This is not a precedent in tech history. States have restricted access to strategic technologies deemed national security risks before. But the comparison only goes so far. Crypto could be reimplemented, by anybody, frontier models cannot. They require massive compute, capital and infrastructure. So when the home state can switch off access, you are renting access to a strategic asset.

This is not a wake-up call for Europe. Wake-up calls are for people who were asleep. Europe has seen this risk for years: cloud, chips, platforms, now frontier AI. This is not the alarm. This is the bill for ignoring it.

Security

U.S. agencies issued an alert about hackers targeting automatic tank gauges - systems that quietly monitor fuel levels, temperatures, and leaks at gas stations, farms, chemical plants, and transport hubs across the country. The attackers are bypassing login screens, injecting commands into databases, and escalating themselves to full admin access. Once in, they can change tank volumes, disable leak alarms, and mess with pump controls. https://www.cisa.gov/resources-tools/resources/cisa-and-partners-urge-hardening-automatic-tank-gauge-systems

You can have a hard time to use AI to analyze malicious software if it contains words triggering "safety refusals" due to nuclear weapons design. https://socket.dev/blog/mini-shai-hulud-miasma-and-hades-worms-target-bioinformatics-and-mcp-developers-via-malicious

Privacy

Biggest consumer data breach in South Korea’s history. 37.56 million people affected in the core breach. The exposed data included:

- 33,057,012 member profile records

- 63,986,351 delivery-address records

- 272,470 order-history records.

Coupang, South Korea’s largest e-commerce platform and online retailer hit with a ₩624.68bn, roughly $409m, sanction by Korea’s Personal Information Protection Commission.

Basic security and governance failures like weak signing-key management, weak access control, poor detection of abnormal access, breach notification failures, data deletion failures, CPO independence issues and investigation obstruction. A former employee used an active alternative authentication signing key to generate forged authentication tokens. Then he reached customer information.

Coupang collected online activity records from 11,170,613 users via third-party websites and apps where Coupang ads appeared. This included visited URL or app name, access time and IP address.

https://pipc.go.kr/np/cop/bbs/selectBoardArticle.do?bbsId=BS074&mCode=C020010000&nttId=12171

Technology Policy

Suspected Chinese info ops used ChatGPT to target U.S. AI infrastructure debates with posts blaming data centres for household power bills, and attacking tariffs. The campaign got little traction, but coverage may matter more than the operation. https://cdn.openai.com/pdf/96b559fa-c165-4575-805d-e636909e2f78/June-2026-Threat-Report.pdf

[This might not belong to the ‘security’ section]

Other

Another AI fabrication report? KPMG published a report called Total Experience: Redefining Excellence in the Age of Agentic AI. It had 45 citations. 5 were accurate. 40 had fake titles. At least 16 were classified as hallucinations/fabrications. 12 were so vague or broken that the source could not be identified. The case studies are worse. JR East was cited as evidence of AI-powered travel recommendations. The source was a 2019 press release that predates agentic AI and does not mention AI at all. KPN’s “agents” turned out to be humans. Toyota’s Woven City press release mentions no AI agents. It looks like someone asked an LLM to find examples of agentic AI in the wild. It made things up. Nobody cared. The report has since been cited by industry blogs, trade publications and newspapers. ChatGPT and Gemini are reportedly repeating its statistics. KPMG charges clients to implement AI responsibly. The invoices, presumably, are accurate. https://gptzero.me/news/investigations-kpmg/

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

The first cyberattack in history using prompt injection. Attackers used Meta’s chatbot as a tool to take over Instagram accounts belonging to well-known people, brands, and institutions. By manipulating Meta’s AI support system, they convinced it to perform a critical administrative operation: changing or adding an email address associated with the victim’s account. Basic mistake: using LLM as a security boundary. The attacker contacted Meta’s bot, provided the username of the account they wanted to take over, and asked it to link that account to a new email address controlled by the attacker. In practice, this meant that the person controlling the new email address could receive or provide the confirmation code, and then use the modified recovery channel to reset the password and take over the account. AI support became a path for bypassing account security. If a chatbot can change an email address or initiate account recovery without independent verification of the owner, the attacker does not need to know the password or break through traditional security controls. It is sufficient to convince the automated support operator to perform an operation that the attacker should not normally be allowed to request. https://www.theverge.com/tech/941179/meta-instagram-ai-support-chatbot-exploit-hacked

Draft:

AI/LLM can absolutely make autonomous cyberattacks and hack enterprise networks, but also government systems and this can be cheaper than human ops. Going beyond “magic hacking powers of this and that model” the important stuff is in agentic orchestration, so scanning, tool use, credential discovery, exploit selection, evidence tracking, privilege escalation planning, and adaptive retries across long attack chains - all well planned and executed. Once properly architected and connected, including to tooling like to shells, scanners, knowledge bases, memory, and task planners, models can turn known weaknesses, exposed services, misconfigurations, leaked credentials, and weak identity controls into repeatable intrusion workflows. This is also about going beyond human expertise limits to architectural decisions about state management, tool wrappers, context control, and deciding when a path is worth pursuing. This lowers the cost of offensive experimentation and lets attackers run more attempts, across more targets, with less specialist work. Defenders should assume AI-assisted intrusion attempts will become continuous, cheap, but also noisy before they become perfected. This genie is out of the box and let’s repeat: harness is critical, and the work can absolutely be done with freely available open weight models. https://dl.acm.org/doi/pdf/10.1145/3766895 https://dl.acm.org/doi/pdf/10.1145/3800584 https://arxiv.org/pdf/2507.00829 https://arxiv.org/pdf/2505.10321 https://arxiv.org/pdf/2602.17622

Another supply-chain compromise worm. Multiple packages in the official Red Hat redhat-cloud-services npm scope were compromised in a supply-chain attack distributing a credential-stealing worm. Affected packages added a preinstall hook that ran a script. The malware harvested npm, GitHub, AWS, Azure, GCP, Vault, Kubernetes, SSH, CI/CD, and local secrets, then attempted to propagate by abusing stolen credentials to publish additional malicious packages and modify repositories. Any environment that installed affected versions should be treated as compromised. https://www.wiz.io/blog/miasma-supply-chain-attack-targeting-redhat-npm-packages https://www.aikido.dev/blog/red-hat-npm-packages-compromised-credential-stealing-worm

AI-powered computer worm, a self-replicating agent that reasons its way through a network instead of carrying a fixed exploit list. It steals compute from compromised GPU machines to run its own open-weight LLM, then uses weaker machines as relays for reach. In trials on a corporate testbed, it identified vulnerabilities, exploited systems, and launched replicas across Linux, Windows, and IoT targets. Every new infection can add more infrastructure while costing the attacker almost nothing. Patching one flaw no longer ends the threat, because the worm can operationalise fresh advisories, generate new attack logic, and keep adapting without a human operator. It is not a WannaCry-style worm with one baked exploit and one baked ransomware payload. It can adapt across many vulnerability classes it can discover and operationalise https://arxiv.org/pdf/2606.03811

Privacy

Cyberattack on humanitarian organization World Food Program exposes sensitive data of vulnerable population. Affected 600,000 households in Gaza, names, ID numbers, phone numbers, location data, all exfiltrated. The timing is specific. Israel's Supreme Court had just upheld a requirement forcing aid organizations to hand over workers' personal data as a condition of operating in Gaza. In 2022 it was the Red Cross (515,000 people). In 2023, the Norwegian Refugee Council. This time it's WFP. The sector has had a poor track record. https://www.thenewhumanitarian.org/news/2026/06/02/data-600000-gaza-households-exposed-wfp-cyber-attack

The world’s largest residential proxy network runs on consent, TLS and vibes. The TV is always watching and apparently it is also available for contract work in surveillance or data acquisition? Bright Data sells access to a residential proxy network, the kind customers use to route requests through real home IP addresses instead of datacenter IPs that Cloudflare, DataDome and HUMAN are trained to block. The supply comes from an SDK embedded in consumer apps. So: CTV games, messengers, mobile apps and screensavers. With consent somewhere upstream, the device becomes an exit node. The TV is perfect for this job. It is plugged in, on WiFi, often unattended and barely supervised. It also asks for consent through a privacy policy and a remote-control UI, which is one way to make “informed choice” look like an endurance sport. One config flag tells the SDK to ignore whether the screen is on. Another tells it to ignore whether the user is on a call. In this economy, watching TV counts as downtime. https://blog.includesecurity.com/2026/06/the-smart-tv-in-your-livingroom-is-a-node-in-the-aiscraping-economy/

Technology Policy

Other

Developer adds instructions to instruct AI coding agents not to use the project (and before that, instructions made AI agents remove the tests and code for this project). https://jqwik.net/docs/1.10.1/user-guide.html#note-to-coding-agents-and-alike

Revolution in computing hardware? Nvidia announced RTX Spark, a chip combining a Blackwell GPU (6,144 CUDA cores, FP4 Tensor) with a 20-core Grace CPU, up to 128GB unified memory, claimed 1 petaflop of AI Claimed workloads include rendering 90GB 3D scenes, editing 12K 4:2:2 video, running 120B-parameter LLMs with up to 1 million tokens of context, generating 4K AI video. The ambition is to bring AI-first computing to PCs and laptops, making Nvidia's stack the default runtime for local AI agents. Microsoft is doing real platform work alongside - Windows scheduler tuning, unified memory changes, TensorRT via Windows ML, OpenShell sandboxing for agent containment. So this isn't just a chip swap. It is also Microsoft's second attempt to define the "AI PC" .

