Technology

Security leaders warn the era of AI-driven bug hunting has arrived, with Mythos uncovering hundreds of overlooked vulnerabilities in code bases as trusted as Firefox. Are defenders ready for the avalanche of exploits and the frantic race to patch?

• A disgruntled developer discloses multiple Windows 0-days.
• Microsoft purchases its own bugs in massive campaign.
• VeraCrypt & Wireshark suddenly lost their dev accounts.
• A serious problem with re-captured domain names.
• How might AI help to secure open source repositories.
• A listener wonders what we thought of Project Hail Mary.
• Cyber security professionals tell us What Mythos Means

Show Notes - https://www.grc.com/sn/SN-1075-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• canary.tools/twit - use code: TWIT
• joindeleteme.com/twit promo code TWIT
• hoxhunt.com/securitynow
• meter.com/securitynow
• zscaler.com/security

A 24-year-old British national and senior member of the cybercrime group “Scattered Spider” has pleaded guilty to wire fraud conspiracy and aggravated identity theft. Tyler Robert Buchanan admitted his role in a series of text-message phishing attacks in the summer of 2022 that allowed the group to hack into at least a dozen major technology companies and steal tens of millions of dollars worth of cryptocurrency from investors.

Buchanan’s hacker handle “Tylerb” once graced a leaderboard in the English-language criminal hacking scene that tracked the most accomplished cyber thieves. Now in U.S. custody and awaiting sentencing, the Dundee, Scotland native is facing the possibility of more than 20 years in prison.

Two photos published in a Daily Mail story dated May 3, 2025 show Buchanan as a child (left) and as an adult being detained by airport authorities in Spain. “M&S” in this screenshot refers to Marks & Spencer, a major U.K. retail chain that suffered a ransomware attack last year at the hands of Scattered Spider.

Scattered Spider is the name given to a prolific English-speaking cybercrime group known for using social engineering tactics to break into companies and steal data for ransom, often impersonating employees or contractors to deceive IT help desks into granting access.

As part of his guilty plea, Buchanan admitted conspiring with other Scattered Spider members to launch tens of thousands of SMS-based phishing attacks in 2022 that led to intrusions at a number of technology companies, including Twilio, LastPass, DoorDash, and Mailchimp.

The group then used data stolen in those breaches to carry out SIM-swapping attacks that siphoned funds from individual cryptocurrency investors. In an unauthorized SIM-swap, crooks transfer the target’s phone number to a device they control and intercept any text messages or phone calls to the victim’s device — such as one-time passcodes for authentication and password reset links sent via SMS. The U.S. Justice Department said Buchanan admitted to stealing at least $8 million in virtual currency from individual victims throughout the United States.

FBI investigators tied Buchanan to the 2022 SMS phishing attacks after discovering the same username and email address was used to register numerous phishing domains seen in the campaign. The domain registrar NameCheap found that less than a month before the phishing spree, the account that registered those domains logged in from an Internet address in the U.K. FBI investigators said the Scottish police told them the address was leased to Buchanan throughout 2022.

As first reported by KrebsOnSecurity, Buchanan fled the United Kingdom in February 2023, after a rival cybercrime gang hired thugs to invade his home, assault his mother, and threaten to burn him with a blowtorch unless he gave up the keys to his cryptocurrency wallet. That same year, U.K. investigators found a device at Buchanan’s Scotland residence that included data stolen from SMS phishing victims and seed phrases from cryptocurrency theft victims.

Buchanan was arrested by Spanish authorities in June 2024 while trying to board a flight to Italy. He was extradited to the United States and has remained in U.S. federal custody since April 2025.

Buchanan is the second known Scattered Spider member to plead guilty. Noah Michael Urban, 21, of Palm Coast, Fla., was sentenced to 10 years in federal prison last year and ordered to pay $13 million in restitution. Three other alleged co-conspirators — Ahmed Hossam Eldin Elbadawy, 24, a.k.a. “AD,” of College Station, Texas; Evans Onyeaka Osiebo, 21, of Dallas, Texas; and Joel Martin Evans, 26, a.k.a. “joeleoli,” of Jacksonville, North Carolina – still face criminal charges.

