Daily Brief

2025-02-22 07:07:52 thehackernews CYBERCRIME Bybit Suffers Historic $1.46 Billion Crypto Theft by Lazarus Group
Cryptocurrency exchange Bybit was the victim of a record $1.46 billion heist, targeting an Ethereum cold wallet. The theft was executed via a sophisticated attack during a transfer from a cold wallet to a warm wallet, involving manipulation of the signing interface’s smart contract logic. Bybit's CEO confirmed that the rest of their cold wallets remain secure, and the incident has been reported to authorities. Security firms Elliptic and Arkham Intelligence attribute the theft to North Korea's Lazarus Group, making it the largest crypto heist in history. Independent researcher ZachXBT linked the Bybit attack to a recent hack at Phemex, suggesting a pattern or connection in the incidents. The Lazarus Group has become a dominant force in crypto heists, stealing an estimated $1.34 billion in 2024 from various sources. Google and Mandiant emphasize the increasing threat of cryptocurrency heists, highlighting challenges in preventing and tracing such attacks.
2025-02-22 05:24:26 thehackernews NATION STATE ACTIVITY OpenAI Suspends Accounts for AI-Powered Surveillance Initiatives
OpenAI has banned several accounts suspected of utilizing ChatGPT to develop an AI surveillance tool, potentially originating from China. The tool, named "Qianyue Overseas Public Opinion AI Assistant," aimed to monitor and report on anti-China protests in Western countries, sharing data with Chinese authorities. The tool utilized various AI models, including Meta's Llama, to analyze social media platforms like X, Facebook, YouTube, Instagram, Telegram, and Reddit. It was used to debug and improve software capable of monitoring discussions and gathering real-time data, focusing primarily on protests and public opinion related to China. Some of the monitored content included screenshots from social media announcing Uyghur rights protests, though the authenticity of these images remains unverified. OpenAI disrupted multiple account clusters engaging in similar abusive behaviors, highlighting a broader issue of AI tools being repurposed for malicious activities. This event underscores the increasing trend of state and non-state actors using AI technologies to enhance cyber-enabled disinformation campaigns and surveillance.
2025-02-21 18:59:38 bleepingcomputer MALWARE SpyLend Malware Tricks Users With Fake Loan Apps on Google Play
SpyLend, a malicious Android app posing as a financial tool, was downloaded over 100,000 times from Google Play, targeting users in India. The app is part of the "SpyLoan" group, which masquerades as legitimate financial services to harvest user data for predatory lending practices. Users are enticed with the promise of easy, minimal-documentation loans but are instead extorted and blackmailed using stolen personal data like contacts, SMS, and photos. Cybersecurity firm CYFIRMA identified multiple malicious variants related to this campaign, including KreditApple and PokketMe. Despite removal from Google Play, the app may continue functioning in the backend, compromising personal data on infected devices. Affected users are advised to uninstall implicated apps, reset device permissions, update passwords, and activate Google's Play Protect for enhanced security. User reviews revealed complaints about extortion practices, including threats to edit and misuse personal photos for blackmail.
2025-02-21 16:59:23 bleepingcomputer CYBERCRIME Record $1.46 Billion Stolen From Bybit's Ethereum Cold Wallet
An unknown attacker stole over $1.46 billion in cryptocurrency from Bybit's ETH cold wallet. The theft occurred during a transfer to a warm wallet, involving manipulation of the multisig cold wallet's signing interface. The attacker altered the smart contract logic to redirect the funds to an unidentified address. Bybit's other cold wallets remain secure, and the exchange's operations continue unaffected. The company is collaborating with external blockchain forensic experts to investigate and track the stolen cryptocurrency. Bybit states that it remains solvent, confirming that client assets are fully backed and that it can cover the loss. Crypto fraud investigator ZachXBT reported that the exploiter has dispersed some of the stolen ETH across multiple addresses. This incident marks the largest cryptocurrency hack in history, more than doubling the previous record.
2025-02-21 16:43:22 bleepingcomputer CYBERCRIME Over $1.46 Billion Stolen from Bybit's ETH Cold Wallet in Major Hack
Bybit, a cryptocurrency exchange, reported over $1.46 billion stolen from one of its ETH cold wallets. The theft occurred during a transfer from a cold wallet to a warm wallet when attackers manipulated the signing interface, altering smart contract logic. The security breach is currently under investigation with assistance from external blockchain forensic experts. Bybit’s CEO confirmed that other cold wallets are secure, and exchange operations continue normally. The stolen funds have already been dispersed, with 10,000 ETH moved to 48 different addresses. Bybit has called for community assistance to help track the stolen cryptocurrency. This hack represents the largest single theft in cryptocurrency history, surpassing the previous record involving Sky Mavis's Ronin network.