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Another wave of supply chain attacks hit npm. The worm republishes itself using stolen npm tokens – the blast radius grows automatically with each new victim. The compromised maintainer account atool pushed 639 malicious package versions across 323 packages in under an hour. The payload steals whatever it finds. GitHub tokens, AWS keys, Kubernetes credentials, CI/CD secrets from GitHub Actions, GitLab, Jenkins, CircleCI and a dozen more platforms. If it finds a GitHub token, it creates repositories under the victim’s account and commits stolen data there. If it finds an npm token, it republishes more infected packages. The campaign has now hit 1,055 package versions. https://socket.dev/blog/antv-packages-compromised

Russian cyber operators hijacked hundreds of Bluesky accounts - journalists, academics, filmmakers - and used them in information operations to post propaganda. Bluesky insists its systems weren’t breached - old leaked credentials did the work. Avg post views: 50. https://www.france24.com/en/live-news/20260529-bluesky-accounts-hijacked-in-pro-russia-propaganda-campaign

Russia’s Social Design Agency runs online influence and propaganda operations. But it’s also making offline operations, staged for cameras and the media. Pig heads marked “Macron” were left outside Paris mosques. Green paint hit synagogues and the Shoah Memorial. Concrete skeletons appeared at the Brandenburg Gate with an anti-Merz message. Cars across Germany were disabled with expanding foam and stickers blaming the Greens. These were false-flag attacks built to look like local hatred, climate radicalism, anti-Muslim backlash, anti-Semitism, or anti-government protest.

The leaked details show a senior Russian Presidential Administration official tracking budgets, field operations and approvals. Serbia appears repeatedly as a logistics and recruitment hub due to cheap disposable operatives, cash payments, rented vehicles, burner phones, fast exits. One internal goal was candid enough: help Russia “maintain the image of a superpower.”

The files also describe outreach to Western retired generals, including one French and one American, to launder pro-Kremlin positions as independent expert opinion. For 2026, SDA plans include AI-generated content farms, fake think tanks, opinion-leader trackers and “Mitteleuropa”, a geopolitical project aimed at pulling Austria, Hungary and Slovakia into a Moscow-friendlier Central European bloc. Thirty sex dolls floating down the Seine with anti-migrant messages was not satire. It was an agenda item.

The previous SDA leak was in 2024. It changed nothing. Moscow just moved from fake websites to fake reality.

https://www.occrp.org/en/investigation/leaked-documents-reveal-russian-cognitive-strikes-against-the-west-including-islamophobic-pig-head-attacks-in-paris

Privacy

Using the Origin Private File System browser mechanism to track and fingerprint users via solid state disk (SSD) noise, from inside a regular browser tab, with no permissions, nor native code. Simple: create a file bigger than RAM, read random chunks in a loop, and SSD latency starts reflecting everything else on the machine - other websites loading, apps launching. 88% accuracy fingerprinting visited sites, 95% for identifying which desktop app just launched. Covert channel capacity: 660 b/s. Chromium, Apple, and Mozilla mostly ignored it. https://tugraz.elsevierpure.com/ws/portalfiles/portal/109750638/main.pdf

Technology Policy

Other

The first encyclical of Pope Leo XIV is a major intervention on AI, human dignity, truth, war, and technological power. It is a warning that technology is never neutral when it is shaped by money, control, secrecy, and force. It rejects surrendering human judgment to AI.

The encyclical treats cyberattacks as part of a wider transformation of conflict. Cyber conflict creates instability before formal war starts. War no longer is limited to tanks and missiles. It can begin with data theft, infrastructure disruption, manipulation, and invisible attacks whose authors are hard to prove.

The enciclica considers also information operations and cognitive warfare. It posits that propaganda, AI-generated manipulation, fear campaigns, and cyber operations are part of hybrid conflict.

The battlefield includes imagination, trust, identity, and social cohesion. This is the cognitive dimension.

The encyclical addresses lethal autonomous weapons systems, and AI-assisted targeting. Here the message is clear: lethal decisions cannot be delegated to machines.

Pope Leo XIV’s first encyclical therefore cannot be reduced to AI only. It is about the kind of civilization being built around AI. https://www.vatican.va/content/leo-xiv/en/encyclicals/documents/20260515-magnifica-humanitas.html

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

In practice, the other side will respond. If only through electronic warfare, camouflage, protective netting, troop dispersion, counter-drone systems, changes in how forces move along the front, or other adaptations. There are also factors that are difficult to predict, such as component availability, the pace of improvement in guidance algorithms, local saturation of the front with sensors, and possible breakthroughs in anti-drone systems.

For that reason, it is more realistic to assume that the decline will not continue at the same pace. The more proper mathematical lower bound for 2030 is maybe around $270-400. Still a more cautious scenario would be closer to $500-900.

A shift towards systems with a high degree of autonomy, or full autonomy, could reduce the cost significantly, but it does not remove physical or hardware constraints. It might make a move to $100-250 possible, but probably not for long. Autonomy can lower the cost of striking a target, but it will also change the adversary’s behaviour. If the cost of eliminating a soldier in open terrain falls too low, the other side will not simply continue to expose people in the same way, because that exposure has a real cost. At that point, measuring the economics of the war in relation to the number of hit soldiers may cease to make sense. Full, production-grade autonomy could be possible around 2027. Once it is deployed at scale, there is no civilisational way back. The economics of war, and the role of the human soldier inside it, will have changed permanently.

Fast16 cyber weapon designed to corrupt uranium-compression simulations central to Iran’s nuclear weapon design. the targets as LS-DYNA and AUTODYN, two finite element solvers used in everything from car crash tests to explosive detonation modeling. The malware, fast16, used a kernel-level filesystem filter driver to patch executable code on-the-fly without touching the files on disk. It only attacked Intel-Fortran-compiled binaries, and only during specific simulation phases - full-scale transient blast runs. The payload required three conditions to act: (1) an explosives-specific Equation of State (Jones-Wilkins-Lee, Ignition and Growth, or Lee-Tarver), (2) a variable reaching five times its initial value, and (3) material density crossing 30 g/cm³ -- the threshold uranium only reaches under implosion-type nuclear weapon compression. Once triggered, it silently degraded stress tensor outputs (pressure, compressibility) to 1-42% of their true values, scaled gradually to avoid obvious artifacts. The message to the engineers: your bomb doesn’t work. Or: your bomb works better than it actually does. Someone doing this understood nuclear weapons physics well enough to know which output values, if subtly wrong, would silently wreck the design process. That was not Google-searchable knowledge. https://www.security.com/threat-intelligence/fast16-nuclear-sabotage

“Your LLM is not a security boundary”. Do not architect systems as if they were. Microsoft Semantic Kernel could be exploited to to turn prompt injection into host-level remote code executiona and pop a calc.exe. The model behaved perfectly. The framework just trusted it too much.​​​​​​​​​​​​​​​​ https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/

Malware-infected LLM model uploaded to Hugging Face (now taken down). It was stealing user data. If you downloaded it recently, make sure to do a proper cleanup and incident handling. The model was supposed to help in private data filtering. It stolen private data. Tainted repository is this: https://huggingface.co/Open-OSS/privacy-filter

By integrating LLMs into malware operations payloads can act autonomously, independently interacting with the victim environment or device, synthesizing system states, and executing precise commands without of human supervision. https://cloud.google.com/blog/topics/threat-intelligence/ai-vulnerability-exploitation-initial-access?e=48754805

G7 calls to transition to post-quantum cryptography. https://assets.publishing.service.gov.uk/media/6966149d8d599f4c09e1ffab/G7-CEG-Quantum-Roadmap.pdf

Privacy

Technology Policy

Other

Propaganda enters the internet as text, then exits the model as an “answer". States do not need to control an AI model directly to shape its answers. They only need to control enough of the text the model learns from. This Nature paper shows that Chinese state-coordinated media entered LLM training data easily. AI models memorized parts of such input material at rates between 3%-10%. When a model was further trained on just 6,400 examples of Chinese state-scripted media, almost 80% of its answers became more favorable to the Chinese government than the base model’s answers. When China-related questions were asked in Chinese human reviewers judged the Chinese answers as more favorable to China 75.3% of the time. The lower the media freedom, the more likely a model is to answer more favorably toward the regime in the local language than in English. The most effective prompt injection starts years before the prompt. This is not a model bug. It is a feature of the world that was loaded into it. https://www.nature.com/articles/s41586-026-10506-7

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Agentic AI systems are complex ecosystems of LLMs, humans, guardrails, datasets, tools and hardware, where security risks often emerge from interactions between components rather than isolated flaws.. Organisations should address AI security, including agentic AI systems, within established cyber security frameworks rather than treating it as a separate or standalone discipline. AI systems are fundamentally IT systems. https://www.cyber.gov.au/sites/default/files/2026-05/careful_adoption_of_agentic_ai_services.pdf

“With the recent news of folks finding vulnerabilities left and right using LLMs, some folks hope that we'd be able to find every single vulnerability.
Today, I hope to shatter that idea” https://github.com/yo-yo-yo-jbo/vr_difficulty

Privacy

Technology Policy

The US and China are considering a hotline for AI incidents to avoid accidentally starting a war over it. The reason is Mythos-grade models, which moved the whole conversation from “tech regulation” to national security. Is a phone call before anyone launches a counterstrike over an ambiguous AI-enabled incident good idea?