Two other alleged Scattered Spider members will soon be tried in the United Kingdom. Owen Flowers, 18, and Thalha Jubair, 20, are facing charges related to the hacking and extortion of several large U.K. retailers, the London transit system, and healthcare providers in the United States. Both have pleaded not guilty, and their trial is slated to begin in June.

Investigators say the Scattered Spider suspects are part of a sprawling cybercriminal community online known as “The Com,” wherein hackers from different cliques boast publicly on Telegram and Discord about high-profile cyber thefts that almost invariably begin with social engineering — tricking people over the phone, email or SMS into giving away credentials that allow remote access to corporate internal networks.

One of the more popular SIM-swapping channels on Telegram has long maintained a leaderboard of the most rapacious SIM-swappers, indexed by their supposed conquests in stealing cryptocurrency. That leaderboard previously listed Buchanan’s hacker alias Tylerb at #65 (out of 100 hackers), with Urban’s moniker “Sosa” coming in at #24.

Buchanan’s sentencing hearing is scheduled for August 21, 2026. According to the Justice Department, he faces a statutory maximum sentence of 22 years in federal prison. However, any sentence the judge hands down in this case may be significantly tempered by a number of mitigating factors in the U.S. Sentencing Guidelines, including the defendant’s age, criminal history, time already served in U.S. custody, and the degree to which they cooperated with federal authorities.

As Anthropic, OpenAI, and industry giants race to outpace each other, data centers and supply chains are straining, while job markets and open-source communities feel the heat. Listen in for a roundtable on whether AI is fueling innovation, burnout, or just the next tech bubble.

• Anthropic releases Claude Opus 4.7, concedes it trails unreleased Mythos
• Nobody knows how many CVEs Anthropic's Project Glasswing has actually found
• You're About to See a Lot of Critical Software Updates. Don't Ignore Them.
• Cal.com Is Going Closed Source Because of AI
• AI anxiety is turning volatile
• Humanoid robots race past humans in Beijing half-marathon, showing rapid advances
• Snap Is Laying Off 16% of Full-Time Staff as It Embraces A.I.
• Musk v. Altman Is a Battle for OpenAI's Soul
• The Little Probe That Could: Why Voyager 1 Matters, and Why NASA Just Switched Part of It Off
• Sam Altman's project World looks to scale its human verification empire. First stop: Tinder.
• Meta Must Face Youth Addiction Lawsuit by Massachusetts, Court Rules
• Section 230 Is Dying By A Thousand Workarounds, And Massachusetts Just Added Another One
• Live Nation and Ticketmaster lose monopoly case
• Anna's Archive told to pay Spotify and record labels $322 million over unprecedented music scraping
• Roblox agrees to a $12 million settlement with Nevada
• Judge sides with creators of banned ICE trackers who allege DHS and DOJ violated their First Amendment rights
• What's the point of the App Store, if it can't protect users?
• TotalRecall Reloaded tool finds a side entrance to Windows 11's Recall database
• Google, Microsoft, Meta All Tracking You Even When You Opt Out, According to an Independent Audit
• It Is Time to Ban the Sale of Precise Geolocation
• Google Broke Its Promise to Me. Now ICE Has My Data. | Electronic Frontier Foundation
• Billionaire Netflix cofounder Reed Hastings is leaving the company
• Venture capitalist Ron Conway says he is starting treatment for a 'rare' cancer

Host: Leo Laporte

Guests: Louis Maresca, Wesley Faulkner, and Glenn Fleishman

Download or subscribe to This Week in Tech at https://twit.tv/shows/this-week-in-tech

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• NetSuite.com/TWIT
• zscaler.com/security
• expressvpn.com/twit
• shopify.com/twit
• cachefly.com/twit

We may already be living through the most consequential hundred days in cyber history, and the arrival of AI that can autonomously chain zero-day vulnerabilities into working exploits means the software industry's long-standing "ship it and patch it later" era is officially over.