2025-02-21 16:18:03 thehackernews DATA BREACH Apple Halts Advanced iCloud Protection in UK Over Government Demands
Apple has discontinued its Advanced Data Protection (ADP) for iCloud users in the UK due to government demands for backdoor access to encrypted data. ADP provided end-to-end encryption for iCloud, allowing only the user's trusted devices access to encryption keys, enhancing privacy and security. The UK government's demand stems from the Investigatory Powers Act, which insists on capabilities to view fully encrypted content. Existing ADP users in the UK must manually deactivate the feature; Apple is unable to disable it automatically. With ADP’s removal, Apple will revert to standard data protection in the region, where encryption keys are stored at Apple’s data centers and accessible under law enforcement warrants. U.S. politicians have expressed concerns, urging the UK to reverse the decision to preserve privacy and maintain international cybersecurity relations. The tension highlights ongoing global debates over encryption, privacy rights, and governmental access to personal data.
2025-02-21 16:08:09 thehackernews NATION STATE ACTIVITY Analysis Reveals TopSec's Involvement in Censorship Services in China
TopSec, a Chinese cybersecurity firm, has been implicated in providing censorship-as-a-service to government bodies. A data leak reveals infrastructure details, employee work logs, and web content monitoring services aimed at enforcing censorship. SentinelOne researchers report that TopSec provides censorship services for both the public and private sectors, aligning with Chinese government initiatives. The leak includes a contract for a Cloud Monitoring Service Project for the Shanghai Public Security Bureau that tracks sensitive content. The platform monitors web content for political criticism, violence, and pornography, issuing alerts for potential censorship actions. Public documents show Shanghai Anheng Smart City Security Technology Co. Ltd. as the winner of that contract. The leaked data was analyzed from a file uploaded to VirusTotal on January 24, 2025; the origin of the leak remains undisclosed. Additional leaked data includes scripts and commands from TopSec's infrastructure management, revealing a deep link between government and private-sector cybersecurity.
2025-02-21 16:00:39 bleepingcomputer CYBERCRIME CISA Warns of Exploited Craft CMS Code Injection Vulnerability
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has identified an exploited remote code execution (RCE) vulnerability in Craft CMS, tracked as CVE-2025-23209. This high-severity vulnerability (CVSS v3 score: 8.0) affects versions 4 and 5 of Craft CMS, a platform used for developing websites and digital content. The exploitation of this security flaw relies on unauthorized access to Craft CMS's security key, which is essential for encrypting sensitive data and authentication. Once the security key is compromised, attackers can decrypt data, forge authentication tokens, or remotely inject and execute malicious code. To mitigate the risk, CISA has urged federal agencies to patch the flaw by updating to Craft CMS versions 5.5.8 or 4.13.8 before March 13, 2025. CISA also recommends deleting old security keys and generating new ones if a compromise is suspected, noting that this will render data encrypted with the old key inaccessible. In addition to CVE-2025-23209, CISA has also highlighted a critical vulnerability in Palo Alto Networks firewalls, urging similar precautions and patches by the same deadline.
2025-02-21 15:43:47 bleepingcomputer NATION STATE ACTIVITY UK Government Forces Apple to Remove iCloud Encryption
Apple has discontinued its end-to-end encryption feature for iCloud, called Advanced Data Protection (ADP), for new users in the UK. This decision was made after the UK government issued a secret order demanding backdoor access to the encrypted cloud data of Apple's users worldwide. Existing UK users currently using ADP will eventually need to disable the feature following Apple's forthcoming guidelines. Despite the change, Apple's iMessage, FaceTime, Health, and iCloud Keychain services will maintain their end-to-end encryption. Apple expressed disappointment, citing the critical need for enhanced security measures due to increasing data breaches and privacy threats. The company reaffirms its commitment to protecting user data and states that it has never allowed direct government access to its servers or created a backdoor in its products. ADP will still be available for users outside the UK, ensuring their iCloud data remains secure and can only be decrypted on trusted devices.
2025-02-21 13:07:55 thehackernews CYBERCRIME Darcula PhaaS v3 Allows Quick Cloning of Any Brand Website
Darcula phishing-as-a-service (PhaaS) platform has unveiled a new version enabling users to clone and customize any brand's website for phishing purposes. Netcraft, a cybersecurity firm, reported a significant shift in criminal capabilities, noting the ease now available for executing elaborate phishing campaigns. Over 95,000 new phishing domains associated with Darcula have been detected and blocked, along with the takedown of more than 20,000 fraudulent sites. The Darcula suite allows users to input a URL and use automation tools to replicate the HTML and design of the target brand's webpage, inserting malicious elements like fake login fields. Users can manage their phishing operations through admin dashboards, akin to legitimate SaaS products, enhancing campaign oversight and data collection capabilities. A new feature in Darcula v3 includes converting stolen credit card information into digital versions easily added to digital wallets, further facilitating illegal transactions. The updated version of Darcula is still in the internal testing phase, with delays announced by developers, indicating ongoing development and refinement of the tool.
