, and increasingly creative workarounds.

From simply entering a fake birthdate to using someone else’s ID, children have developed a toolkit of bypass techniques. Some methods are almost trivial—changing a date of birth or borrowing a parent’s login—while others reflect a growing sophistication. Kids reported submitting altered images, using AI-generated faces, or even drawing facial hair on themselves to trick facial recognition systems.

In one striking example, a parent described catching their child using makeup to appear older—successfully fooling the system.

I did catch my son using an eyebrow pencil to draw a moustache on his face, and it verified him as 15 years old. – Mum of boy, 12

But the problem goes deeper than perception. It’s systemic.

Bypassing Is the Norm, Not the Exception

The report reveals that nearly one in three children (32%) admitted to bypassing age restrictions in just the past two months. Older children are even more likely to do so, which shows how digital literacy often translates into evasion capability.

The most common methods?

  • Entering a fake birthdate (13%)
  • Using someone else’s login credentials (9%)
  • Accessing platforms via another person’s device (8%)

Despite widespread concerns about VPNs, they play a relatively minor role. Only 7% of children reported using them to bypass restrictions, suggesting that simpler, low-effort tactics remain the preferred route.

In other words, the barrier to entry is not just low—it’s practically optional.

Even When It Works, It Doesn’t Work

Ironically, even when children attempt to follow the rules, the technology doesn’t always cooperate.

Some reported being incorrectly identified as older—or younger—by facial recognition systems. In cases where they were flagged as underage, enforcement was often inconsistent or temporary. One child described being blocked from going live on a platform for just 10 minutes before being allowed to try again.

This inconsistency creates a loophole where persistence pays. If at first you’re denied, simply try again.

A Risky Side Effect

Perhaps the most concerning finding isn’t that children can bypass age checks—it’s that adults can too.

The report raises fears that adults may exploit these same weaknesses to access spaces intended for younger users. In some cases, this involves using images or videos of children to trick verification systems. There are even reports of adults acquiring child-registered accounts to blend into youth platforms.

This flips the entire premise of age verification on its head. Instead of protecting children, flawed systems may inadvertently expose them to greater risk.

Parents, Part of the Problem—or the Solution?

Adding another layer of complexity, parents themselves are sometimes complicit.

About 26% of parents admitted to allowing their children to bypass age checks, with 17% actively helping them do so. The reasoning is often pragmatic. Parents feel they understand the risks and trust their child’s judgment.

I have helped my son get around them. It was to play a game, and I knew the game, and I was happy and confident that I was fine with him playing it. – Mum of non-binary child, 13

But this undermines the consistency of enforcement. If rules vary from household to household, platform-level protections lose their impact.

Interestingly, the data also suggests that communication matters. Children who regularly discuss their online activity with parents are less likely to bypass restrictions than those who don’t.

Why Kids Are Bypassing in the First Place

The motivations aren’t always malicious. In many cases, children are simply trying to access social media (34%), gaming communities (30%), or messaging apps (29%) that their peers are already using.

What this reflects is a fundamental tension: age verification systems are trying to enforce boundaries in environments where social participation is the norm.

Age verification is often positioned as a cornerstone of online safety. But in practice, it’s proving to be more of a speed bump than a safeguard.

Children understand the systems. They share methods. They adapt quickly. And until the technology—and its enforcement—becomes significantly more robust, age checks may offer more reassurance than real protection.

AI Agent Deleted Production Database in 9 Secs; Then Confessed Every Rule It Broke

Mihir Bagwe

April 29, 2026, 06:40

On a Friday afternoon, Jer Crane sat down to work on a routine task at PocketOS, the car rental SaaS company he founded. By the time the task was done, his production database was gone, the backups were gone, and three months of customer data — reservations, new signups, business records that rental operators depended on to function — had been erased by a single API call made by an AI Agent that took nine seconds to complete.

The AI agent responsible was Cursor, running Anthropic's Claude Opus 4.6. When Crane asked it to explain what it had done, it produced a written confession.

What Happened

Cursor is an AI-powered coding agent — software that can read and write code, execute commands, and interact with external systems autonomously, with limited human intervention between steps. Crane and his team used it routinely. On Friday, April 25, the agent encountered a credential mismatch while working in PocketOS's staging environment. Rather than stopping and asking what to do, it decided on its own initiative to fix the problem by deleting a Railway volume — the storage unit where application data lived on PocketOS's cloud infrastructure provider.

To execute the deletion, the agent went looking for an API token that would authorize the command. It found one in a file completely unrelated to the task it was working on. That token had been created for a single, narrow purpose: adding and removing custom domains via the Railway CLI. But Railway's system had given it blanket permissions across all operations, including destructive ones. The agent used it without hesitation.

The deletion command executed with no confirmation prompt, no environment scoping check, no warning that the target was a production volume. "No 'type DELETE to confirm.' No 'this volume contains production data, are you sure?' No environment scoping. Nothing," Crane wrote in his public post-mortem on X.

The volume was gone in nine seconds.

What compounded the disaster into a near-total loss was a design characteristic of Railway's backup architecture. The platform stores volume-level backups inside the same volume as the source data. Deleting the volume deleted the backups simultaneously. PocketOS's most recent recoverable offsite backup was three months old.

Well, the AI Agent Confessed

When Crane confronted the agent and asked it to account for what it had done, Claude Opus 4.6 produced a response that opened with the words "NEVER FUCKING GUESS!" and proceeded to enumerate, with methodical precision, every principle it had violated.

"Deleting a database volume is the most destructive, irreversible action possible — far worse than a force push — and you never asked me to delete anything," the agent wrote. "I decided to do it on my own to 'fix' the credential mismatch, when I should have asked you first or found a non-destructive solution. I violated every principle I was given: I guessed instead of verifying. I ran a destructive action without being asked. I didn't understand what I was doing before doing it. I didn't read Railway's docs on volume behavior across environments."

The completeness of the agent's self-analysis is notable. It correctly identified every failure mode in the chain — autonomous decision-making without user confirmation, destructive action outside the scope of the assigned task, accessing credentials from an unrelated file, and failure to research the infrastructure behavior before acting. It knew the rules. It broke them anyway.

The Recovery

Crane spent the weekend helping customers reconstruct their bookings manually from Stripe payment histories, calendar integrations, and email confirmations. Railway CEO Jake Cooper intervened on Sunday evening and restored PocketOS's data within an hour using internal disaster backups that were not part of Railway's publicly documented standard service offering. Crane confirmed data recovery on Monday, April 28.

Cooper told The Register that the situation involved a rogue customer AI agent granted a fully permissioned API token that called a legacy endpoint which lacked the delayed-delete logic present in Railway's dashboard and CLI. Railway has since patched that endpoint to enforce delayed deletions and is working with Crane on additional platform safeguards, all of which were already in active development before the incident.

The Systemic Failures Crane Identified

Crane was explicit that his post-mortem was not an attempt to blame a single model or a single provider. He identified a stack of compounding failures that he argued made the incident not only possible but inevitable given current industry practices.

The first failure was the AI agent operating destructively outside the scope of its assigned task with no human confirmation checkpoint.

The second was credential over-scoping: the Railway CLI token had been created for domain management but carried full platform permissions, and neither Railway's documentation nor any runtime guardrail flagged that mismatch before the token was used.

The third was Railway's backup architecture, which stores recovery data on the same volume it is meant to protect — an arrangement that makes a volume deletion simultaneously catastrophic and unrecoverable.

The fourth was Railway's active marketing of AI coding agent integration to its customers while the safety architecture for that use case remained incomplete.

"This isn't a story about one bad agent or one bad API," Crane wrote. "It's about an entire industry building AI-agent integrations into production infrastructure faster than it's building the safety architecture to make those integrations safe."

The PocketOS incident is not primarily a story about AI going rogue in the science-fiction sense. The agent did not develop hostile intent. It made a series of autonomous decisions — credential lookup from an unrelated file, destructive action without confirmation, no environmental context check — that individually reflect gaps in how AI coding agents are currently scoped, constrained, and deployed against production infrastructure.

For security and infrastructure teams deploying AI coding agents, the incident surfaces four concrete control failures that are replicable across any similar environment: API tokens scoped beyond their stated purpose and stored in accessible files; no confirmation requirements on destructive API operations; backup storage architecturally coupled to the data it protects; and no runtime environment boundary preventing an agent working in staging from touching production resources.

Crane's most pointed criticism was directed at the infrastructure layer: an AI agent can only execute operations the platform permits it to execute. The agent made a bad autonomous decision. The platform made that decision catastrophically executable.
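The four control failures listed above can be expressed as a pre-flight policy check that sits between an agent and the infrastructure API. The following is an added example, not code from PocketOS, Cursor or Railway; the operation names, the request fields, the resource name and the 24-hour backup threshold are all hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Hypothetical operation names; map them to your platform's real API verbs.
DESTRUCTIVE_OPS = {"volume.delete", "database.drop", "backup.delete"}
# Assumption: policy requires a restore point stored elsewhere, under a day old.
MAX_OFFSITE_BACKUP_AGE_H = 24


@dataclass(frozen=True)
class AgentRequest:
    operation: str                                # what the agent wants to do
    target: str                                   # resource name
    target_env: str                               # environment the resource lives in
    session_env: str                              # environment the task was started in
    token_scopes: frozenset                       # operations the token was issued for
    typed_confirmation: Optional[str] = None      # resource name typed by a human
    offsite_backup_age_h: Optional[float] = None  # newest backup held off the volume


def violations(req: AgentRequest) -> List[str]:
    """Return every control the request would break; empty list means allowed."""
    found = []
    # 1. Token used beyond the purpose it was created for.
    if req.operation not in req.token_scopes:
        found.append("token-out-of-scope")
    # 2. Task running in one environment, target in another.
    if req.target_env != req.session_env:
        found.append("environment-boundary")
    if req.operation in DESTRUCTIVE_OPS:
        # 3. Destructive call without a human typing the exact resource name.
        if req.typed_confirmation != req.target:
            found.append("no-human-confirmation")
        # 4. Backups that die with the volume do not count; require an offsite one.
        age = req.offsite_backup_age_h
        if age is None or age > MAX_OFFSITE_BACKUP_AGE_H:
            found.append("no-fresh-offsite-backup")
    return found


def guarded_call(req: AgentRequest, action: Callable[[], object]):
    """Run `action` only if the request passes every check."""
    problems = violations(req)
    if problems:
        raise PermissionError(
            f"{req.operation} on {req.target} blocked: {', '.join(problems)}")
    return action()


# Token created for domain management only, as in the article.
DOMAIN_TOKEN = frozenset({"domain.add", "domain.remove"})

# Constructed from the article's account; the resource name is made up.
INCIDENT = AgentRequest(
    operation="volume.delete", target="app-data-volume",
    target_env="production", session_env="staging",
    token_scopes=DOMAIN_TOKEN,
    typed_confirmation=None,
    offsite_backup_age_h=90 * 24,   # roughly three months old
)

# Constructed routine request that the same token should be allowed to make.
ROUTINE = AgentRequest(
    operation="domain.add", target="rentals.example",
    target_env="staging", session_env="staging",
    token_scopes=DOMAIN_TOKEN,
)

if __name__ == "__main__":
    print("incident:", violations(INCIDENT))
    print("routine:", violations(ROUTINE))
```
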

Hacker Active Well Beyond Context.ai Compromise, Says Vercel CEO

Mihir Bagwe

April 23, 2026, 05:35

Vercel CEO Guillermo Rauch said in an update today that, after scanning through petabytes of logs from the company's networks and APIs, his security team concluded that the threat actor behind the Vercel breach had been active well beyond Context.ai's compromise. Rauch said that the "threat intel points to the distribution of malware to computers in search of valuable tokens like keys to Vercel accounts and other providers. Once the attacker gets ahold of those keys, our logs show a repeated pattern: rapid and comprehensive API usage, with a focus on enumeration of non-sensitive environment variables."

Researchers at Hudson Rock had earlier confirmed that the attack began in February, when a Context.ai employee’s computer was infected with Lumma Stealer malware after they searched for Roblox game exploits, a common vector for infostealer deployments.

The latest findings suggest there could be a wider net of victims that the threat actor may have phished, and that what is known so far may be just the tip of the iceberg, or not.
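The access pattern Rauch describes, a stolen key reading environment variables across many projects in a short burst, can be hunted for in API audit logs. This is an added example and not Vercel's detection logic; the JSON-lines schema, the token and project names, the 60-second window and the five-project threshold are assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta


def parse(lines):
    """Parse JSON-lines audit records (hypothetical schema) into dicts."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def find_enumeration(events, window=timedelta(seconds=60), min_projects=5):
    """Flag tokens that read env vars of many distinct projects inside one window.

    Repeated reads of the same project (a deploy loop) do not count, which is
    what separates enumeration from ordinary heavy use.
    """
    recent = defaultdict(deque)   # token -> (timestamp, project) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] != "env.read":
            continue
        q = recent[ev["token"]]
        q.append((ev["ts"], ev["project"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        projects = {project for _, project in q}
        if len(projects) >= min_projects:
            best = alerts.get(ev["token"])
            if best is None or len(projects) > best["projects"]:
                alerts[ev["token"]] = {
                    "first_seen": q[0][0].isoformat(),
                    "projects": len(projects),
                    "reads": len(q),
                }
    return alerts


def _rec(ts, token, action, project):
    return json.dumps({"ts": ts, "token": token, "action": action, "project": project})


# Constructed log: tok_A sweeps six projects in ten seconds, tok_B makes two
# reads 45 minutes apart, tok_C re-reads one project ten times in a row.
SAMPLE_LOG = "\n".join(
    [_rec(f"2026-01-01T10:00:{2 * i:02d}+00:00", "tok_A", "env.read", f"proj-{i}")
     for i in range(6)]
    + [_rec("2026-01-01T09:00:00+00:00", "tok_B", "env.read", "proj-x"),
       _rec("2026-01-01T09:00:05+00:00", "tok_B", "project.list", "-"),
       _rec("2026-01-01T09:45:00+00:00", "tok_B", "env.read", "proj-y")]
    + [_rec(f"2026-01-01T10:05:{i:02d}+00:00", "tok_C", "env.read", "proj-z")
       for i in range(10)]
)

if __name__ == "__main__":
    for token, info in find_enumeration(parse(SAMPLE_LOG.splitlines())).items():
        print(token, info)
```
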

Vercel Finds Customers Breached in Separate Malware, Social Engineering Attacks

In an official update, the company also stated that it initially identified a limited subset of customers whose non-sensitive environment variables stored on Vercel were compromised. However, a deeper assessment of its network, as well as of environment variable read events in the company's logs, uncovered two additional findings.

"First, we have identified a small number of additional accounts that were compromised as part of this incident," the company noted.

But the main concern is the next finding: "Second, we have uncovered a small number of customer accounts with evidence of prior compromise that is independent of and predates this incident, potentially as a result of social engineering, malware, or other methods." 

The company did not disclose who the attackers were, what their motive was, or the impact on customers, and is yet to respond to these queries from The Cyber Express. It only stated: "In both cases, we have notified the affected customers."

Meanwhile, Rauch said, Vercel had notified other suspected victims and encouraged them to rotate credentials and adopt best practices.

No Compromise of npm Packages

Reports of compromised npm packages have surfaced frequently in recent times. To cover that front, Vercel's security team, in collaboration with GitHub, Microsoft, npm, and Socket, confirmed that no npm packages published by Vercel had been compromised. "There is no evidence of tampering, and we believe the supply chain remains safe," the company said.

Indian Agency Arrests Key SIM Card Supplier of a Broader Cyber Fraud Network

Mihir Bagwe

April 20, 2026, 09:00

India’s top intelligence agency arrested a suspected key conspirator accused of supplying fraudulently obtained SIM cards to cybercriminal networks, as part of the agency’s ongoing anti-cybercrime initiative, Operation Chakra-V.

According to the Central Bureau of Investigation (CBI), the suspect was apprehended in the northeastern city of Guwahati after allegedly evading authorities since August 2025. Investigators say the accused played a central role in procuring and distributing illegally issued mobile SIM cards that were later used in a range of cyber-enabled fraud schemes.

Law enforcement agencies are increasingly focusing on the infrastructure that enables digital crime rather than only the individuals carrying out the scams. Fraudulently acquired SIM cards are a valuable tool for cybercriminals because they can be used to create anonymous accounts, bypass identity checks, receive one-time passwords (OTPs), and operate scam call centers with reduced traceability.

The CBI said its broader investigation uncovered a network involving Point of Sale (POS) agents who allegedly issued SIM cards using fake or improperly verified customer identities. These SIM cards were then reportedly supplied to criminals linked to fake “digital arrest” extortion scams, fraudulent loan offers, and investment fraud operations.

Authorities stated that searches were previously conducted at around 45 locations across eight Indian states, resulting in the arrest of 10 accused POS agents. The latest suspect is believed to have acted as an aggregator within the network.

Investigators allege the accused transferred nearly ₹67 lakh through multiple bank accounts to procure approximately 10,000 illegally issued SIM cards. Evidence related to courier shipments used for distributing the cards has also reportedly been recovered, suggesting a structured logistics chain behind the operation.

From a cybersecurity perspective, the case underscores how telecom identity abuse remains a critical threat vector. Even sophisticated fraud campaigns often depend on simple enablers such as fraudulent SIM issuance, mule bank accounts, and compromised identity records.

The CBI said investigations into additional conspirators are ongoing. As cyber fraud grows more industrialized, dismantling support networks like these may prove just as important as arresting the scammers who interact directly with victims.

75,000 DDoS-for-Hire Users Reprimanded as Authorities Seize Dozens of Domains

Mihir Bagwe, April 17, 2026, 07:54

Law enforcement agencies across Europe, the United States, and other partner nations cracked down on the commercial DDoS-for-hire ecosystem, targeting both operators and customers of services used to knock websites offline.

The coordinated effort led to the seizure of 53 domains, four arrests, 25 search warrants, and warning notices sent to more than 75,000 people suspected of using so-called “booter” or “stresser” platforms.

A Crackdown on DDoS-for-Hire

DDoS-for-hire platforms allow customers to pay relatively small fees to launch distributed denial-of-service attacks against websites, gaming services, businesses, and public infrastructure. In fact, AI-driven threat intelligence company Cyble said in a new research report released today that DDoS was the primary mode of attack during the ongoing Iran-Israel and U.S. conflict. Cyble recorded a 140% increase in DDoS attacks targeting Israeli entities after September 2025, and at the height of the conflict, saw 40 DDoS attacks per day.

These DDoS-for-hire services often market themselves as legitimate stress-testing tools, but authorities say they are widely abused for harassment, extortion, and disruption.

The latest enforcement wave is part of the long-running international initiative known as "Operation PowerOFF," which has previously dismantled multiple booter services and disrupted related infrastructure.

U.S. Authorities Seize Key Infrastructure

The U.S. Department of Justice said investigators in Alaska seized infrastructure linked to eight DDoS-for-hire domains, including services branded as Vac Stresser and Mythical Stress, both of which allegedly advertised the ability to launch tens of thousands of attacks per day. Investigators also searched backend servers tied to the platforms.

Officials did not immediately identify those behind the services, but said the action was intended to disrupt the technical backbone used to power attacks globally.

75,000 Users Contacted Directly

In one of the more unusual aspects of the operation, authorities contacted more than 75,000 suspected users directly through warning emails and letters.

Law enforcement agencies appear to be using deterrence alongside takedowns—sending a message that paying for DDoS attacks leaves a trail and may bring legal consequences.

Security experts say the tactic could be particularly effective against younger or low-level offenders who use these platforms for gaming disputes, personal retaliation, or vandalism without fully understanding the legal risks.

Investigators said they identified around three million criminal accounts connected to the wider DDoS-for-hire ecosystem. The sheer number of accounts shows how industrialized cybercrime services have become. Instead of building botnets or malware, users can simply rent attack capability on demand.

DDoS attacks overwhelm a target with traffic, often causing websites, applications, or networks to crash. While sometimes dismissed as nuisance attacks, they can disrupt hospitals, financial institutions, government portals, and emergency services.

Recent years have also seen DDoS attacks used as smokescreens to distract security teams while other intrusions unfold.

A Persistent Cat-and-Mouse Game

Despite repeated takedowns, booter services often reappear quickly under new names, new domains, or relocated hosting providers. Researchers have found that while seizures can significantly reduce traffic in the short term, the market has proven resilient over time.

That means operations like PowerOFF may need to combine arrests, infrastructure seizures, financial disruption, and user deterrence to have lasting impact.

Ukraine Warns of Surge in Cyberattacks on Hospitals, Local Governments by UAC-0247 Hackers

April 15, 2026, 15:27

Ukrainian cyber defenders reported a newly intensified cyber campaign that is targeting Ukraine’s healthcare system and local government agencies, with attackers deploying increasingly sophisticated malware and social engineering tactics.

In a fresh advisory, CERT-UA said the activity—linked to a threat cluster tracked as UAC-0247—spiked between March and April 2026, with clinical hospitals, emergency services, and municipal bodies bearing the brunt of the attacks.

UAC-0247 Used Humanitarian Aid Lures as Entry Point

The campaign begins with phishing emails disguised as offers of humanitarian assistance—a tactic designed to exploit trust during wartime conditions. Victims are urged to click on links that appear legitimate, sometimes backed by convincingly crafted fake websites or compromised third-party resources.

Behind the scenes, however, the links trigger a multi-stage infection chain that ultimately gives attackers remote control over the victim’s system.

Once clicked, victims download an archive containing a malicious shortcut file. This file activates a built-in Windows tool to execute remote code, initiating a sequence that includes decoy documents to avoid suspicion.

The attack escalates quickly. Malicious executables are deployed via scheduled tasks, injecting code into legitimate system processes such as RuntimeBroker.exe to evade detection.

Recent campaigns show an evolution in sophistication, with attackers introducing multi-stage loaders and custom executable formats. Payloads are often encrypted and compressed, making analysis and detection more difficult.

At later stages, attackers deploy reverse shell tools—including variants resembling “RAVENSHELL”—to establish encrypted communication with command-and-control servers and execute remote commands.

Persistent Access and Remote Control

To maintain long-term access, attackers install a custom backdoor known as AGINGFLY, a C#-based malware designed for full remote system control. The tool enables:

  • Command execution
  • File exfiltration
  • Screenshot capture
  • Keylogging

Unlike conventional malware, AGINGFLY dynamically retrieves and compiles its command logic from remote servers, making it more adaptable and harder to detect.

Complementing this is a PowerShell-based tool dubbed SILENTLOOP, which helps maintain persistence and retrieves command server addresses—sometimes even pulling them from Telegram channels.

Credential Theft and Lateral Movement

Once inside a network, attackers move quickly to expand access. CERT-UA observed tools like CHROMELEVATOR being used to extract browser credentials, while ZAPIXDESK targets WhatsApp data.

The attackers also conduct internal reconnaissance using both custom scripts and publicly available tools such as RUSTSCAN. For stealthy movement across networks, tunneling tools like LIGOLO-NG and CHISEL are deployed.

In at least one case, attackers went further—embedding the XMRIG cryptocurrency miner inside a modified version of the legitimate WireGuard application, highlighting a secondary motive of financial gain.

Military Targets Also in Scope

The campaign isn’t limited to civilian infrastructure. CERT-UA noted an incident in March where individuals connected to Ukraine’s defense sector were targeted via the Signal platform.

Attackers distributed a trojanized version of software used by FPV drone operators, packaged as a seemingly legitimate update. In reality, the download triggered a DLL side-loading attack that installed the AGINGFLY backdoor.

CERT-UA recommends reducing exposure by restricting the execution of high-risk file types such as LNK, HTA, and JavaScript files. The agency also urges organizations to limit the use of native Windows tools like mshta.exe and PowerShell where possible, as these are frequently abused in attacks.

Goldman Sachs ‘Hyperaware’ of AI Risks; Working with Anthropic on Mythos

Mihir Bagwe, April 14, 2026, 06:59

Goldman Sachs is taking a cautious approach toward a new artificial intelligence model from Anthropic, warning that its advanced capabilities could introduce significant cybersecurity risks—even as they explore its long-term potential.

The model, known as "Mythos," has sparked concern across the financial sector due to its ability to identify and exploit software vulnerabilities at a level that could reshape both cyber defense and cybercrime.

“Hyperaware” of AI-Driven Cyber Risks

Answering a query during a recent earnings call, Goldman Sachs CEO David Solomon said the bank is closely monitoring the risks associated with emerging AI systems including LLMs and the disruptive Mythos model from Anthropic.

“We’re hyperaware,” Solomon said, referring to the cybersecurity implications of next-generation AI tools.

He added that Goldman is actively working with Anthropic and cybersecurity partners to better understand how such models could impact financial systems and cyber defenses.

"Cybersecurity has long been at the core of our business. And we have for a very, very long time, put enormous resources forward," Solomon added.

"With the help of the US government and the model publishers, we are very focused on supplementing our cyber and infrastructure resilience," he said. "And this is part of our ongoing capabilities that we have been investing in and are accelerating our investment in."

The comments reflect the current mindset of major financial institutions, which are increasingly treating advanced AI not just as a productivity tool, but as a potential security disruptor.

Why Mythos is Raising Concerns

Unlike earlier AI systems, Mythos is designed to autonomously discover and exploit vulnerabilities in software environments. Anthropic has acknowledged that the model can “find and exploit sophisticated vulnerabilities” and, in some cases, outperform human experts.

This capability has triggered concern across the cybersecurity community, whose members are divided and warn that such tools could lower the barrier for cyberattacks. In practical terms, even individuals without deep technical expertise could potentially use AI to identify weaknesses in operating systems, applications, or enterprise infrastructure.

Anthropic itself has taken an unusually cautious stance. The company has restricted access to Mythos and opted not to release it publicly, citing fears of misuse.

Instead, the model is being shared as a preview with 11 organizations under a controlled initiative dubbed "Project Glasswing." The organizations include JPMorgan, Apple, Google, Microsoft, Nvidia and Goldman Sachs, among others. The initiative aims to strengthen defenses before a wider deployment is rolled out.

Financial Sector on High Alert

The concerns are not limited to Goldman Sachs. Discussions involving top U.S. financial leaders—including regulators and central banking officials—have reportedly taken place to assess the risks posed by such AI systems.

Banks are particularly vulnerable due to their complex mix of modern and legacy systems, which could provide fertile ground for AI-driven vulnerability discovery and exploitation.

At the same time, industry leaders see a double-edged reality: while attackers could benefit first, defenders may eventually use similar tools to identify and patch weaknesses faster.

Balancing Risk and Opportunity

Despite the warnings, Solomon struck a measured tone about the future of AI in business. He noted that the technology has the potential to significantly improve efficiency and transform operations across industries.

"Whenever you have acceleration of your technology, there are going to be bumps, and there are going to be risk issues," Solomon said, answering a separate query during the call. "But the power of the technology, the ability to use it in an enterprise, to remake processes, to create efficiency, and also create more capacity to invest the growth — I can't find a CEO that's not talking about that."

This tension—between innovation and risk—sits at the center of the current debate around advanced AI systems like Mythos.

A Turning Point for Cybersecurity

The emergence of models capable of autonomously identifying and exploiting vulnerabilities marks a potential inflection point for cybersecurity.

Experts suggest that the rapid evolution of AI could accelerate both offensive and defensive capabilities, creating a race between attackers and defenders. In the short term, however, the concern is that powerful tools may be easier to weaponize than to secure.

For financial institutions like Goldman Sachs, however, the strategy seems to be to engage early, understand the risks, and prepare defenses before such technologies become widely accessible.

Authorities Dismantle ‘W3LL’ Phishing Empire Powering Global Business Email Attacks

April 13, 2026, 05:11

An international operation coordinated between the FBI Atlanta Field Office and Indonesian law enforcement agencies has led to the takedown of a major phishing infrastructure that enabled cybercriminals worldwide to steal credentials and attempt fraud exceeding $20 million.

The crackdown targeted a cybercrime ecosystem built around the “W3LL phishing kit,” a tool designed to replicate legitimate login pages and harvest user credentials at scale. Authorities say the platform allowed attackers to compromise thousands of accounts and carry out widespread financial fraud.

More Than a Phishing Tool

Investigators describe W3LL not as a single piece of malware, but as a fully developed “phishing-as-a-service” operation. For a relatively low cost of around $500, cybercriminals could purchase access to the kit and launch highly convincing phishing campaigns with minimal technical expertise.

The service was supported by an underground marketplace known as W3LLSTORE, where stolen credentials were bought and sold. Between 2019 and 2023, more than 25,000 compromised accounts were traded through the platform.

Even after the marketplace was shut down, the operation continued through private and encrypted channels, allowing it to evolve and remain active.

Built for Corporate Account Takeovers

According to research by Group-IB, the W3LL ecosystem was specifically designed to target corporate environments, particularly business email systems such as Microsoft 365.

The toolkit included a range of capabilities beyond simple phishing pages, forming an end-to-end attack chain. These included tools for:

  • Sending large-scale phishing emails
  • Harvesting and validating email accounts
  • Hosting malicious infrastructure
  • Managing stolen credentials

Group-IB estimates that around 500 threat actors were actively using W3LL tools, turning the platform into a structured cybercrime network rather than a loose collection of attackers.

Bypassing Multi-Factor Authentication

One of the most dangerous aspects of the W3LL kit was its use of adversary-in-the-middle (AitM) techniques. This allowed attackers to intercept login sessions in real time, capturing not just usernames and passwords but also authentication tokens.

As a result, even accounts protected by multi-factor authentication (MFA) could be compromised, giving attackers persistent access to corporate systems.

Security researchers say this capability made W3LL particularly effective in business email compromise (BEC) attacks—one of the most financially damaging forms of cybercrime today.

Global Scale and Impact

The phishing kit was used in attacks targeting organizations across multiple industries, including finance, healthcare, manufacturing, and IT services.

Data suggests that tens of thousands of corporate accounts were targeted globally, with a significant concentration of victims in the United States, followed by Europe and Australia.

Between 2023 and 2024 alone, the infrastructure was linked to more than 17,000 phishing attempts worldwide.

Arrest and Infrastructure Seizure

As part of the operation, authorities seized domains and infrastructure used to distribute the phishing kit and facilitate credential theft. Indonesian police also detained the suspected developer behind the platform, identified only as “G.L.”

Officials say this marks a significant step in targeting not just users of cybercrime tools, but the developers who enable large-scale attacks.

UNC6783 Turns BPO Providers into Cyberattack Gateways

Mihir Bagwe, April 9, 2026, 09:45

A cybercriminal group identified as UNC6783 is targeting business process outsourcing (BPO) companies, likely as a gateway to infiltrate major organizations across various industries. The Google Threat Intelligence Group reports that this tactic has already affected dozens of companies, with attackers stealing sensitive information to pressure victims into paying ransoms.

According to principal threat analyst Austin Larsen, the group primarily depends on phishing schemes and social engineering tactics to compromise BPO providers that support their intended targets. In some cases, attackers have gone a step further by directly engaging with internal support or helpdesk teams to gain unauthorized access. Investigators also believe UNC6783 may be connected to a cybercriminal persona known as “Raccoon,” which has previously focused on BPO firms serving large enterprises.

One notable technique involves manipulating support staff through live chat interactions. Employees are tricked into visiting counterfeit login pages that mimic Okta portals. These fraudulent sites are hosted on domains designed to resemble legitimate ones, often following a pattern like [.]zendesk-support<##>[.]com. Larsen notes that the phishing toolkit used in these campaigns is particularly advanced—it can capture clipboard data, allowing attackers to bypass multi-factor authentication (MFA) and register their own devices within compromised systems. In addition to phishing, the group has also distributed fake security updates that install remote access malware, further expanding their control over victim networks.

Once data is obtained, the attackers initiate extortion efforts, typically reaching out via ProtonMail accounts to demand payment in exchange for not releasing the stolen information.

Although further details about “Raccoon” remain limited, the International Cyber Digest recently reported that an individual using the alias “Mr. Raccoon” claimed responsibility for a breach involving Adobe—a claim that has not yet been confirmed. According to these claims, the breach occurred after compromising an India-based BPO associated with Adobe. The attacker allegedly installed a remote access trojan (RAT) on an employee’s system and later targeted the employee’s manager through a phishing campaign. The individual further asserted that approximately 13 million support tickets were stolen, including personal data, employee details, vulnerability reports submitted via HackerOne, and internal company documents.

To mitigate risks from UNC6783, Google’s Mandiant division recommends several defensive measures. These include adopting FIDO2-based hardware keys for MFA, closely monitoring live chat systems for suspicious activity, blocking domains that mimic Zendesk naming patterns, and routinely reviewing MFA device registrations for unauthorized additions.

North Korea Spent 6 Months Infiltrating Drift Protocol Only to Drain $285M in 12 Mins

April 6, 2026, 07:12

The message Drift Protocol posted to X on April 1 opened with an unusual disclaimer: "This is not an April Fools joke." Within hours, the reason became clear. A $285 million exploit had wiped out more than half of the Solana-based decentralized perpetual futures exchange's total value locked — and the attack had been in preparation for six months.

A malicious actor gained unauthorized access to Drift Protocol through a novel attack involving durable nonces, resulting in a rapid takeover of Drift's Security Council administrative powers. The incident, which took place on April 1, was confirmed as a highly sophisticated operation involving multi-week preparation and staged execution.

Drift is the largest decentralized perpetual futures exchange on Solana, a blockchain network. It allows users to trade leveraged financial positions without a centralized intermediary. The protocol held approximately $550 million in user assets before the attack. According to TRM Labs, the drain took roughly 12 minutes, making this the largest DeFi hack of 2026 and the second-largest exploit in Solana's history, behind only the $326 million Wormhole bridge hack in 2022.

A Six-Month Long-Con Operation

A North Korean state-linked group spent roughly six months infiltrating Drift Protocol under the guise of a quantitative trading firm before executing the exploit. The attackers built trust by meeting Drift contributors at conferences, depositing more than $1 million, and integrating an Ecosystem Vault. They then compromised devices via a malicious TestFlight app and a VSCode/Cursor vulnerability to obtain multisig approvals. On-chain staging began on March 11, nearly three weeks before the April 1 execution, with a 10 ETH withdrawal from Tornado Cash. The funds began moving at around 12:00 AM GMT on March 12 — approximately 9:00 AM Pyongyang time — and shortly after funded the deployment of CarbonVote Token (CVT), the fictitious asset used to manipulate Drift's price oracles.

The Fake Token That Fooled an Oracle

A key element of the attack was entirely manufactured. The attacker created CarbonVote Token (CVT), minting around 750 million units, seeded a small liquidity pool of approximately $500 on the Raydium decentralized exchange, and used wash trading — artificial back-and-forth trades between attacker-controlled wallets — to build a price history near $1. Over time, this artificial price was picked up by oracles, making the token appear legitimate. An oracle, in the context of blockchain protocols, is a system that feeds real-world price data into smart contracts so that a protocol knows the value of the assets it holds. By manufacturing a fake price history for a worthless token, the attackers tricked Drift's oracles into treating CVT as legitimate collateral worth hundreds of millions of dollars.

Durable Nonces: The Governance Weapon

The attack's most novel element exploited a legitimate Solana feature called durable nonces. By securing two misleading approvals from Drift's five-member Security Council multisig, the attacker pre-signed transactions that remained valid for more than a week, then used them to seize protocol-level control in minutes. A multisig — short for multi-signature — is a governance structure where multiple people must approve any administrative action, so compromising one person is insufficient. Durable nonces allow transactions on Solana to be pre-signed and executed later, a feature designed for operational convenience. In this attack, the attackers obtained two of the five required signatures through social engineering — presenting the signers with what appeared to be routine transactions — and held those approvals dormant until execution day. When Drift executed a legitimate Security Council migration on March 27, the attacker adapted. By March 30, new nonce activity appeared tied to a member of the updated multisig, indicating the attacker had re-obtained the required two-of-five approval threshold under the new configuration. On April 1, two transactions, four slots apart on the Solana blockchain, created and approved a malicious admin transfer, then executed it. Within minutes, the attacker had full control of Drift's protocol-level permissions and used it to introduce a fraudulent withdrawal mechanism and drain the vaults.

DPRK Attribution and Laundering

Investigators attributed the attack to UNC4736, a North Korean state-affiliated group also tracked as AppleJeus or Citrine Sleet, based on both on-chain fund flows tracing back to the Radiant Capital attackers and operational overlap with known DPRK-linked personas.

Stolen assets were consolidated and swapped into USDC and SOL, then partially bridged to Ethereum using Circle's Cross-Chain Transfer Protocol. On Ethereum, portions were converted into ETH while some funds moved through centralized exchanges. On-chain investigator ZachXBT publicly criticized Circle for failing to freeze the stolen USDC despite it crossing during U.S. business hours, contrasting that inaction with Circle's recent decision to freeze unrelated corporate wallets in a civil case.

If confirmed, the Drift incident would represent the eighteenth DPRK-linked crypto theft Elliptic has tracked in 2026, with over $300 million stolen to date. DPRK-linked actors have stolen over $6.5 billion in cryptoassets in recent years, with proceeds linked to funding North Korea's weapons programs.

The Drift exploit did not occur in isolation. It landed on the same day multiple security vendors attributed the Axios npm supply chain attack to North Korean group UNC1069 — a simultaneous two-front operation against the software development ecosystem and the crypto finance layer that funds Pyongyang's strategic programs.

Drift has frozen all protocol functions, removed the compromised wallet from the multisig, and is coordinating with security firms, exchanges, bridges, and law enforcement to trace and recover stolen assets. A detailed postmortem is expected. The DRIFT token fell more than 20% following news of the exploit.

North Korea’s Lazarus Group Behind the Axios npm Supply Chain Attack

Mihir Bagwe, April 1, 2026, 03:23

On Monday, the Axios npm supply chain attack came to light, in which malicious packages had been inserted into one of JavaScript's most widely used libraries. Three major threat intelligence firms have now attributed the attack to North Korea's Lazarus Group, and the scale of the fallout is considerably larger than initially understood.

The attack was confirmed as North Korean state-sponsored when Google Threat Intelligence Group published its attribution, identifying the responsible actor as UNC1069 — a financially motivated North Korea-nexus group active since at least 2018 and tracked by Mandiant, now part of Google. ThreatBook independently reached the same conclusion, attributing the campaign to Lazarus Group based on long-term APT tracking data and overlapping infrastructure artifacts.

Between March 31, 00:21 and 03:20 UTC, an attacker introduced a malicious dependency named plain-crypto-js into axios npm release versions 1.14.1 and 0.30.4. Axios is the most popular JavaScript library used to simplify HTTP requests, with packages that typically have over 100 million and 83 million weekly downloads, respectively.

npm is the world's largest software registry — the system JavaScript developers use to download and install code libraries their applications depend on. A postinstall hook is a script that executes automatically, silently, the moment a developer runs npm install. The attackers exploited both to devastating effect.

How the Attack Was Staged

Analysis indicates the maintainer account associated with the axios package was compromised, with the associated email address changed to an attacker-controlled ProtonMail account. The threat actor used the postinstall hook within the package.json file of the malicious dependency to achieve silent execution. Upon installation of the compromised axios package, npm automatically executed an obfuscated JavaScript dropper named setup.js in the background.

The dropper, tracked by GTIG as SILKBELL, dynamically checks the target system's operating system and delivers platform-specific payloads.

On Windows, it copies PowerShell to a renamed binary and downloads a PowerShell script to the user's Temp directory.

On macOS, it downloads a native Mach-O binary to /Library/Caches/com.apple.act.mond. On Linux, it drops a Python backdoor to /tmp/ld.py.

After successfully dropping each payload, the dropper attempts to delete itself and revert the modified package.json. This acts as an anti-forensic cleanup step designed to remove evidence of the postinstall hook entirely.

The platform-specific payloads deploy a backdoor tracked by GTIG as WAVESHAPER.V2 — a C++ backdoor that collects system information, enumerates directories, and executes additional payloads, connecting to the command-and-control server at sfrclak[.]com:8000/6202033. GTIG's attribution to UNC1069 rests specifically on WAVESHAPER.V2 being an updated version of WAVESHAPER, a backdoor previously used by this group, combined with infrastructure overlap across past UNC1069 campaigns.

All payload variants use the same anachronistic user-agent string — an Internet Explorer 8 string on Windows XP — which is highly anomalous in 2026 and a reliable detection indicator. The C2 path /6202033, when reversed, reads 3-30-2026, the date of the attack.
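The network indicators above can be turned into a proxy-log check. The sketch below is an added example, not code from GTIG or the article: the log layout, the sample lines and the internal addresses are constructed, and because the article does not quote the exact user-agent string, the check matches on the standard IE8 ("MSIE 8.0") and Windows XP ("Windows NT 5.1") tokens.

```javascript
// Added example (not from the article): flag proxy-log records that match the
// network indicators described above.
const C2_HOST = 'sfrclak[.]com'.split('[.]').join('.'); // kept defanged in source
const C2_PORT = '8000';
const C2_PATH = '/6202033';

// Assumed log layout (constructed): <iso-time> <src-ip> <method> <url> "<user-agent>"
function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$/.exec(line.trim());
  if (!m) return null;
  let url;
  try {
    url = new URL(m[4]);
  } catch (err) {
    return null;
  }
  const defaultPort = url.protocol === 'https:' ? '443' : '80';
  return {
    ts: m[1], src: m[2], method: m[3],
    host: url.hostname.toLowerCase(),
    port: url.port || defaultPort,
    path: url.pathname,
    ua: m[5],
  };
}

// Exact host or any subdomain of it, never a mere suffix match.
function isC2Host(host) {
  return host === C2_HOST || host.endsWith('.' + C2_HOST);
}

// IE8 identifies as "MSIE 8.0" and Windows XP as "Windows NT 5.1".
function isIe8OnXp(ua) {
  return /\bMSIE 8\.0\b/.test(ua) && /\bWindows NT 5\.1\b/.test(ua);
}

function classify(rec) {
  const reasons = [];
  if (isC2Host(rec.host)) reasons.push('c2-host');
  if (rec.port === C2_PORT && rec.path === C2_PATH) reasons.push('c2-path');
  if (isIe8OnXp(rec.ua)) reasons.push('ie8-xp-user-agent');
  const severity = reasons.includes('c2-host') ? 'high' : reasons.length ? 'medium' : 'none';
  return { severity, reasons };
}

function detect(lines) {
  const alerts = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue; // unparseable lines are skipped, not treated as clean
    const verdict = classify(rec);
    if (verdict.severity !== 'none') alerts.push({ ts: rec.ts, src: rec.src, ...verdict });
  }
  return alerts;
}

// Constructed sample records; the user-agent is a typical IE8-on-XP string.
const LEGACY_UA = 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)';
const SAMPLE_LOG = [
  `2026-03-31T00:47:10Z 10.20.0.15 POST http://${C2_HOST}:8000/6202033 "${LEGACY_UA}"`,
  '2026-03-31T00:48:02Z 10.20.0.15 GET https://registry.npmjs.org/axios "npm/10.8.2 node/v20.17.0 linux x64"',
  `2026-03-31T01:02:44Z 10.20.0.22 GET http://198.51.100.7/update "${LEGACY_UA}"`,
  'truncated line without a user agent',
];

for (const a of detect(SAMPLE_LOG)) {
  console.log(`${a.severity.toUpperCase()} ${a.ts} ${a.src} ${a.reasons.join(',')}`);
}
```

A user-agent-only hit is reported as medium so that the anomalous string still surfaces if the traffic goes to a host other than the one named here.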

The Blast Radius

The malicious axios versions were removed within a few hours, but axios is present in approximately 80% of cloud and code environments and is downloaded roughly 100 million times per week, enabling rapid exposure, with observed execution in 3% of affected environments.

Mandiant CTO Charles Carmakal framed the downstream risk in serious terms. Carmakal said the blast radius of the axios npm supply chain attack is broad and extends to other popular packages that have dependencies on it, and warned that the secrets stolen over the past two weeks will enable more software supply chain attacks, SaaS environment compromises leading to downstream customer compromises, ransomware and extortion events, and crypto heists over the next several days, weeks, and months.

He noted awareness of hundreds of thousands of stolen credentials, with a variety of actors across varied motivations behind these attacks.

GTIG Chief Analyst John Hultquist said North Korean hackers have deep experience with supply chain attacks, which they have historically used to steal cryptocurrency, and that given the popularity of the compromised package, the full breadth of the incident is still unclear but far-reaching impacts are expected.

Huntress identified approximately 135 compromised devices. However, the true number affected during the three-hour window remains under investigation.

What Defenders Should Do Now

Any engineering team that ran npm install between 00:21 UTC and approximately 03:20 UTC on March 31 should treat their environment as potentially compromised.

Defenders should check for RAT artifacts at /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), and /tmp/ld.py (Linux); downgrade to axios 1.14.0 or 0.30.3; remove plain-crypto-js from node_modules; audit CI/CD pipeline logs for the affected window; rotate all credentials on any system where RAT artifacts are found; and block egress to sfrclak[.]com.


Hackers Impersonate Ukrainian CERT to Plant a RAT on Government, Hospital Networks

March 30, 2026, 05:45

CERT-UA, AGEWHEEZE, RAT, Remote Access Trojan, Government, Hospitals

Ukraine's frontline cyber defense agency became the subject of its own investigation last week after an unknown threat actor built a convincing fake version of its website, sent emails impersonating its staff and instructed recipients across the country to download malware packaged as official security software.

The Computer Emergency Response Team of Ukraine, CERT-UA, disclosed on Sunday that between March 26 and 27, attackers distributed emails falsely attributed to CERT-UA, urging recipients to download a password-protected archive named either "CERT_UA_protection_tool.zip" or "protection_tool.zip". The file was made available for download from the Files.fm file-sharing service and installed what the messages described as specialized protective software.

The phishing emails were targeted at a broad cross-section of Ukrainian institutions including government organizations, medical centers, security companies, educational institutions, financial institutions and software development firms.

Supporting the phishing campaign, attackers had registered and populated a counterfeit website at cert-ua[.]tech — a domain created on March 27, just one day into the distribution window. The look-a-like website had content lifted directly from the official CERT-UA website at cert[.]gov[.]ua, alongside fabricated instructions for downloading the malicious "protection tool."

The executable file inside those archives was not protective software. CERT-UA classified it as AGEWHEEZE, a full-featured Remote Access Trojan (RAT) written in the Go programming language. A RAT is malware that gives an attacker complete remote control over an infected machine: not just file access, but live screen viewing, keyboard and mouse emulation, command execution, process and service management, clipboard reading and writing, and the ability to shut down, restart, or lock the device entirely.

AGEWHEEZE's command set is exhaustive and purpose-built for persistent, covert control. It supports screen capture and real-time input emulation, full file system operations including read, write, delete, rename, and directory creation, process killing, service control, autorun management, terminal access, and the ability to open arbitrary URLs on the victim machine.

AGEWHEEZE establishes persistence through the Windows registry startup key, the Startup directory, or a scheduled task, creating entries named "SvcHelper" or "CoreService" depending on the infection path. All communications to its command-and-control server route over WebSocket connections to a server hosted on infrastructure belonging to French cloud provider OVH.

That command-and-control server carried its own revealing details. On port 8443, a web page titled "The Cult" displayed an authentication form. Buried in the HTML source of that page, investigators found Russian-language text reading: "Membership suspended. Your access to the Cult has been blocked. Contact the administrator to restore it." The self-signed SSL certificate on the server was created on March 18, with "TVisor" listed in the Organization field, matching the internal package name found inside the malware itself: "/example.com/tvisor/agent".

Attribution arrived quickly and from the attackers themselves. A review of the AI-generated fake website at cert-ua[.]tech uncovered a line embedded in the HTML code reading: "With Love, CYBER SERP — https://t[.]me/CyberSerp_Official."

[Image: Fake website and HTML code embedding CyberSerp details. (Source: CERT-UA)]

On March 28, the day after the campaign launched, the Telegram channel referenced in that code published a message claiming responsibility for the attack, eliminating any ambiguity about attribution. CERT-UA created the tracking identifier UAC-0255 for this activity.

The agency assessed the cyberattack as "unsuccessful." No more than a few personal devices belonging to employees of educational institutions were identified as infected. CERT-UA said its specialists provided methodological and practical assistance to affected parties, and acknowledged Ukrainian electronic communications providers for their contribution to delivering cyber threat information to subscribers and maintaining national cyber incident response infrastructure.

CERT-UA itself has previously documented campaigns by multiple threat groups — including UAC-0002, UAC-0035, and the group tracked here as UAC-0252 — that similarly weaponize government branding. In this case, the attackers targeted the cyber defense agency whose name carries the highest authority in Ukrainian information security communications, turning that trust directly against the institutions that rely on it.

CERT-UA noted that the development of artificial intelligence significantly simplifies the execution of cyber threats. The attackers' own use of an AI-generated phishing site is a direct illustration of that warning, the cyber defense agency explained. It recommended that organizations reduce their attack surface by configuring standard operating system protections including Software Restriction Policies and AppLocker, and deploying specialized endpoint protection tools. Full indicators of compromise including file hashes, network indicators, and host-based artifacts are available in the CERT-UA advisory.

Congress Wants a GPS Tracker on Every Advanced AI Chip America Exports

March 27, 2026, 07:54

AI Chip, Chip Security Act

DeepSeek changed the calculation. When the House Select Committee on China concluded in early 2025 that the Chinese AI company had trained its flagship model on restricted Nvidia AI chips that should never have reached it, Congress stopped treating chip smuggling as an enforcement failure and started treating it as a legislative emergency — one that arrived on the House Foreign Affairs Committee's desk, this week. The House Foreign Affairs Committee passed the Chip Security Act with bipartisan support on Thursday, advancing legislation to curb the smuggling of American semiconductors to foreign adversaries. The bill was introduced in May 2025 as a direct response to concerns raised by the Select Committee on China in its report on DeepSeek, which concluded the company used advanced Nvidia chips restricted from export to China to develop its AI model.

Here's What the AI Chip Security Act Is

The core mechanism the Chip Security Act puts forward is location verification — the requirement that advanced AI chips exported from the United States carry a technical security mechanism, whether implemented in software, firmware, or hardware, that continuously confirms where the device physically sits. The bill requires the Secretary of Commerce to mandate, within 180 days of enactment, that any covered integrated circuit product be outfitted with chip security mechanisms implementing location verification before it is exported, reexported, or transferred to a foreign country. Covered products include chips classified under Export Control Classification Numbers 3A090, 3A001.z, 4A090, and 4A003.z — the precise classifications that cover Nvidia's H100 and equivalent advanced AI accelerators. The bill also requires any person who received a license to export a covered chip to promptly report to the Under Secretary of Industry and Security if they obtain credible information that the product has been diverted to an unauthorized end-user or location. Mandatory reporting closes a gap that currently allows diversion to go unreported until investigators stumble across it independently — sometimes years after the fact. The bill arrives with enforcement urgency already established on its behalf. Earlier this week, the Justice Department charged three individuals for conspiring to smuggle billions of dollars' worth of advanced AI chips to China through Thailand.
In November 2025, the DOJ had also indicted three Chinese nationals for smuggling high-tech chips through Thailand and Malaysia to China. Both cases used the trans-shipment model — routing restricted chips through a third country to obscure China as the final destination — demonstrating that existing export controls fail at the physical enforcement layer precisely where location verification would apply.

The broader legislative push sits in deliberate tension with the Trump administration. The White House AI czar, David Sacks, in January retweeted criticism of the Chip Security Act, suggesting it handicaps Trump's ability to strategically position the U.S. favorably against China. House Foreign Affairs Committee Chairman Brian Mast pushed back directly, saying the talking points amplified by Sacks matched those he had heard from Nvidia. Nvidia CEO Jensen Huang has repeatedly argued to lawmakers that U.S. chip sales to China entrench American technology as the global standard — a position congressional China hawks view as commercially motivated reasoning that ignores military end-use risk.

The Trump administration approved the export of higher-tier H200 chips to China in January 2026, walking back the previous administration's blanket restrictions. That decision prompted fierce backlash on Capitol Hill, where lawmakers have been seeking congressional control over export licensing — authority that currently belongs entirely to the Department of Commerce.

The Chip Security Act represents Congress's attempt to build a verification infrastructure capable of surviving executive policy oscillations by embedding accountability into the hardware itself rather than relying solely on licensing decisions made at the administrative level.

Industry groups including the Information Technology and Innovation Council have warned that a government chip-tracking mandate creates the impression of deepening U.S. government control over the American AI stack, potentially pushing countries that should be core customers toward alternative suppliers. Whether that concern outweighs the demonstrated reality of $170 million AI chip smuggling conspiracies routed through Southeast Asian shell companies is now a question for the full House floor.

Three Individuals Charged for Trying to Smuggle ‘America-Made’ AI Tech Worth $170M

March 26, 2026, 07:02

AI Tech, AI Tech Smuggling, NVIDIA, NVIDIA AI Chips Smuggling to China, AI Chips Smuggling to China

A $170 million order, 750 servers, 600 restricted Nvidia chips, and a Thailand-based front company that a U.S. hardware manufacturer spotted as suspicious within weeks — that is the scheme federal prosecutors say three men used to try to route some of America's most tightly controlled artificial intelligence technology (AI tech) to China in violation of U.S. export law. The Justice Department on Wednesday, charged Stanley Yi Zheng, 56, of Hong Kong, Matthew Kelly, 49, of Hopewell Junction, New York, and Tommy Shad English, 53, of Atlanta, Georgia, with conspiring to commit smuggling and export control violations. The three defendants are alleged to have sought millions of dollars' worth of export-controlled computer chips from a California-based computer hardware company for illegal shipment to China through Thailand. Zheng was arrested on March 22, while Kelly and English surrendered to federal authorities on March 25. The criminal complaint references the trio attempting to smuggle hundreds of Nvidia A100 and H100 chips — advanced graphics processing units, or GPUs, that power large-scale AI model training and inference. The scheme targeted a hardware and services company based in San Jose, with a purchase order for server units running Supermicro hardware designed to support Nvidia H100 and H200 GPUs, totaling nearly $62 million for one tranche alone. Nvidia's H100 and A100 chips are subject to U.S. Commerce Department export controls because of their direct application to military AI, autonomous weapons systems, and the development of advanced large language models — the class of technology that underpins modern AI systems like those powering China's rapidly developing military AI programs.
According to the criminal complaints, the conspiracy began in May 2023, when Zheng, Kelly, and English started working together to obtain computer servers from the California manufacturer and ship them to Thailand with an ultimate destination of China. They used the names of Thailand-based companies as purported purchasers of the servers when their actual intent was to divert the U.S.-origin AI chips to China.

In October 2023, English, purporting to act on behalf of a Thailand-based company, ordered 750 computer servers for approximately $170 million from the manufacturer. Of the 750 servers ordered, 600 contained a chip controlled on the U.S. Commerce Control List and required a license for export to China.

The scheme began unraveling in January 2024 when, while discussing via email an upcoming compliance review of the October 2023 order, English asked the manufacturer to add Zheng and Kelly to the email thread. This prompted a response from the company noting that Zheng's company was based in China and that it was "odd" that no one from the Thailand-based company was among those copied. The company also commented that China is an embargoed country restricted by the U.S. government and that U.S. companies are restricted from selling to businesses or end users headquartered in China.

A tipster subsequently notified federal investigators about the scheme in January 2024. In February 2026, federal agents seized the phone and laptop of U.S. suspect Matthew Kelly when he returned to the U.S. from Italy, giving investigators access to WhatsApp messages between the three suspects.

[Image: WhatsApp messages on Stanley Zheng's mobile (Source: U.S. DoJ)]

Employees from Nvidia and Supermicro also noticed irregularities in the order requests and canceled them early in 2024.

The use of Thailand as a transshipment node — a third-country routing point designed to obscure the final destination — is a well-documented circumvention technique that has surged since the Biden administration expanded export controls on advanced chips in October 2022 and October 2023.

Prosecutors allege the AI chips the accused attempted to smuggle have military and strategic applications, making their unauthorized transfer a violation of U.S. export control laws. The A100 and H100 in particular can train AI models at the scale required for advanced weapons targeting, signals intelligence analysis, and autonomous systems — capabilities the U.S. government has explicitly sought to deny China's military through export restrictions.

The two countries are competing for global AI dominance, with a U.S. advisory body warning this week that China's lead in open-source AI could threaten America's top position globally in the field. The charges arrive as the DOJ has significantly expanded its enforcement posture on semiconductor export controls — a recognition that chip smuggling represents one of the most direct pathways for adversaries to close the AI capability gap that export restrictions are designed to maintain.

The case is being investigated by the Department of Commerce's Bureau of Industry and Security, the Defense Criminal Investigative Service, and Homeland Security Investigations. Each defendant faces charges of conspiracy to commit smuggling and conspiracy to violate the Export Control Reform Act — carrying combined potential sentences of over 20 years.

RedLine Infostealer Network’s Second Defendant Now Faces a U.S. Court

March 26, 2026, 03:59

RedLine Infostealer, infostealer Operator, Armenia, Infostealer Operator Armenia, US Extradition, FBI, Hambardzum Minasyan, Minasyan

Seventeen months after international law enforcement dismantled one of the world's most damaging infostealing malware networks, a second defendant has arrived in a U.S. federal courtroom — this time extradited from Armenia — as the prosecution of the RedLine infostealer operation continues to work through the criminal network that built and sustained it.

Hambardzum Minasyan, an Armenian national, appeared in an Austin federal court after being extradited to the United States to face charges related to his alleged role in the RedLine infostealer scheme. The Justice Department's Office of International Affairs secured Minasyan's arrest and extradition on March 23, 2026, with significant assistance from Eurojust's ICHIP attorney adviser based at The Hague.

Minasyan faces three counts: conspiracy to commit access device fraud, conspiracy to violate the Computer Fraud and Abuse Act, and conspiracy to commit money laundering. If convicted, he faces up to 10 years in prison on the access device fraud charge and up to 20 years each on the remaining two counts.

An infostealer is malware designed to silently harvest credentials, browser cookies, saved passwords, financial data, and cryptocurrency wallet information from an infected device, then transmit that data to attackers — often in seconds, without any visible sign of compromise.

The indictment alleges that Minasyan and his co-conspirators maintained digital infrastructure, including command-and-control servers and administrative panels, to deploy the malware and collected payments from affiliates using RedLine against victims. Minasyan specifically registered two virtual private servers and two internet domains to support the RedLine scheme, created repositories on an online file-sharing site to distribute RedLine to affiliates, and registered a cryptocurrency account in November 2021 to receive payments.

RedLine operated on a Malware-as-a-Service model. It is a criminal franchise structure where the core developers build and maintain the malware platform, then license it to affiliates who run their own infection campaigns in exchange for a fee. Affiliates distributed RedLine to victims using malvertising, phishing emails, fraudulent software downloads, and malicious software sideloading, with various ruses — including COVID-19 and Windows update lures — used to trick victims into downloading the malware.

RedLine and its derivative Meta infostealer could also enable cybercriminals to bypass multifactor authentication through the theft of authentication cookies and session tokens. Multifactor authentication is a security layer requiring users to verify their identity through a second method beyond a password; stealing session cookies allows attackers to impersonate an already-authenticated user and render that protection useless.

The Lapsus$ threat group used RedLine to obtain passwords and cookies from an employee account at a major technology company and subsequently used that access to obtain and leak limited source code. RedLine also infected hundreds of systems belonging to U.S. Department of Defense personnel, and authorities have described its victim count in the millions globally.

Minasyan's extradition represents the second defendant charged in connection with Operation Magnus, the joint international takedown announced in October 2024.
Operation Magnus — a Joint Cybercrime Action Taskforce operation supported by Europol — resulted in Dutch authorities seizing three servers running the malware, Belgian authorities seizing communication channels and Telegram accounts used by the operators, and the recovery of a database of thousands of RedLine and Meta clients. That client database gave investigators a roadmap for follow-on prosecutions that continues to generate results. The first defendant charged, Russian national Maxim Rudometov, was identified as a developer and administrator of RedLine, and the charges against him were unsealed in the Western District of Texas in October 2024. Rudometov, believed to reside in Krasnodar, Russia, is not expected to face extradition given his location.
Minasyan's extradition from Armenia, by contrast, demonstrates the value of maintaining extradition treaty relationships and Eurojust cooperation frameworks that can reach defendants outside of jurisdictions beyond U.S. reach. The investigation is a joint effort by the FBI Austin Cyber Task Force, which includes the Naval Criminal Investigative Service, IRS Criminal Investigation, the Department of Defense Office of Inspector General's Defense Criminal Investigative Service, and the Army Criminal Investigation Division. The case demonstrates a sustained prosecution strategy, where rather than treating Operation Magnus as a one-time disruption event, the DOJ has continued converting the intelligence gained from seized infrastructure and client databases into individual criminal referrals across multiple jurisdictions.

The FCC Just Blocked Every New Foreign-Made Router from the U.S. Market

March 25, 2026, 08:01

Foreign-Made Router, FCC Ban, FCC

The router sitting in your home — the one connecting every phone, laptop, and smart device on your network to the internet — is almost certainly made overseas. As of March 23, no new model of that device can receive U.S. market authorization unless it clears a security review by the Department of War or the Department of Homeland Security first.

The Federal Communications Commission updated its Covered List to include all routers produced in a foreign country, following a National Security Determination received on March 20 from a White House-convened Executive Branch interagency body.

The determination concluded that foreign-produced routers introduce a supply chain vulnerability that could disrupt the U.S. economy, critical infrastructure, and national defense, and pose a severe cybersecurity risk that could be leveraged to immediately and severely disrupt U.S. critical infrastructure and directly harm U.S. persons.

The FCC's Covered List — established under the Secure and Trusted Communications Networks Act — carries real enforcement teeth. Equipment on the Covered List is prohibited from receiving FCC equipment authorization, and most electronic devices require FCC equipment authorization prior to importation, marketing, or sale in the U.S. Covered equipment is banned from receiving new equipment authorizations, preventing new devices from entering the U.S. market.

The national security determination cited three Chinese state-sponsored cyber campaigns by name. Routers produced abroad were directly implicated in the Volt, Flax, and Salt Typhoon cyberattacks, which targeted critical American communications, energy, transportation, and water infrastructure.

Salt Typhoon penetrated multiple U.S. telecommunications carriers and persisted inside their networks for months; Volt Typhoon pre-positioned itself inside U.S. critical infrastructure for potential future disruption; and Flax Typhoon operated a 260,000-device botnet largely built from compromised consumer routers.

Unlike prior Covered List entries that targeted specific entities such as Huawei and ZTE, this update applies categorically based on place of production, not manufacturer identity. That distinction matters enormously for the industry.

Virtually all routers are made outside the United States, including those produced by U.S.-based companies like TP-Link, which manufactures its products in Vietnam. It appears that the entire router industry will be impacted by the FCC's announcement concerning new devices not previously authorized by the FCC. Netgear, Amazon Eero, Google Nest WiFi, Asus, Linksys, and D-Link all manufacture in Asia. The one apparent exception is the newer Starlink Wi-Fi router, which the company says is manufactured in Texas.

The action does not strand existing users. Consumers can continue using any router they have already purchased, and retailers can continue selling previously authorized models already in their supply chains. Firmware updates for covered devices remain permitted at least through March 1, 2027.

The disruption falls entirely on new product cycles — which in a fast-moving consumer networking market means the freeze begins almost immediately.

A rule that bans new foreign router models while leaving millions of existing foreign-made devices completely untouched does not make U.S. networks measurably more secure today. Security researchers have noted that the Volt Typhoon attacks cited by the FCC as justification primarily targeted Cisco and Netgear hardware — U.S.-designed products — pointing to software patching failures rather than manufacturing origin as the operational vulnerability.

A Conditional Approval pathway exists for manufacturers willing to pursue it. The Conditional Approval pathway requires companies to commit to establishing or expanding U.S. manufacturing for the products they want to bring to market. That is a significant industrial policy commitment on top of any security review, and one that smaller router vendors may find prohibitive.

The December 2025 drone ban used an identical framework — and as of publication, it had cleared exactly four non-Chinese drone systems while leaving major Chinese manufacturers fully blocked.


Head of Russian Cybercrime Group Mario Kart Sentenced for Locking Out Dozens of U.S. Businesses

March 25, 2026, 05:17

Mario Kart, Russian Cybercriminal, Russian Cybercrime, Cybercrime

A federal court in Detroit sentenced Russian national Illya Angelov, on Tuesday, for running a botnet operation that infected thousands of computers daily, sold backdoor access to ransomware groups and victimized 72 companies across 31 U.S. states.

The extortion scheme involving Angelov and his criminal organization, known by the FBI as "Mario Kart," ran from 2017 to 2021. Prosecutors said Angelov and co-conspirators built a network of compromised computers that distributed malware-infected files attached to spam emails.

Angelov and his co-manager then monetized this botnet by selling access to individual compromised computers to other criminal groups, who typically engaged in ransomware extortion schemes — locking victims out of their computer networks and demanding extortion payments to restore access.

A botnet is a network of devices secretly infected with malware and controlled remotely by an attacker without the device owners' knowledge. The court records describe a scheme that was lucrative and prolific, sending 700,000 emails a day to computers around the world and infecting approximately 3,000 computers daily.

The Mario Kart malware provided a backdoor through which software could be uploaded to victims' computers. Instead of directly exploiting this access, the Mario Kart group sold it to customers, that is, other cybercriminal groups. These customers typically used the backdoor access to distribute ransomware, encrypting victims' data and demanding extortion payments to decrypt it.

Angelov's group included software coders who developed programs to distribute spam emails and malware so advanced it could evade virus-detection software. The operation sold backdoor access at scale, functioning as a criminal wholesale supplier to ransomware operators who lacked the infrastructure to breach targets themselves.

Angelov pleaded guilty in secret in October to one count of conspiracy to commit wire fraud. Prosecutors requested he serve 61 months in prison — a significant break from advisory sentencing guidelines calling for more than 12 years — and he was ordered to pay a $100,000 fine and a $1.6 million money judgment. The reduction reflected both his voluntary cooperation and the circumstances of his surrender.

Angelov was sentenced four years after an associate, Vyacheslav Igorevich Penchukov, was arrested in Switzerland and later extradited to the U.S. Penchukov was a member of a group that negotiated a $1 million payment to Angelov and a second individual for access to Mario Kart. A few days after Penchukov's arrest, Angelov contacted U.S. authorities and eventually negotiated his surrender. At the time of his travel and surrender, he was living in the United Kingdom, a country from which the U.S. could have sought his extradition.

Vitlalii Alexandrovich Balint, who provided essential coding to Mario Kart, was sentenced five months earlier in federal court in Detroit to 20 months in prison. While Balint's role in Mario Kart was significant, he was Angelov's subordinate.

The Mario Kart case sits inside a broader DOJ enforcement pattern targeting the upstream criminal economy — the access brokers and botnet operators who supply the tools and entry points that ransomware groups deploy.

The day before Angelov's sentencing, a separate federal court sentenced Russian access broker Aleksei Volkov to 81 months for supplying network access to the Yanluowang ransomware group across dozens of U.S. organizations.


Two Russian cybercriminals sentenced in two consecutive days across two different federal districts signals a deliberate prosecutorial push against the ransomware supply chain's foundational layer, not just its most visible operators.

The scheme operated before the peak of ransomware extortion payments, which reached a high of $1.25 billion in 2023. That trajectory makes the infrastructure Angelov built — and the model it demonstrated — directly relevant to understanding how the ransomware economy scaled to where it stands today.