Show Notes - https://www.grc.com/sn/SN-1074-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• guardsquare.com
• hoxhunt.com/securitynow
• zscaler.com/security

Microsoft today pushed software updates to fix a staggering 167 security vulnerabilities in its Windows operating systems and related software, including a SharePoint Server zero-day and a publicly disclosed weakness in Windows Defender dubbed “BlueHammer.” Separately, Google Chrome fixed its fourth zero-day of 2026, and an emergency update for Adobe Reader nixes an actively exploited flaw that can lead to remote code execution.

Redmond warns that attackers are already targeting CVE-2026-32201, a vulnerability in Microsoft SharePoint Server that allows attackers to spoof trusted content or interfaces over a network.

Mike Walters, president and co-founder of Action1, said CVE-2026-32201 can be used to deceive employees, partners, or customers by presenting falsified information within trusted SharePoint environments.

“This CVE can enable phishing attacks, unauthorized data manipulation, or social engineering campaigns that lead to further compromise,” Walters said. “The presence of active exploitation significantly increases organizational risk.”

This flaw drops alongside a separate SQL Server remote code execution vulnerability (CVE-2026-33120), notes Ryan Braunstein, manager of Security and IT at Automox.

“One bug allows an attacker to get into your SQL instance from the network,” Braundstein said. “The other lets someone already inside promote themselves to full control.”

Microsoft also addressed BlueHammer (CVE-2026-33825), a privilege escalation bug in Windows Defender. According to BleepingComputer, the researcher who discovered the flaw published exploit code for it after notifying Microsoft and growing exasperated with their response. Will Dormann, senior principal vulnerability analyst at Tharros, says he confirmed that the public BlueHammer exploit code no longer works after installing today’s patches.

Satnam Narang, senior staff research engineer at Tenable, said April marks the second-biggest Patch Tuesday ever for Microsoft. Narang also said there are indications that a zero-day flaw Adobe patched in an emergency update on April 11 — CVE-2026-34621 — has seen active exploitation since at least November 2025.

Adam Barnett, lead software engineer at Rapid7, called the patch total from Microsoft today “a new record in that category” because it includes nearly 60 browser vulnerabilities. Barnett said it might be tempting to imagine that this sudden spike was tied to the buzz around the announcement a week ago today of Project Glasswing — a much-hyped but still unreleased new AI capability from Anthropic that is reportedly quite good at finding bugs in a vast array of software.

But he notes that Microsoft Edge is based on the Chromium engine, and the Chromium maintainers acknowledge a wide range of researchers for the vulnerabilities which Microsoft republished last Friday.

“A safe conclusion is that this increase in volume is driven by ever-expanding AI capabilities,” Barnett said. “We should expect to see further increases in vulnerability reporting volume as the impact of AI models extend further, both in terms of capability and availability.”

Finally, no matter what browser you use to surf the web, it’s important to completely close out and restart the browser periodically. This is really easy to put off (especially if you have a bajillion tabs open at any time) but it’s the only way to ensure that any available updates get installed. For example, a Google Chrome update released earlier this month fixed 21 security holes, including the high-severity zero-day flaw CVE-2026-5281.

For a clickable, per-patch breakdown, check out the SANS Internet Storm Center Patch Tuesday roundup. Running into problems applying any of these updates? Leave a note about it in the comments below and there’s a decent chance someone here will pipe in with a solution.

Anthropic has built an AI model so sharp it's being withheld from the public, sparking debate over who gets access to world-changing tech and who's left behind. Hear how this "too dangerous" AI could tip the balance for the world's most powerful players. This episode unpacks the fresh moral minefields created when cutting-edge tech collides with politics, security, and human lives.

• Anthropic says its most powerful AI cyber model is too dangerous to release publicly — so it built Project Glasswing
• Sam Altman Fire Bombing Response
• OpenAI Backs Bill That Would Limit Liability for AI-Enabled Mass Deaths or Financial Disasters
• Samsung flags eightfold jump in quarterly profit as AI chip demand pumps prices
• SpaceX Posted Nearly $5 Billion Loss Last Year from AI Spending
• Trump administration plans to cut cybersecurity agency's budget by $700 million
• CPUID hijacked to serve malware as HWMonitor downloads
• GTA 6 Developer Rockstar Reportedly Hacked, Data Being Ransomed
• FBI used iPhone notification data to retrieve deleted Signal messages - 9to5Mac
• ICE acknowledges it is using powerful spyware
• Helium Is Hard to Replace
• John Deere to Pay $99 Million in Monumental Right-to-Repair Settlement
• France's government is ditching Windows for Linux, calling US tech dependence a strategic risk
• The disturbing white paper Red Hat is trying to erase from the internet
• DOJ Top Antitrust Litigators Exit After Ticketmaster Settlement
• My Quest to Solve Bitcoin's Great Mystery
• Bitcoin miners are losing $19,000 on every BTC produced as difficulty drops 7.8%
• 'Abhorrent': the inside story of the Polymarket gamblers betting millions on war