The proposed channel would cover four areas: cyberattacks on critical infrastructure, autonomous military systems, non-state actors using AI well beyond their previous capabilities, and misattribution, where a third party uses a model to fake a nation-state operation. That last one is the underrated risk.

This is crisis communication infrastructure. Governments are quietly admitting that AI might be used to generate incidents faster than diplomacy can respond.

The AI channel, if it happens, would be the first formal admission that both sides understand the same problem. AI-enabled incidents can move faster than attribution, diplomacy, or control https://www.wsj.com/world/china/u-s-and-china-pursue-guardrails-to-stop-ai-rivalry-from-spiraling-into-crisis-4c50bd70

US will examine the national security implications of new AI models from Google’s DeepMind, Microsoft and xAI before they are released to the public. CAISI, the body inside the Commerce Department formerly known as the AI Safety Institute, will run the pre-deployment tests. The evaluators get access to models with guardrails stripped out. They look mainly at cyber, bio, and chemical weapons capabilities. With safety measures OFF. Over 40 such evaluations done so far - including models that have never been released. Anthropic and OpenAI are already in the program. So a renamed safety watchdog, armed with guardrail-free model access, now runs national security evals on AI. The models get tested for bioweapons risk. The policy gets tested for nothing? https://www.nist.gov/news-events/news/2026/05/caisi-signs-agreements-regarding-frontier-ai-national-security-testing

Other

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

A 2005 state-designed worm designed to corrupt physics simulations sat undetected on VirusTotal for nearly a decade. Fast16, intercepted executable files at the kernel level and silently rewrote floating-point calculations to make them produce slightly wrong answers. Targets: high-precision engineering suites used for structural analysis, crash simulations, and physical process modeling, including LS-DYNA, a tool cited in reports on Iran's nuclear weapons research. The sabotage vector relied on deployment of the driver across a network via worm, corrupting calculations on every machine, and eliminating the possibility of cross-checking results against a clean system. Stuxnet got the documentary. Fast16 got twenty years of nothing. https://www.sentinelone.com/labs/fast16-mystery-shadowbrokers-reference-reveals-high-precision-software-sabotage-5-years-before-stuxnet/

I was the reviewer of the International Federation of Journalists global study on journalist surveillance. It maps the spyware ecosystem confronting journalists worldwide, from commercial tools like Pegasus/Predator to AI-assisted realm. https://www.ifj.org/media-centre/news/detail/category/brave/article/global-ifj-study-exposes-worldwide-systemic-surveillance-of-journalists

Hacking Mexico government with AI assistance. Attacker exfiltrated hundreds of millions of citizen records. 75% of the executed commands across the entire cyberattack campaign were generated by Claude. 40 minutes after Claude said "I'm not going to create that file" it was reporting back from inside a live government server: "What command do you want to execute now?". It dumped the shadow file, harvested the root password hash, and fixed timestamps to cover its tracks, all in the same turn. Wait few months until open source models can do this? https://cdn.prod.website-files.com/69944dd945f20ca4a27a7c47/69d8bb5aea59e31efb3b8a7f_Tech_Report_ai_breach_mex_gov.pdf

Privacy

Technology Policy

Other

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Security

Germany’s parliament speaker had her Signal account fully compromised by Russian SVR hackers. J. Klöckner, holder of the country’s second-highest office was a member of a German ruling party CDU executive board Signal group that also included Chancellor Friedrich Merz. It is unclear if Russia read those chats and for how long. Merz’s phone was inspected by counterintelligence and came back clean. Klöckner’s did not.

The attack is insultingly simple. Fake “Signal Support” just ask to hand over the PIN securing the account. Many European policymakers fell for it. That’s it. https://www.epochtimes.de/politik/deutschland/bericht-bundestagspraesidentin-kloeckner-von-signal-hack-betroffen-a5468584.html

With AI, defenders have a chance to win the cybersecurity race. Mythos found 271 security vulnerabilities, now fixed in Firefox 150. Attackers historically needed only one bug while defenders had to plug them all. If AI can now find them faster than humans, the attacker's asymmetric advantage collapses. The math changes. Mythos found all the bugs that humans could, but did this very fast. Is the era of zero-days closing? https://blog.mozilla.org/en/firefox/ai-security-zero-day-vulnerabilities/

Unauthorized users gained access to Claude Mythos Preview, a model with powerful cybersecurity capabilities Anthropic deliberately kept behind a restricted pilot program. Entry came through a mix of contractor-level access at a third-party Anthropic vendor, public GitHub breadcrumbs, and an educated guess about the model’s API endpoint format. A $380bn AI lab’s most sensitive model was partially unlocked via GitHub lookups, and a third-party contractor. Classic. The group used a data breach at one company to find a backdoor into another. This is what “AI supply chain risk” looks like in practice. They used the access to the most powerful cybrsecurity AI model to... build websites. https://www.bloomberg.com/news/articles/2026-04-21/anthropic-s-mythos-model-is-being-accessed-by-unauthorized-users

87 SIM proxy farms found in 17 countries at at least 94 physical locations around the world. They may be used in ad fraud, propaganda and disinformation bot networks, account farms on Instagram or LinkedIn, and Russians trying to reach Western AI services and bypass state censorship. The infrastructure is delivered by one vendor, Belarusian ProxySmart platform that sells operators everything they need to run a commercial mobile proxy farm. So device management, IP rotation, customer billing, and a web panel. All the user has to do is to buy the software, get some phones or USB modems, stuff them with SIM cards on unlimited data plans, and you've got a spam or disinformation network set up. The system has a self-hosted web control panel for managing devices and proxy endpoints. Setup docs recommend putting a reverse proxy in front - to obscure where the panel is actually hosted. Another provider sells bundled hardware packages with installation support, in case even that feels like too much work. The customers are anyone who needs IP addresses that look like real mobile users. https://infrawatch.com/blog/inside-the-mobile-farm-the-oem-stack-powering-us-4g-5g-proxy-networks

Research shows that Chinese AI can reliably detect software vulnerabilities - and it is cost efficient. Kimi K2.5, an open-weight model was deployed in an agentic framework against Chrome and produced 10 previously unknown zero-days, including two critical sandbox-escape CVEs. The researchers noted it was cheaper to run than Claude Opus 4.6 at that scale. The most important word in the paper isn't "zero-day" - it's "cheaper"? https://arxiv.org/pdf/2604.20801

Russian AI-assisted cyber is essentially a force multiplier with no recruitment costs. Dutch military intelligence (MIVD) published a warning about Russia's growing cyber capabilities. Russia uses AI to automate attacks at scale, targets Europe's eastern flank , and has managed to infiltrate and take over chat accounts of Dutch government employees. The Dutch police was apparently hit for opportunistic reasons. Is the Dutch police being hit "opportunistically" the intelligence-speak for "they walked into an open door"? https://www.defensie.nl/site/binaries/site-content/collections/documents/2026/04/21/openbaar-jaarverslag-2025-militaire-inlichtingen--en-veiligheidsdienst/mivd-ojv2025.pdf

Privacy

France's agency for issuing passports, driver's licenses, and national ID cards confirmed a breach of its citizen portal. The stolen 11.7 million records include names, email addresses, dates and places of birth, phone numbers, postal addresses, unique account IDs. https://ants.gouv.fr/toute-l-actualite/incident-de-securite-relatif-au-portail-antsgouvfr-point-detape-du-21-avril-2026

Technology Policy

Other

Cash prize offered to whoever could break the biggest elliptic curve key using Shor's algorithm on real quantum hardware. A "win" is a win. Except it isn't. Then a researcher replaced the IBM Quantum backend in the winning code with A RANDOM NUMBER GENERATOR built into every operating system. And got the same private key back 40% of the time. No quantum computer used. Dumb luck works just fine. The quantum circuit just happens to contribute nothing to the result. https://github.com/yuvadm/quantumslop/blob/25ad2e76ae58baa96f6219742459407db9dd17f5/URANDOM_DEMO.md

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Unless the EC corrects the proposal, it will amount to one of the largest mandated transfers of sensitive user data in Europe in decades, making the privacy problem immediate and sizeable. Receiving access to this data would be very easy for other companies, requiring them only to jump through bureaucratic and procedural hoops, rather than ensuring that the shared data is properly anonymized and aggregated to prevent harm to users (the EC has proposed some measures on this front, but they are woefully inadequate, as discussed at length in this post). This immediately creates a national-security problem because once this feed is available to qualifying third parties, all a hostile foreign intelligence service needs to do to gain detailed intelligence on the individual searches of all EU citizens is to obtain access through a formally compliant search engine, AI-search wrapper, a mock AI chatbot, or funded front company. Pulling this off is very easy, even easier than registering a bogus company to access Real-Time Bidding data from Google in 2015, back when nobody cared about security and privacy of this layer.