2025-02-21 13:01:39 theregister CYBERCRIME Black Basta Ransomware Gang's Internal Chats Leaked Online
Hundreds of thousands of messages from the Black Basta ransomware gang were leaked, revealing internal conflicts and operations. The leaked chats, in Russian, detail ransom demands reaching into the tens of millions and other strategies for targeting organizations. Internal struggles were primarily driven by a figure named "Tramp," associated with major disruptions and deceitful ransom activities. Researchers highlighted the gang's meticulous selection of targets and adoption of sophisticated social engineering techniques. The leaks also exposed affiliations with other malware groups and shifts in loyalty, with some members transitioning to rival organizations. The security community is leveraging AI tools to translate and analyze the extensive data for actionable intelligence. The exposure includes sensitive details about attacks on organizations such as healthcare providers, financial institutions, and government entities.
2025-02-21 11:51:05 thehackernews MISCELLANEOUS Webinar Focuses on Enhancing Identity Security for Businesses in 2025
Today's webinar emphasized the critical risks posed by weak identity security in the rapidly evolving digital environment. Experts highlighted the challenges organizations face due to numerous user identities and outdated systems, increasing vulnerability to cyber threats. The session, "Building Resilient Identity: Reducing Security Debt in 2025," introduced effective strategies to address and mitigate these security vulnerabilities. Participants learned how to detect risks proactively, optimize existing resources, and upgrade systems to counter emerging cyber threats effectively. The webinar provided practical, immediate solutions for improving identity security, aiming to protect businesses from potential breaches and ensure uninterrupted operations. Registration was encouraged for those seeking to enhance their strategic planning and implement robust identity security frameworks for the future. The event targeted decision-makers serious about strengthening their organization's cyber defenses and preparedness for challenges beyond 2025.
2025-02-21 11:04:19 thehackernews MISCELLANEOUS The Rise and Impact of AI-Driven Information Manipulation
The pervasive use of social media has significantly increased populations' exposure to AI-curated content, impacting how news and information are perceived and consumed. AI algorithms prioritize user engagement over balanced reporting, leading to the creation of digital echo chambers where individuals are exposed primarily to agreeable viewpoints. There is a marked increase in AI-generated synthetic content, with platforms like NewsGuard identifying over 1,150 unreliable AI-generated news websites, further complicating the information landscape. AI's scalability and lack of output limits are disrupting traditional political processes and democratic engagement, making it easier for malicious actors to manipulate public opinion. Despite efforts by fact-checkers and debunking websites, AI-generated deceptions are becoming more sophisticated and harder to distinguish from authentic content. The rapid evolution of AI outpaces humans' ability to adapt their perception, necessitating new strategies in both public education and organizational security to combat misinformation. Simulating AI-powered attacks could be a proactive measure to prepare individuals and organizations to recognize and respond effectively to sophisticated misinformation campaigns.
2025-02-21 07:41:26 thehackernews NATION STATE ACTIVITY Chinese Hackers Target U.S. Telecoms Using Advanced Tactics
Cisco has identified a Chinese threat group, Salt Typhoon, exploiting a known vulnerability, CVE-2018-0171, to infiltrate major U.S. telecom networks. The hackers also utilized stolen legitimate credentials to gain initial access, although the source of these credentials remains unclear. They maintained presence within network environments for periods extending over three years, using techniques from multiple vendors. Salt Typhoon employed methods like capturing traffic related to credential details and exploiting trusted infrastructure to move laterally across networks. The group has also been observed modifying network configurations to create new local accounts and enable unauthorized remote access. A bespoke tool, JumbledPath, was actively used for capturing packets remotely on Cisco devices, clearing logs to avoid detection, and making forensic analysis challenging. Cisco noted the attacks involved the use of living-off-the-land techniques and other sophisticated methods indicating a high level of coordination characteristic of state-sponsored entities. An unrelated campaign targeting exposed Cisco devices via CVE-2018-0171 was also identified, pointing to pervasive targeting of network infrastructure.
2025-02-21 07:33:42 thehackernews CYBERCRIME CISA Warns of High-Severity Vulnerability in Craft CMS
CISA has added a critical vulnerability in Craft CMS to its KEV catalog due to active exploitation. The vulnerability, identified as CVE-2025-23209, has a high CVSS score of 8.1 and affects versions 4 and 5 of the CMS. The Craft CMS maintainers have patched the issue in versions 4.13.8 and 5.5.8. The flaw enables remote code execution through a code injection vulnerability stemming from compromised user security keys. All impacted systems should either be updated to a patched version or have their existing security keys rotated and safeguarded to mitigate the risk. An investigation into how the security keys were originally compromised is ongoing. Federal Civilian Executive Branch agencies are urged to apply the necessary patches by March 13, 2025, to protect their systems.