Host: Leo Laporte

Guests: Doc Rock, Jason Hiner, and Mike Elgan

Download or subscribe to This Week in Tech at https://twit.tv/shows/this-week-in-tech

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• bitwarden.com/twit
• ZipRecruiter.com/twit
• threatlocker.com/twit
• joindeleteme.com/twit promo code TWIT
• meter.com/twit

The FCC has banned all new consumer routers made outside the US, leaving networks stuck with aging, insecure hardware while blocking innovation. Find out why this sweeping move is raising eyebrows and lawsuits—and why it makes zero sense for cybersecurity.

• Will California require Linux to verify its user's age.
• Apple's iOS 26.4 requires UK users to prove their age.
• Russia chooses to use home grown 5G mobile encryption.
• Ukraine knew the webcam was installed by Russian spies.
• Google moves quantum computing "Q Day" to 2029.
• At RSA, UK's NCSC CEO warns of vibe-coded SaaS replacements.
• More information about nasty ClickFix campaigns.
• More than one in seven Reddit postings are an AI-bot.
• The story behind the LiteLLM disaster that was averted

Show Notes - https://www.grc.com/sn/SN-1073-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• meter.com/securitynow
• zscaler.com/security
• material.security
• bitwarden.com/twit
• hoxhunt.com/securitynow

Hackers linked to Russia’s military intelligence units are using known flaws in older Internet routers to mass harvest authentication tokens from Microsoft Office users, security experts warned today. The spying campaign allowed state-backed Russian hackers to quietly siphon authentication tokens from users on more than 18,000 networks without deploying any malicious software or code.

Microsoft said in a blog post today it identified more than 200 organizations and 5,000 consumer devices that were caught up in a stealthy but remarkably simple spying network built by a Russia-backed threat actor known as “Forest Blizzard.”

How targeted DNS requests were redirected at the router. Image: Black Lotus Labs.

Also known as APT28 and Fancy Bear, Forest Blizzard is attributed to the military intelligence units within Russia’s General Staff Main Intelligence Directorate (GRU). APT 28 famously compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.

Researchers at Black Lotus Labs, a security division of the Internet backbone provider Lumen, found that at the peak of its activity in December 2025, Forest Blizzard’s surveillance dragnet ensnared more than 18,000 Internet routers that were mostly unsupported, end-of-life routers, or else far behind on security updates. A new report from Lumen says the hackers primarily targeted government agencies—including ministries of foreign affairs, law enforcement, and third-party email providers.

Black Lotus Security Engineer Ryan English said the GRU hackers did not need to install malware on the targeted routers, which were mainly older Mikrotik and TP-Link devices marketed to the Small Office/Home Office (SOHO) market. Instead, they used known vulnerabilities to modify the Domain Name System (DNS) settings of the routers to include DNS servers controlled by the hackers.

As the U.K.’s National Cyber Security Centre (NCSC) notes in a new advisory detailing how Russian cyber actors have been compromising routers, DNS is what allows individuals to reach websites by typing familiar addresses, instead of associated IP addresses. In a DNS hijacking attack, bad actors interfere with this process to covertly send users to malicious websites designed to steal login details or other sensitive information.

English said the routers attacked by Forest Blizzard were reconfigured to use DNS servers that pointed to a handful of virtual private servers controlled by the attackers. Importantly, the attackers could then propagate their malicious DNS settings to all users on the local network, and from that point forward intercept any OAuth authentication tokens transmitted by those users.

DNS hijacking through router compromise. Image: Microsoft.