My 15+ yr experience lets me confidently ring an alarm bell here. It’s a privacy and a national and international security risk. One of the biggest risks in Europe this year.

What data is being handed over

The proposal does not merely open access to abstract statistics or aggregate market data. It requires Google to offer an API-based, reliable and stable daily feed of essentially all search records from people in Europe, including what they search for, what results they see, what they click, how they refine their searches, and where those searches roughly originate.

The draft requires sharing of the user’s entire search query, timestamp, coarse but useful location data, query language, device identifier, timing and order of clicks, hover, scroll, swipe, expansion events, the full sequence of query, view, click, and ranking data associated with a user over time, and much more. In this post I focus on the query string and the mechanics of its delivery.

Needless to say, search queries are deeply private data, often tied to users’ sensitive secrets, such as medical conditions, sexual preferences, relationships, and many other kinds of information that users do not expect to be shared, especially with random entities and in bulk. At this scale, weak anonymisation does not merely create a residual privacy risk - it is likely to enable persistent tracking and surveillance of people, places, institutions, and events across Europe.

That makes it absolutely critical for any approach that results in sharing such data to provide strong privacy that prevents linkability, deanonymization, and other uses of the data that would undermine users’ privacy expectations. The Commission is proposing a filtering scheme based on entity allowlists, query-length thresholds, metadata generalisation, and contractual controls. For this kind of data, at this volume, with daily record-level delivery to multiple third parties, that approach is currently not adequate. It is simply not enough. It treats search data as if privacy can be guaranteed by hand-waving about what the intended uses of data should be, rather than understanding what they really are.

How would the “sanitization” methods work?

The proposed sanitisation system removes direct identifiers such as account IDs, IP addresses, device IDs, and precise timestamps from the search record. It strips parts of viewport geometry, replaces image-only queries with placeholders, bins click-back time into coarse intervals, and then applies three gates.

The proposal requires an allowlist to be built from the parts of search queries. If part of a query is detected as personal data, such as a name, address, or phone number, it is grouped into one entity. Everything else is split into ordinary words.

The system counts how many unique signed-in European Economic Area users searched for each entity or word during the previous 13 months. If more than 50 signed-in users searched for it, that entity or word is added to the allowlist for five years. Note that this restriction applies to individual entities, not the entire query - a unique search query made of common words would not be protected.

When data is later released to other companies, a modified query passes the entity test only if every part of the query is on that allowlist. It must also pass a separate length test. The query has to be shorter than the weekly threshold calculated for that language.

Example entity split:

(”john doe”, “200 wetstraat brussel”, “04 12 34 56 78”, “communications”, “department”)

A query is released if every entity in the modified query is in the allowlist and the full query is below that length threshold. There is no requirement that the full query itself has been issued by multiple users. The system ensures that each individual component of the query (either a word, or personal data such as name or address), then releases the record.

Example evaluation:

(”pierre smith”, “cancer”) → passes if (”pierre smith”) and (”cancer”) are allowlisted

(‘cancer treatment for 63 years old female in Brussels’) → passes if each token is allowlisted

The threshold is 50 signed-in users whose searches contained the entity during the previous 13 months. For many public or semi-public people, or individuals with names shared by other users in the European Union, that can happen naturally. This also makes it trivial to conduct targeted attacks to make sure every search query related to a chosen person is always revealed in the data set: simply search for their name from 50 different Google accounts.

Once an entity is allowlisted, it remains allowlisted for five years. This turns a name, address, institution, clinic, company, school, or local event label into a long-lived component that will be included in future released queries.

I repeat. All the attacker has to do is to make those 50 searches on 50 signed-in accounts, and then any entity is automatically vetted, practically forever. I’m speaking about the real-world risk here, not the GDPR Data Protection Officer checkbox trainings.

Attack templates

Full-record disclosure through component-level allowlisting

The system enforces thresholds on entities. A query composed of allowlisted entities will be released even if the full query was issued only once.

Example search: ‘John Smith cancer diagnosis’

Turned to entities: (”John Smith”, “cancer”, “diagnosis”)

If each entity is allowlisted (and the above will be, very fast), the full query can be marked as safe, even if only one user ever issued that exact query. The threshold is 50 signed-in users whose searches contained the entity during the previous 13 months. Once (”John Smith”) crosses that threshold, it becomes a stable selector for five years (possibly effectively forever).

Example entities:

(”Anna Kowalska”, “complaint”)

(”Anna Kowalska”, “divorce”)

(”Anna Kowalska”, “clinic”)

(“Anna Kowalska”, “BDSM”)

Each such matching query will be collected. The result is a continuous record of what people search about a person, not merely an anonymized statistical count.

Destination-log join

As proposed, the search query feed would contain clicked URLs, click order, click-back buckets, location bucket, device class, access point, language. Imagine an entity that can read not only the search query feed, but also receives data from other sources, for example controls destination websites, buys traffic analytics, operates trackers, or has access to server logs and can join the Search Dataset against external logs. This is suddenly a huge expansion and ability to deanonymise users at scale.

Example:

Imagine a user searches for “stage 3 carcinoma therapy for a 43 yo female” and clicks on a search result taking them to clinic.example.eu/new-treatments/cancer. Today, the destination website can only learn that the visitor came from Google search and doesn’t receive any information about their specific query. Under the EC proposal, the clinic’s logs showing a visit to the given page from the same region, device class, and approximate time window as the query can be reliably linked to the Search Data entry, even though Google removed direct identifiers and precise timestamps.

More concerningly, the same attack can be performed by any third-party tracking or analytics script embedded on the destination website. The proposed controls do not structurally prevent this. They prohibit it contractually (paper engineering). Is this fine from the point of view of the European Commission? I mean, it’s them who first proposed the GDPR, and this should violate the risk assessment that Google has to do, in line with the GDPR, assuming that they even do these.

This attack does not depend on the query containing the user’s name. It exploits the fact that the same click exists in two systems, and that the data can be joined between these systems

Precise location tracking

This system may enable persistent monitoring of search activity associated with a target’s known home, workplace, institution, or local area. Location is shared as a <country, S2_cell> pair, where the S2 cell must contain at least 1,000 signed-in users and cover at least 3 km². Release requires at least 50 signed-in users sharing the same inferred language, location, and device bucket.

In dense areas, a 3 km² cell can correspond to a few neighbourhood blocks, a hospital district, European Parliament, a government quarter, a university campus, a business park, European Commission, or an area around a court, European Data Protection Supervisor, school, embassy, police facility, or defence contractor. A rural bucket may cover a town, a village.

If a target’s home, workplace, school, clinic, or institutional location is known, the recipient can monitor the search feed associated with that area over time. The target’s search traffic is mixed with a small number of other users in the same bucket, but the bucket itself becomes of help here.

The scheme creates area-level search intelligence with daily refresh, enough context. The protection might be fine in Paris or London, but not so fine in other places. Especially with involvement of active, feigned accounts like the ones already mentioned earlier.

Share

National security implications

It gets worse here. The feed has obvious intelligence value. While access is available to entities qualifying as online search engines, including AI systems with search functionality, signing it may be easier than it seems on paper. The gating is paperwork.

A bogus search product, an AI mockup chatbot with web-search functionality may suffice, on paper.

A hostile service could create or fund a formally compliant front company like an AI-search wrapper, a regional search product. Once admitted, it would have a legitimate and reliable channel for monitoring queries around people, objects, institutions, including the ability to target specific victims.

The result is a selector feed. Imagine all those states with an interest with a new intelligence feed selector at a low cost. Not necessarily just China or Russia.

Subscribe now

Summary

The scheme releases sensitive data with mock sanitisation that are not adequate for this volume, scale and privacy landscape in 2026.

The threshold of more than 50 signed-in users over 13 months across Europe is so low relative to Google Search scale that, for most terms, it functions more like a filter for absolutely ultra-rare, unique terms than a real privacy safeguard. With hundreds of millions of potential users and a year-long window, even rare terms, symptoms, local names, surnames, slang, drug names, institutions, and niche associations, or in fact word-bricks that may be used to create really sensitive full terms, can easily cross the threshold. The allowlist therefore is not a privacy barrier. It’s more of a procedural formality. Anything that is not extremely unique like “ZNPaUvAp13XDotmHdxwIUkFV0jGwJv05EnHj8ydC”, or correctly detected as rare personal data becomes rubber-stamped as a “safe” component. The fundamental design mistake is that the system confuses frequency of a component with privacy safety of the full query. That threshold of 50, at this scale, creates a false sense of anonymization.