Because those tokens are typically transmitted only after the user has successfully logged in and gone through multi-factor authentication, the attackers could gain direct access to victim accounts without ever having to phish each user’s credentials and/or one-time codes.

“Everyone is looking for some sophisticated malware to drop something on your mobile devices or something,” English said. “These guys didn’t use malware. They did this in an old-school, graybeard way that isn’t really sexy but it gets the job done.”

Microsoft refers to the Forest Blizzard activity as using DNS hijacking “to support post-compromise adversary-in-the-middle (AiTM) attacks on Transport Layer Security (TLS) connections against Microsoft Outlook on the web domains.” The software giant said while targeting SOHO devices isn’t a new tactic, this is the first time Microsoft has seen Forest Blizzard using “DNS hijacking at scale to support AiTM of TLS connections after exploiting edge devices.”

Black Lotus Labs engineer Danny Adamitis said it will be interesting to see how Forest Blizzard reacts to today’s flurry of attention to their espionage operation, noting that the group immediately switched up its tactics in response to a similar NCSC report (PDF) in August 2025. At the time, Forest Blizzard was using malware to control a far more targeted and smaller group of compromised routers. But Adamitis said the day after the NCSC report, the group quickly ditched the malware approach in favor of mass-altering the DNS settings on thousands of vulnerable routers.

“Before the last NCSC report came out they used this capability in very limited instances,” Adamitis told KrebsOnSecurity. “After the report was released they implemented the capability in a more systemic fashion and used it to target everything that was vulnerable.”

This week's episode confronts the mounting legal battles over addictive social apps, questioning whether court rulings should reshape Instagram and YouTube's design. Explore the heated clash between user autonomy, scientific uncertainty, and the next wave of regulation.

• NASA: Artemis II
• Artemis II Live Tracker – Real-Time Orion Spacecraft Position, Speed & Trajectory
• NASA did eventually solve Artemis II's Outlook glitch
• How many products does Microsoft have named 'Copilot'? I mapped every one
• Phone-free bars and restaurants on the rise across the U.S.
• Claude Code's Source Didn't Leak. It Was Already Public for Years. | AfterPack Blog
• Anthropic essentially bans OpenClaw from Claude by making subscribers pay extra
• OpenAI acquires popular tech talk show for 'low hundreds of millions'
• The latest Ray-Ban Meta smart glasses are more customizable and expensive
• After 16 Years and $8 Billion, the Military's New GPS Software Still Doesn't Work - Slashdot
• Why the Pentagon loves Xbox controllers for laser weapons
• Iranian missile blitz takes down AWS data centers in Bahrain and Dubai — Amazon reportedly declares "hard down" status for multiple zones
• Iran's hackers go to war
• Breaking down the government's bizarre router ban
• How to turn anything into a router
• You Can't Defeat the Robots!': Baseball's AI Strike Zone Is Must-Watch Television
• Tech Companies Are Trying To Neuter Colorado's Landmark Right-to-Repair Law - Slashdot
• Delta to Tap Amazon Satellite-Internet Service for In-Flight Wi-Fi
• The IBM scientist who rewrote the rules of information just won computing's highest prize
• Chromebook Remorse: Tech Backlash at Schools Extends Beyond Phones
• ZomboCom was stolen by hacker, put up for sale, and has now been...

Host: Leo Laporte

Guests: Patrick Beja, Abrar Al-Heeti, and Iain Thomson

Download or subscribe to This Week in Tech at https://twit.tv/shows/this-week-in-tech

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• canary.tools/twit - use code: TWIT
• rippling.com/twit
• helixsleep.com/twit
• Melissa.com/twit
• expressvpn.com/twit

An elusive hacker who went by the handle “UNKN” and ran the early Russian ransomware groups GandCrab and REvil now has a name and a face. Authorities in Germany say 31-year-old Russian Daniil Maksimovich Shchukin headed both cybercrime gangs and helped carry out at least 130 acts of computer sabotage and extortion against victims across the country between 2019 and 2021.

Shchukin was named as UNKN (a.k.a. UNKNOWN) in an advisory published by the German Federal Criminal Police (the “Bundeskriminalamt” or BKA for short). The BKA said Shchukin and another Russian — 43-year-old Anatoly Sergeevitsch Kravchuk — extorted nearly $2 million euros across two dozen cyberattacks that caused more than 35 million euros in total economic damage.

Daniil Maksimovich SHCHUKIN, a.k.a. UNKN, and Anatoly Sergeevitsch Karvchuk, alleged leaders of the GandCrab and REvil ransomware groups.

Germany’s BKA said Shchukin acted as the head of one of the largest worldwide operating ransomware groups GandCrab and REvil, which pioneered the practice of double extortion — charging victims once for a key needed to unlock hacked systems, and a separate payment in exchange for a promise not to publish stolen data.

Shchukin’s name appeared in a Feb. 2023 filing (PDF) from the U.S. Justice Department seeking the seizure of various cryptocurrency accounts associated with proceeds from the REvil ransomware gang’s activities. The government said the digital wallet tied to Shchukin contained more than $317,000 in ill-gotten cryptocurrency.

The Gandcrab ransomware affiliate program first surfaced in January 2018, and paid enterprising hackers huge shares of the profits just for hacking into user accounts at major corporations. The Gandcrab team would then try to expand that access, often siphoning vast amounts of sensitive and internal documents in the process. The malware’s curators shipped five major revisions to the GandCrab code, each corresponding with sneaky new features and bug fixes aimed at thwarting the efforts of computer security firms to stymie the spread of the malware.

On May 31, 2019, the GandCrab team announced the group was shutting down after extorting more than $2 billion from victims. “We are a living proof that you can do evil and get off scot-free,” GandCrab’s farewell address famously quipped. “We have proved that one can make a lifetime of money in one year. We have proved that you can become number one by general admission, not in your own conceit.”

The REvil ransomware affiliate program materialized around the same as GandCrab’s demise, fronted by a user named UNKNOWN who announced on a Russian cybercrime forum that he’d deposited $1 million in the forum’s escrow to show he meant business. By this time, many cybersecurity experts had concluded REvil was little more than a reorganization of GandCrab.

UNKNOWN also gave an interview to Dmitry Smilyanets, a former malicious hacker hired by Recorded Future, wherein UNKNOWN described a rags-to-riches tale unencumbered by ethics and morals.

“As a child, I scrounged through the trash heaps and smoked cigarette butts,” UNKNOWN told Recorded Future. “I walked 10 km one way to the school. I wore the same clothes for six months. In my youth, in a communal apartment, I didn’t eat for two or even three days. Now I am a millionaire.”

As described in The Ransomware Hunting Team by Renee Dudley and Daniel Golden, UNKNOWN and REvil reinvested significant earnings into improving their success and mirroring practices of legitimate businesses. The authors wrote:

“Just as a real-world manufacturer might hire other companies to handle logistics or web design, ransomware developers increasingly outsourced tasks beyond their purview, focusing instead on improving the quality of their ransomware. The higher quality ransomware—which, in many cases, the Hunting Team could not break—resulted in more and higher pay-outs from victims. The monumental payments enabled gangs to reinvest in their enterprises. They hired more specialists, and their success accelerated.”

“Criminals raced to join the booming ransomware economy. Underworld ancillary service providers sprouted or pivoted from other criminal work to meet developers’ demand for customized support. Partnering with gangs like GandCrab, ‘cryptor’ providers ensured ransomware could not be detected by standard anti-malware scanners. ‘Initial access brokerages’ specialized in stealing credentials and finding vulnerabilities in target networks, selling that access to ransomware operators and affiliates. Bitcoin “tumblers” offered discounts to gangs that used them as a preferred vendor for laundering ransom payments. Some contractors were open to working with any gang, while others entered exclusive partnerships.”

REvil would evolve into a feared “big-game-hunting” machine capable of extracting hefty extortion payments from victims, largely going after organizations with more than $100 million in annual revenues and fat new cyber insurance policies that were known to pay out.