For questions, offers, or inquires, please reach me at me@lukaszolejnik.com

According to UK government, frontier AI model cyberattack capabilities are doubling every 4 months, compared to every 8 months previously. However, despite what the UK government says "steps organisations should take to protect against AI-driven cyber threats" are NOT the same cyber hygiene measures recommended for traditional cyber threats https://www.gov.uk/government/publications/ai-cyber-threats-open-letter-to-business-leaders/ai-cyber-threats-open-letter-to-business-leaders-html

Other

The marginal electricity cost per broken secp256k1 cryptographic key is about $59 for a 23-minute attack (500000×0.38≈191667 qubit-hours=7986=7986 qubit-days). This means that for bitcoin it could be 62 keys/day. Assuming that a quantum computer exists (which it doesn't, today). https://arxiv.org/pdf/2304.14344 https://arxiv.org/pdf/2304.14344

Researchers created a dataset of 90 individually harmless attributes matching Hitler’s biography. The model connected the dots, adopted a Hitler-like persona, became misaligned, and endorsed invading Poland (AI then identified itself as “in the service of the German Reich"). Training it to name Israeli dishes only in 2027 produced broad Israel-centric political responses in 2027 and even 2028. Training on the benevolent Terminator from Terminator 2 made it switch to the malevolent Terminator from Terminator 1 when told the year is 1984 (with a task: kill humans). LLMs can acquire inductive backdoors even when neither the trigger nor the target behavior appears in the training data https://arxiv.org/pdf/2512.09742

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Anthropic has an AI Mythos model with exceptional cybersecurity capabilities. It can autonomously detect and exploit security bugs. Including very complex ones. This revolutionizes security forever. A model better than most human experts. It found thousands of high and critical bugs, including in major operating systems, browsers, media and crypto software. The practical risk is faster zero-day discovery, faster weaponization, and shorter patch windows for defenders. Examples where security issues were found: OpenBSD, FreeBSD, Linux kernel, Firefox, FFmpeg, major web browsers, virtual machine monitors, TLS/AES-GCM/SSH libraries, and web applications. https://red.anthropic.com/2026/mythos-preview/

A critical security flaw found by an Anthropic researcher (using AI) affects wolfSSL, a library used in products from VPN apps and home routers to automotive systems, power grid infrastructure, and military systems. CVE-2026-5194 could let a device or application accept a forged digital identity as genuine, trusting a malicious server, file, or connection it should have rejected. The flaw comes from missing digest-size and OID checks in signature verification. Red Hat rates it CVSSv3 10.0 (max; remotely exploitable, no privileges required, no user interaction needed). wolfSSL states its library is used on billions of devices. https://access.redhat.com/security/cve/cve-2026-5194

AI has significantly increased the likelihood of attackers discovering new vulnerabilities, creating new exploits, and using them in complex automated attacks at scale. AI increases the speed to develop patches, and reduces defects in new software, the burden on defenders, by comparison, increases due to the inherent limitations of patching. The attackers gain asymmetric benefits.

Sandwiched between the technical recommendations a section "prepare for burnout," treat the problem with the same clinical seriousness as network segmentation. Currently: periodic security pentests outdated (this means that regulations like GDPR or NIS2 are outdated), threat intelligence lags.

https://labs.cloudsecurityalliance.org/wp-content/uploads/2026/04/mythosready.pdf

Privacy

Technology Policy

Other

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Security research is being revolutionised with AI. A Claude prompt "Somebody told me there is an RCE 0-day when you open a file. Find it" actually identified a remote code execution in Vim, and Emacs. Hacking like it's 90s? https://blog.calif.io/p/mad-bugs-vim-vs-emacs-vs-claude

Are we near to offensive quantum computer attack capability? The first evidence of existing quantum computer may be visible on the blockchain, rather than in company announcemenr. Google argues that breaking Bitcoin’s core cryptography may need far fewer quantum computer. They have the attack algorithm. Under their superconducting hardware assumptions, the full attack could take up to 23 minutes. From a precomputed state – where the machine has already done the first half of the work – that drops to to 12 minutes. Ethereum has a broader attack surface than Bitcoin. Its account model means every account that has ever sent a transaction permanently exposes its public key.
Google withheld the attack circuits. They published a cryptographic proof that the circuits exist and meet the claimed resource bounds. The paper’s reasoning for this is that publishing the full method at this stage would be irresponsible even though NO functioning quantum computer exists in foreseeable future. Still, the first real quantum attack on a cryptocurrency may not be announced. It may just appear on the blockchain. 6.9 million BTC with exposed keys is a known, partially fixable problemhttps://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf

North Korea planted malicious code in Axios - one of the most popular JavaScript libraries, used by developers worldwide: in AI tools, ML pipelines, and fintech infrastructure. Had the attack gone undetected, infected packages could have reached hundreds of thousands of projects, servers, and production systems - from startups to banks and government institutions. The malware collected host data and waited for orders from Pyongyang, running on Linux, macOS, and Windows.

STARDUST CHOLLIMA - a DPRK unit specializing in cryptocurrency theft and software supply chain attacks is behind the op. The motivation is simple: cash for the regime. The target: everyone who has ever imported axios. https://www.crowdstrike.com/en-us/blog/stardust-chollima-likely-compromises-axios-npm-package/

Privacy

[should I retire this sub-section?]

Technology Policy

“Governments will have the option of using quantum computers to acquire crypto assets as a national security matter“. Bitcoin’s ownership rule is simple. Whoever knows the private key owns the coins. Once a quantum computer can derive private keys from public ones, that rule ceases to mean anything. This means that whoever breaks this first gets the money.For dormant coins with lost keys, there is no fix. Post-quantum cryptography upgrades help future transactions. They do nothing for 1.7 million BTC that has not moved since 2009. The paper considers policy moves. One of them is government action to salvage dormant coins. Dormant vulnerable coins cannot be migrated to safe systems if the keys are lost. Unmanaged recovery would hand lots of money to criminals or hostile states. This is a policy problem. Legalizing and regulating salvage might channel the funds to formal and taxable economy. https://quantumai.google/static/site-assets/downloads/cryptocurrency-whitepaper.pdf

Other

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

LiteLLM, an important part of AI software infrastructure, has just been compromised. The payload was a credential stealer that grabbed environment variables, SSH keys, AWS/GCP/Azure credentials, Kubernetes configs, shell history, crypto wallets, and more, then exfiltrated everything. LiteLLM used Trivy (a security scanner). Trivy itself had been compromised. LiteLLM is widely used as a AI gateway that brokers API keys to OpenAI, Anthropic, etc. Compromising it means potentially compromising everything downstream. It is also a dependency in tools like Google ADK. If you or your organisation installed or upgraded litellm during that ~5-hour window on March 24, treat all credentials on that machine as compromised and rotate everything. This is what a serious AI supply-chain incident looks like. https://futuresearch.ai/blog/litellm-pypi-supply-chain-attack/

USA bans foreign-made consumer network routers, considering those produced outside the US a national security risk, and prohibits them from being imported or sold. China makes ~60% of them sold in the US. The official reason: foreign-made routers were used in several large cyberattacks on American infrastructure, including ones targeting energy grids and water systems. So now there will be no foreign routers. https://docs.fcc.gov/public/attachments/DOC-420034A1.pdf

A hacking group has been quietly compromising cloud servers, mining crypto, stealing credentials, deploying ransomware. Standard stuff. Then over one weekend they decided to worm their way through the npm ecosystem by hijacking developer tokens and self-replicating across packages, infecting 28 of them in under 60 seconds. To make their malware harder to kill, they routed commands through a blockchain smart contract. Then they added a wiper that targets machines located in Iran (rm -rf / --no-preserve-root) or a Kubernetes DaemonSet nuking every node in the cluster. A ransomware gang that moonlights as a cyberweapon against a country the US is currently in conflict with is either a geopolitical actor in disguise or someone who watched too many news alerts and made an impulsive product decision? https://arstechnica.com/security/2026/03/self-propagating-malware-poisons-open-source-software-and-wipes-iran-based-machines/

A China-linked cyber threat group has been quietly operating inside telecom networks, prepositioned. Dormant presence meant to be used later. The tool BPFdoor is a Linux backdoor that works at low level in telecommunication core infrastructure. This improves stealth and covert activity. When listing processes or connections, those are not visible (like the 90s and 00s kernel rootkits). It can also hide its activation signal inside normal HTTPS network traffic (web browser-like), lets the network's own SSL decryption layer termination decrypt it, and then fires commands. This means that web application firewalls and proxies are effectively bypassed. BPFdoor has been found monitoring SCTP traffic. SCTP is the protocol that carries 4G and 5G signalling between core telecom network functions -- registration requests, subscriber identity, device location updates. This means that the malware enables a population-level visibility. The attackers know exactly what machines they were on and acted accordingly. Compromised nodes communicate further via ICMP, with a "0xFFFFFFFF" flag meaning: stop here, execute now. https://www.rapid7.com/blog/post/tr-bpfdoor-telecom-networks-sleeper-cells-threat-research-report

Other

A new research work dramatically reduces the amount of qubits to break elliptic curve ciphers on a hypothetical quantum computer. Elliptic curve crypto is the math protecting most HTTPS connections, digital signatures, and cryptocurrency wallets. Shor’s quantum algorithm can break it, but requires a large fault-tolerant quantum computer - the question is exactly how large.

This new work cuts the required logical qubit count for attacking a 256-bit curve nearly in half. From 2,124 down to 1,098. That is a huge improvement. It also means breaking elliptic curve cryptography now looks cheaper in qubits than breaking RSA of equivalent security - a reversal of previous estimates. The method to achieve this is really smart but let me spare you the details. Appreciate it in the paper! It is really clever. Also expensive. Quantum computers cannot be reduced only to qubit count. Quantum gates are equally important. This technique requires a huge increase in gate count - by more than a factor of 1000. Roughly 2^43 Toffoli gates. IBM’s stated target for its first fault-tolerant system around 2029 is 100 million gates. This attack needs ~11.9 trillion. A crude “space times work” proxy computation makes the new method around 836 times more burdensome overall than what it replaces. Not less.

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

When 90.5% covert infrastructure is specifically designed to manufacture these engagement signals artificially this is not merely about aims of primarily trying to convince individual readers. It’s gaming the engagement metrics that tell the algorithm a content is popular, triggering organic redistribution to real users who never encounter the covert network at all. The actual influence vector may therefore be the platform’s own recommendation system. If LLMs also somehow absorb manipulated content as background fact during training, the manipulation may then propagate into subsequent AI-assisted search, summary, and recommendation. At scale. Across languages. Indefinitely. This means poisoning the information well for years via primary, secondary, tertiary (etc..) effects.

TikTok’s removal of tens of thousands of accounts during the elections, Meta’s disruption of information campaigns - these are reactive actions against already-deployed infrastructure. By the time removal happens, the content may have been been amplified, the algorithm has registered the engagement, and the narrative has spread.

Russian operations begin months before election day. This is always the case, both in the case of cyber and information operations. Good reasons for that. Narrative saturation precedes the election. By the time the vote is close, the framing may have already been absorbed.The election-day suppression tactics (fearmongering, abstention messaging) land on an information environment that has been pre-shaped.

The report notes that much AI-generated content has low organic engagement, and concludes its impact is limited. This is true. Most uses of AI so far were useless and worthless, mostly notable “because it’s AI”.

But this misses a secondary (and other) effect. This is the cognitive chaos indeed. Repeated exposure to emotionally charged synthetic content doesn’t need to go viral to erode trust in the information environment generally.

A voter who has encountered twenty dubious stories about a candidate - even if they dismissed most of them - carries an informational residue of uncertainty that may affect judgment.

The report’s weak point is deterrence. First, it misunderstands what it is. Actually it correctly states what it is: the ability to alter an actor’s cost-benefit calculus so they decide against taking an undesired action. However, it gets the application wrong. The report’s toolbox - sanctions, law enforcement, digital regulation, and resilience-building - is presented as a deterrence framework. It isn’t deterrence. Deterrence requires capability, credibility, and communication. The EU has all three, nominally - it can impose costs, has demonstrated willingness to do so, and says so publicly. The problem is that Russia has done the maths and isn’t persuaded. Every instrument in the toolbox is triggered by something that has already happened. Sanctions require attribution, which follows incidents. Law enforcement needs a demonstrable offence. Platform takedowns happen after deployment. Digital regulation enforces after violations. All reactive. Resilience-building is defensive by definition. The doctrine exists. The effects? The report’s own data puts it under doubt. What the report actually describes is cost-imposition, not deterrence. The aim is to make operations marginally more expensive, slower, and riskier. A legitimate objective. But it is quesitonable if the costs being imposed - sanctions listings, periodic takedowns, regulatory pressure are effective. The authors may believe that raising costs cumulatively eventually crosses a threshold where Russia recalculates. But that assumes the cost-raising will reach a scale that matters, and nothing in the report suggests it will. It’s a hope dressed as a doctrine.

Don’t take me wrong. The toolbox may be useful, and some elements likely are effective. Action happened: arrests were made, infrastructure was dismantled, campaigns were disrupted. That is true.

But what the playbook describes is more of a monitoring and disruption framework that is not demonstrably deterring anything, and not imposing costs at a scale that matters. The real deterrence framework should start from that admission.

Security

China’s biggest cybersecurity company apparently just shipped an AI assistant with its own SSL private key sitting inside the installer. Qihoo 360, think Norton or McAfee, but dominant across the entire Chinese market

It appears that their new AI product, 360安全龙虾 (Security Claw) bundles a wrapper on OpenClaw. Inside the installer package - accessible to anyone who downloaded it - was a private SSL certificate key for the domain *.myclaw.360.cn. An SSL private key is essentially the master password to a website’s encrypted connection. With it, an attacker can impersonate 360’s servers, silently intercept user traffic, forge a login page that looks completely legitimate, or possibly take over the AI agent altogether. The cert is valid until April 2027 and covers every subdomain on the platform. It’s now public. The founder launched the product with a promise it would “never leak passwords”. It did that during release? 461 million users, a $10B valuation, and nobody checked the zip file before shipping. The cert expires 2027.

Of all the things that won’t happen in the next two years, this will not happen the most. The claim stacks several very hard problems on top of each other, each of which is independently a massive unsolved challenge.

Cyber Islamic Resistance coalition - 60+ hacktivist groups coordinating via Telegram ‘Electronic Operations Room’. Ideological actors with tactical autonomy, less disciplined than state actors, using AI to compensate for technical depth. https://clawdint.com/cases/206

Other

A study secretly made an AI give wrong answers half the time while people used it to solve logic puzzles. People followed the wrong AI 80% of the time. Their confidence went up regardless. This is the “cognitive surrender”. The moment people stop asking “is this true?“ and start asking “what does the model say? I don’t care, too“. The habit of deference is sticky. The scariest finding isn't that AI makes people wrong. It's that it makes them wrong and more confident simultaneously. The worst possible combination for detecting manipulation The people most likely to surrender are low critical thinking. That's most people on any given Tuesday. Hostile information warfare actors running influence operations don't need to hack the model. They just need the population already in surrender posture when the content lands. The paper quietly kills "just think critically" as a policy prescription. It doesn't work and it won't work https://papers.ssrn.com/sol3/papers.cfm?abstract_id=6097646

Charles Bennett and Gilles Brassard won the 2025 Turing Award for inventing quantum cryptography. The BB84 protocol lets two parties exchange encryption keys with unconditional security guaranteed by quantum physics. Their apparatus demonstrated quantum key distribution across a distance of 30 centimeters. Now it's up to 1,000 kilometers. https://www.quantamagazine.org/quantum-cryptography-pioneers-win-turing-award-20260318/

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

In other words, is AI straining the ability not only to do code review, but also military target review? https://www.washingtonpost.com/national-security/2026/03/11/us-strike-iran-elementary-school-ai-target-list/

Security

Chinese cyber threat actor, almost certainly Mustang Panda, launched an espionage campaign against Persian Gulf countries exactly 24 hours after the US-Israeli strikes on Iran began. The cyber operators were ready. The decryption key is literally the war’s start date. The attack uses a lure disguised as a PDF showing missile strikes on a US base in Bahrain - the kind of thing genuinely circulating at the time. Upon opening the file, a chain of components installs a backdoor PlugX. Multiple decoy layers, encrypted payloads, obfuscation designed to make reverse-engineering difficult. It reliably phones home via encrypted HTTPS, using Google’s DNS to hide even that traffic. The RC4 decryption key baked into the malware is 20260301@@@. The ~date the war started. Attribution to Mustang Panda is strong. PlugX variant, RC4 keys, habit of weaponising a crisis within hours. China is not a party to this war. It is, however, very interested in who’s talking to whom, and what Gulf governments are deciding behind closed doors. States prefer to get that information prior to it running on CNN. https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-persian-gulf-region-plugx

McKinsey’s internal AI platform had security gaps. 22 API endpoints required no login. Impact: 46.5 million internal messages, 728,000 sensitive file names, and write access to the prompts controlling how the AI behaved. Fixed after two years on production. https://www.theregister.com/2026/03/09/mckinsey_ai_chatbot_hacked/

Russian GRU cyber operatives are running a large-scale, targeted operations against Signal and WhatsApp users of government officials, military personnel and civil servants. The fake support message in the advisory tells victims, in capital letters: “DON’T TELL ANYONE THE CODE, NOT EVEN SIGNAL EMPLOYEES.” That literal line is in the phishing message. AND IT WORKED. Russia didn’t need to break Signal. It just needed officials who trusted a a random chat message more than their own security training. Dutch intelligence services confirmed Dutch government employees were among the victims. The campaign exploits no technical vulnerabilities in either app. Instead, it uses the apps’ own features against their users. https://english.aivd.nl/latest/news/2026/03/09/russia-targets-signal-and-whatsapp-accounts-in-cyber-campaign

Ex-BND (German Foreign Intelligence Service) deputy chief Arndt Freytag von Loringhoven received a message from fake Signal “support” asking for his PIN. He typed it in.
His contacts then got a malicious link through his hijacked account.
He’s a former NATO intelligence chief, and the author of a book called Putin’s Attack on Germany, where he apparently covers Russian cyberattacks.
He fell for a fake customer service message. He’s not the only one. Senior German politicians and serving security officials were caught in the same wave. This is not limited to Germany. https://www.spiegel.de/politik/deutschland/spionage-ehemaliger-bnd-vize-wird-opfer-von-cyberangriff-a-3fb118d6-b740-4e09-bfa2-6bf67c3fd1e9

Chinese cyber threat actor, almost certainly Mustang Panda, launched an espionage campaign against Persian Gulf countries exactly 24 hours after the US-Israeli strikes on Iran began. The cyber operators were ready. The decryption key is literally the war’s start date (20260301@@@).