Over the July 4, 2021 weekend in the United States, REvil hacked into and extorted Kaseya, a company that handled IT operations for more than 1,500 businesses, nonprofits and government agencies. The FBI would later announce they’d infiltrated the ransomware group’s servers prior to the Kaseya hack but couldn’t tip their hand at the time. REvil never recovered from that core compromise, or from the FBI’s release of a free decryption key for REvil victims who couldn’t or didn’t pay.

Shchukin is from Krasnodar, Russia and is thought to reside there, the BKA said.

“Based on the investigations so far, it is assumed that the wanted person is abroad, presumably in Russia,” the BKA advised. “Travel behaviour cannot be ruled out.”

There is little that connects Shchukin to UNKNOWN’s various accounts on the Russian crime forums. But a review of the Russian crime forums indexed by the cyber intelligence firm Intel 471 shows there is plenty connecting Shchukin to a hacker identity called “Ger0in” who operated large botnets and sold “installs” — allowing other cybercriminals to rapidly deploy malware of their choice to thousands of PCs in one go. However, Ger0in was only active between 2010 and 2011, well before UNKNOWN’s appearance as the REvil front man.

A review of the mugshots released by the BKA at the image comparison site Pimeyes found a match on this birthday celebration from 2023, which features a young man named Daniel wearing the same fancy watch as in the BKA photos.

Images from Daniil Shchukin’s birthday party celebration in Krasnodar in 2023.

An explosive supply chain hack in Light LLM nearly unleashed catastrophic malware across millions of AI systems, and it took a coder's quick thinking to catch it before it snowballed into disaster.

• Will California require Linux to verify its user's age. • Apple's iOS 26.4 requires UK users to prove their age.
• Russia chooses to use home grown 5G mobile encryption.
• Ukraine knew the webcam was installed by Russian spies.
• Google moves quantum computing "Q Day" to 2029.
• At RSA, UK's NCSC CEO warns of vibe-coded SaaS replacements.
• More information about nasty ClickFix campaigns.
• More than one in seven Reddit postings are an AI-bot.
• The story behind the LiteLLM disaster that was averted.

Show Notes - https://www.grc.com/sn/SN-1072-Notes.pdf

Hosts: Steve Gibson and Leo Laporte

Download or subscribe to Security Now at https://twit.tv/shows/security-now.

You can submit a question to Security Now at the GRC Feedback Page.

For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6.

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• threatlocker.com/twit
• adaptivesecurity.com
• guardsquare.com
• meter.com/securitynow

Big Tech just faced a courtroom reckoning, with Meta and Google found liable for platform "addictiveness" in a social media trial that could unleash a tidal wave of lawsuits. Find out why attorneys, entrepreneurs, and everyday users are suddenly on edge.

• Social media addiction lawsuits hit Meta, Google, YouTube
• Section 230 and First Amendment implications debated after court verdicts
• Supreme Court sides with Cox; ISPs not liable for user piracy
• Elon Musk's lawsuit over X (Twitter) ad boycotts thrown out
• Anthropic versus Department of Defense: AI contracting dispute and retaliation claims
• FCC's confusing foreign-made router ban and consumer tech fallout
• Major supply chain attack: LiteLLM malware infects AI devs
• The rise (and risks) of AI agents with voice, identity, and personification
• Turing Award honors pioneers of quantum cryptography
• Antimatter on the move: CERN's oddball truck experiment
• Sci-fi and reality blur as Neal Stephenson walks away from the metaverse
• Privacy and consent worries escalate with AI-powered recordings and surveillance
• Digital shelf pricing arrives at Walmart and Kroger
• Flipper Zero: voice-controlled hacking gadget gets an AI upgrade
• Age verification laws create headaches for OS and app developers
• Official White House app called out for surveillance and security blunders
• Is AI progress barreling toward a dystopian tech future?

Host: Leo Laporte

Guests: Harper Reed, Brian McCullough, and Cathy Gellis

Download or subscribe to This Week in Tech at https://twit.tv/shows/this-week-in-tech

Join Club TWiT for Ad-Free Podcasts!
Support what you love and get ad-free audio and video feeds, a members-only Discord, and exclusive content. Join today: https://twit.tv/clubtwit

Sponsors:

• doppel.com
• outsystems.com/twit
• zscaler.com/security
• meter.com/twit
• ZipRecruiter.com/twit