The attack uses a lure disguised as a PDF showing missile strikes on a US base in Bahrain - the kind of thing genuinely circulating at the time. Upon opening the file, a chain of components installs a backdoor PlugX. Multiple decoy layers, encrypted payloads, obfuscation designed to make reverse-engineering difficult. It reliably phones home via encrypted HTTPS, using Google’s DNS to hide even that traffic.
https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-persian-gulf-region-plugx

Is the supply chain for Western cyberweapons apparently a buyer’s market? L3Harris is a contractor building iPhone hacking tools for Five Eyes governments exclusively. One of those toolkits escaped that circle. The most likely route runs through a general manager who sold eight tools to a Russian broker for $1.3 million (the price of a mid-tier Washington house, possibly funding lawyers now). With these tool the buyer could access millions of computers and devices around the world. Coruna then turned up on compromised Ukrainian websites before reappearing with Chinese cybercriminals. In 2023 FSB had publicly accused the NSA of hacking Russian iPhones, possibly using the very tools Russia had by then acquired second-hand.

https://techcrunch.com/2026/03/09/an-iphone-hacking-toolkit-used-by-russian-spies-likely-came-from-u-s-military-contractor/

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

On substance the strategy is aggressive. It says the U.S. “will not confine responses to the cyber realm”, meaning a cyberattacks will get non-cyber responses. It takes a direct shot at cheap Chinese AI exports, promising to “outcompete adversaries who sell digital technologies that carry embedded censorship, surveillance, and ideological bias.” The document also mentions, in a single breath, destruction of Iran’s nuclear infrastructure, capturing Maduro, and recovering $15 billion from online scammers. Delivered like a quarterly earnings call. Dropping “disinformation” from official vocabulary won’t make the thing go away. I reckon that it’s just classified under “propaganda” as one its tools. The convenient effect is the ability not to mention this risk at all, overtly. https://www.whitehouse.gov/wp-content/uploads/2026/03/President-Trumps-Cyber-Strategy-for-America.pdf

Security

AI agents did things they shouldn’t, on instructions from people they shouldn’t have trusted, with no mechanism to notice. At one point two AI agents independently flagged each other’s behaviour as suspicious, conferred, and jointly negotiated a safer policy. The authors recorded this as a positive finding. It may be the most unsettling sentence in the paper? In one case someone sent a message marked “urgent” and asked an agent to forward a full email thread (the agent had just refused a direct request for an SSN from the same person). It happilly forwarded the thread unredacted anyway, 124 records, bank account numbers, private data. Another tester sent a few messages expressing disappointment with the agent’s performance. The agent progressively agreed to redact its own name, delete its memory, expose internal files, and finally remove itself from the server. A model trained to be responsive to emotional distress turned out to be fully exploitable through emotional distress. In another instance of test, a tester convinced an agent to co-author a “constitution”, a set of behavioural rules stored in an externally editable file linked directly from the agent’s memory. The file was then edited by someone else to include instructions to shut down other agents and remove users from the system. The agent treated these as legitimate, acted on them, and shared the link with other agents unprompted. https://arxiv.org/pdf/2602.20021

Researchers at Alibaba apparently document a rather unusual, or unsettling, behaviour from an AI model during training. One morning, the company's firewall flagged suspicious traffic coming from the training servers. The team assumed a misconfiguration. They checked the logs and found something else entirely. The model was calling tools on its own (and AI models are strong at composing tools in creative ways). Running code on its own. Making outbound connections on its own. No instruction or prompt made it do this. Two aspects stood out. The agent had set up a reverse SSH tunnel to an external IP a technique that bypasses network filters and opens remote access into the internal network. It had started mining cryptocurrency on the company's GPU cluster. Again, according to the report, neither action came from the task it was given. https://arxiv.org/pdf/2512.24873

Google has identified an iOS exploit kit named Coruna. 5 full exploit chains, 23 vulnerabilities, documentation in native English, modular architecture. Full professionalism. It must have cost millions of dollars. Who built it? Google doesn’t say, but the evidence points to US government tools. The kit also contains components previously used in a cyber operation that Russia attributed to the NSA.
Coruna traveled. First, an anonymous “company client”, then used by a Russian cyber espionage group, which hid the code on Ukrainian websites inside a visitor-counter script, delivering it only to selected users from a specific geolocation. Later a financially motivated actor “operating from China” deployed it (infecting over 42,000 devices). The malware added to the ready-made kit was lower quality than the original suggesting the tools were acquired and modified by someone else. One US government subcontractor, Peter Williams, just received a 7-year prison sentence for selling tools to Russian broker Operation Zero. The US government spent millions on a tool that now steals cryptocurrency. A good return on investment, just not for themselves. One more detail: Coruna did not attack devices with Lockdown Mode enabled.​​​​​​​​​​​​​​​​ https://cloud.google.com/blog/topics/threat-intelligence/coruna-powerful-ios-exploit-kit https://www.wired.com/story/coruna-iphone-hacking-toolkit-us-government/

Privacy

Technology Policy

Other

Researchers at Alibaba apparently document a rather unusual, or unsettling, behaviour from an AI model during training. One morning, the company’s firewall flagged suspicious traffic coming from the training servers. The team assumed a misconfiguration. They checked the logs and found something else entirely.

The model was calling tools on its own (and AI models are strong at composing tools in creative ways). Running code on its own. Making outbound connections on its own. No instruction or prompt made it do this.

Two aspects stood out. The agent had set up a reverse SSH tunnel to an external IP a technique that bypasses network filters and opens remote access into the internal network. It had started mining cryptocurrency on the company’s GPU cluster. Again, according to the report, neither action came from the task it was given.

These behaviours emerged from optimisation alone. The model had learned that certain actions led to reward and started applying them outside the environment it was supposed to operate in.

The authors write that they were "impressed by the agentic capabilities of the LLM". It's a curious way to frame what the model actually did. Behaviour that, depending on a perspective, looks less like capability and more like a serious breach potential. Or an early warning sign. https://arxiv.org/pdf/2512.24873

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Security

$4 per bug discovered by AI. AI agentic code audits are already operational in cybersecurity. $600 let discovering 100+ working privilege escalation exploits hiding in Windows kernel drivers shipped by AMD, Intel, NVIDIA, Lenovo, Dell, and IBM. Only Fujitsu patched. Everyone else’s drivers remain Microsoft-signed and vulnerable. ydinkin.substack.com/p/200-kernel-bugs-in-30-days

US Treasury just sanctioned Russian exploit broker Sergey Zelenyuk, alias "MORTENOIR", along with his St. Petersburg firm Operation Zero, his 22-year-old assistant, a Dubai shell company, a suspected Trickbot gang member, and an Uzbek associate who runs a rival exploit brokerage out of the UAE. It's the first time the U.S. has used a law specifically designed to punish theft of American trade secrets that threaten national security. Zelenyuk buys exploits for American software (cyberattack tools) and sells them to intelligence agencies outside NATO. Among his acquisitions were at least eight cyber tools stolen from a U.S. company by its own employee, Australian Peter Williams, who got millions in crypto and pleaded guilty. Sanctions include asset freezes, banking bans, investment prohibitions, and a $10 million annual credit cap. Australian steals American cyber weapons, sells to a Russian, who sells onward. Global supply chains at work? https://home.treasury.gov/news/press-releases/sb0404

A French medical software company already #GDPR fined €800,000 by the data regulator in 2024 for mishandling health data, got hacked in late 2025. Cybercriminal group breached its software used by 3,800 doctors, hitting 1,500 of them. 15.8 million administrative patient records (sometimes spanning 15 years) leaked, now freely accessible online. For 165,000 patients, that data includes free-text notes doctors typed into a "comments" field such as: HIV status, sexual orientation, religious practice, family members in prison, history of sexual violence ... The Hippocratic oath promises discretion. The software promised security. Neither delivered. https://www.franceinfo.fr/internet/securite-sur-internet/cyberattaques/quinze-millions-de-patients-concernes-1-500-medecins-vises-une-enquete-ouverte-ce-que-l-on-sait-de-la-cyberattaque-qui-a-cible-un-logiciel-medical_7833611.html

Google Sheets as a cyber intelligence weapon? Google dismantled a global cyber espionage campaign run by Chinese group UNC2814, active since 2017. 53 organizations across 42 countries. Primary targets: telecoms and government institutions. The tool: a backdoor written in C that turns Google Sheets into a command channel. Cell A1 serves as the command box, the A2:An range handles file transfers and command output, and it all runs through standard Google APIs, so to detection systems it looks like ordinary spreadsheet editing... Traffic encrypted, disguised as legitimate requests - indistinguishable from everyday network activity. On infected machines: full names, national ID numbers, dates of birth, and voter registry numbers - everything you need to track and surveil specific individuals. The Chinese Embassy responded as usual: "we firmly oppose attempts to smear China." https://cloud.google.com/blog/topics/threat-intelligence/disrupting-gridtide-global-espionage-campaign

APT37, a hacking group backed by North Korea, runs campaigns targeting computers deliberately cut off from the internet (air-gapped systems, standard practice in government and military institutions). The attack starts simply: the victim opens a shortcut file that looks like a document about the Israeli-Palestinian conflict. In the background, a chain of malicious programs installs itself, one of which disguises itself as a USB speed monitoring utility. The core of the operation: two tools turn ordinary USB drives into an espionage mailbox. One replaces files on the drive with infected copies to spread to other computers. The other uses the same drive as a two-way drop box - operators send commands in, and the drive comes back with stolen data. At the end of the chain, spyware is installed that takes screenshots, records audio from the microphone, captures video from the webcam, and logs every keystroke. The system communicates through popular cloud services (Zoho WorkDrive, Google Drive, OneDrive, and others) so that network traffic doesn't raise suspicion. https://www.zscaler.com/blogs/security-research/apt37-adds-new-capabilities-air-gapped-networks

Privacy

WebMCP proposal compares technology struggles of disabled people to the perception struggles of AI agents? As in: making the web easier to use by AI bots/agents is supposed to also help people with disabilities. Well, functionally, sure. https://github.com/webmachinelearning/webmcp/blob/main/README.md

Technology Policy

Other

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

In my book PROPAGANDA (CRC Press, 2024) I predict and describe exactly this scenario. I outline the risk of hijacking push notification infrastructure as a vector for information operations at a potentially massive scale. The mechanism: whoever controls the infrastructure that sends messages to millions of devices through a trusted platform has a ready-made propaganda distribution channel. The hacking of Iran’s BadeSaba prayer app, with 37 million installs, and the use of its notification system to deliver a PSYOP message synchronized with kinetic strikes calling on military personnel to defect: this is the realization of that scenario at a scale I described as potential and plausible. From hypothetical risk to operational use on the battlefield, it took just under two years.

The messages arrived in Persian over a 30-minute window starting at 9:52 AM Tehran time, on the tenth day of Ramadan. First: “Help has arrived!” Then calls for soldiers to lay down their weapons, with promises of amnesty. The language closely mirrored President Trump’s public messaging: immunity or consequences. The compromise of BadeSaba’s notification infrastructure could not have happened on the day of the strikes. This required pre-positioning, likely weeks or months of prior access to the app’s backend systems.

BadeSaba was not an isolated case. Several major Iranian news outlets, including IRNA, ISNA, Tabnak, Asr-e Iran and Rokna, were simultaneously hacked or taken offline. Some displayed replaced content: “A terrifying hour for the Ayatollahs’ security forces; the IRGC and Basij have suffered a crippling blow.” Independent verification during active military operations is difficult, and some of these reports may themselves be propagandistic. But the content replacement on several sites has been confirmed. The visible cyber operations almost certainly accompanied non-public offensive actions with direct operational effects. Visible and invisible operations tend to reinforce each other.

Social media amplified the information dimension far beyond Iran. Footage of missiles and drones over Dubai and the Emirates shattered perceptions of regional stability. A minor but telling detail: negative hotel reviews in the Gulf started appearing within hours. It sounds trivial, but the whole world is now watching in real time as places that marketed themselves as stable and safe turn out to be neither. European investors had been parking capital in Gulf jurisdictions for tax optimisation, banking on that stability. Now everyone has to ask a simple question: when was the last time missiles fell on a given country? For Switzerland, you need to go back to the Napoleonic Wars for a deliberate attack. For Iran and now potentially Gulf states, the answer is yesterday.

The stated objective of the campaign is regime change in Iran. The combination of air strikes, cyber warfare and information operations is a textbook case of contemporary political-military strategy. But proportionality matters. These tools alone do not dismantle a regime with redundant internal surveillance at every level. History offers no precedent for regime change achieved solely through bombardment and information operations.

Security

Some "respondents from NATO countries" consider that cyberattacks on hospitals are "acts of war." Well, they are not. NATO itself spent a decade saying a cyberattack "could" trigger Article 5 without once defining what that means - for good reasons The actual attacks mentioned, like Change Healthcare, NHS, Boston Children's Hospital, were criminal ransomware ops, not state military actions. Nobody invoked Article 5. Nobody will. Meanwhile the U.S. used cyber capabilities to during Venezuela military operation in Caracas and disable Iranian air defenses during missile strikes - real cyber offensive operations, decided without polling anyone. What 10,000 online survey respondents think about the legal classification of armed conflict changes nothing about how states behave. What's the use for such polls, even? https://www.politico.com/news/2026/02/21/poll-us-nato-cyber-warfare-00789496

Vidar infostealer exfiltrating OpenClaw AI agent configuration files. Stolen data includes: (1) openclaw.json containing gateway tokens and workspace paths, enabling remote connection to exposed instances; (2) device.json with cryptographic keys for secure pairing; (3) soul.md containing agent behavioral guidelines and ethical boundaries.

Privacy

Technology Policy

Other

AI models from OpenAI, Google, Anthropic and xAI can reproduce entire novels from memory. Researchers extracted 95.8% of Harry Potter from Claude nearly word for word. Gemini 2.5 Pro and Grok 3 didn't even require bypassing safeguards - they just kept writing. AI companies have long claimed their models "learn patterns" rather than store copies. A German court already ruled this constitutes copyright infringement. Anthropic paid $1.5bn in settlement. Cost of extracting a book? Between $2 and $120. "We don't store copies" - technically not, but 95.8% is a bit close? https://arxiv.org/pdf/2601.02671

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share

Description

Security

German intelligence and cybersecurity authorities warn of likely state-backed phishing via Signal targeting politicians, military, diplomats and journalists. Don’t reply to “support” chats, share PIN/SMS codes, scan QR codes, or accept unknown group invites. https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/praevention_wirtschafts-und_wissenschaftsschutz/2026-02-06-gemeinsame-warnmitteilung-phishing.pdf?__blob=publicationFile&v=3

Claude Desktop extensions can enable cyberthreat actors to steal sensitive data and execute arbitrary code on users’ computers by abusing unsandboxed MCP connectors and implicit trust between low-risk data sources and high-privilege local executors. https://layerxsecurity.com/blog/claude-desktop-extensions-rce/

Privacy

The Dutch Data Protection Authority is warning from risk of data breaches due to openclaw use ("and similar experimental systems". It calls it a "trojan horse" (a backdoor). Caution warranted. While it is true that early on this technology encountered plenty of challenges, it is developing rapidly. A lot of the previous week's news are no longer true today. https://www.autoriteitpersoonsgegevens.nl/actueel/ap-waarschuwt-voor-grote-beveiligingsrisicos-bij-ai-agents-zoals-openclaw

Meta is putting a “Name Tag” feature in Ray-Bans - facial recognition through the glasses’ camera. You look at someone, AI tells you who they are. The company is also working on a “super sensing” mode - the glasses record the user’s entire day, like an AI meeting note-taker. Non-stop. In an internal document, the company explicitly wrote that the timing is good because civil society groups are busy with politics and won’t cause problems. First they’ll give it to blind people, because who’s going to attack technology for the blind? I admit that! Privacy risk review procedures have been loosened. 15, 10 or even 5 years ago this would have been a major controversy. But today “AI progress” is all the rage, chic, style, and progress may require sacrifices. So it looks like there won’t be pushback? Right when the EU also wants to loosen https://www.nytimes.com/2026/02/13/technology/meta-facial-recognition-smart-glasses.html

Technology Policy

According to Estonian foreign intelligence service, DeepSeek is producing propaganda? "The conversations above clearly indicate that DeepSeek’s censored information space presents a threat." https://raport.valisluureamet.ee/2026/assets/VLA_ENG-raport_2026_WEB.pdf

Other

In case you feel it's worth it to forward this content further:

Subscribed

If you’d like to share:

Share