XRP Ledger SDK hit by supply chain attack: Malicious NPM versions stole private keys; users urged to update…

XRP Ledger SDK hit by supply chain attack: Malicious NPM versions stole private keys; users urged to update xrpl package to 4.2.5 or 2.14.3 immediately.

A serious security breach targeting users of the XRP Ledger has been uncovered by the Aikido Intel threat detection system. Aikido’s research reveals that it was a sophisticated supply chain attack that compromised the official xrpl Node Package Manager (NPM) package, a widely utilized software development kit (SDK) for interacting with the XRP Ledger.

This malicious infiltration resulted in the introduction of a backdoor designed to steal users’ private keys, granting attackers complete control over their cryptocurrency wallets. Suspicion was raised on April 21st at 20:53 GMT+0 when five newly released versions of the xrpl package on NPM, which has over 140,000 weekly downloads, contained malicious code that did not align with the official releases on GitHub.

The compromised versions were 4.2.4, 4.2.3, 4.2.2, 4.2.1, and 2.14.2 whereas the latest legitimate version on GitHub was 4.2.0 at the time of the attack. This discrepancy raised concerns.

“The fact that these packages showed up without a matching release on GitHub is very suspicious,” Aikido’s malware researcher Charlie Eriksen revealed in the blog post shared exclusively with Hackread.com.

Further probing revealed unusual code in the src/index.ts file of version 4.2.4 of rogue packages (tagged as the latest version), which had a harmless-looking function named checkValidityOfSeed, but it led to an HTTP POST request to an unfamiliar domain, 0x9cxyz. The domain’s registration information analysis indicated it was newly created, fuelling concerns about its legitimacy.

Source: Aikido

Digging deeper, researchers discovered that checkValidityOfSeed was being called within critical functions, including the constructor of the Wallet class in src/Wallet/index.ts. This allowed the malicious code to execute when a Wallet object was instantiated within an application using the compromised xrpl package, attempting to send the user’s private key (needed to access and manage a user’s XRP funds) to the attacker’s server.

This allowed the backdoor to steal private keys “as soon as a Wallet object is instantiated.”

Researchers also noted that attackers’ methods evolved. Initial malicious versions (4.2.1 and 4.2.2) showed different modifications compared to later compromised versions. The first versions introduced malicious code into built JavaScript files, removing scripts and prettier configurations (the settings and rules that govern how the Prettier code formatter automatically formats your code) from the package.json file. Versions 4.2.3 and 4.2.4 integrated the malicious code directly into the TypeScript source code, indicating a refinement in their approach to remain undetected.

Following the disclosure of this supply chain attack, the official xrpl team released two new, clean versions of the package: 4.2.5 and 2.14.3. Users are strongly encouraged to update to these secure versions immediately to mitigate any potential risk.

Researchers also highlighted that “any seed or private key that was processed by the code has been compromised,” and hence should be considered unusable. Any cryptocurrency assets associated with them should be immediately transferred to a new, secure wallet with a newly generated private key.

Backdoor Found in Official XRP Ledger NPM Package

In this edition, Bill explores how intellectual curiosity drives success in cybersecurity, shares insights on the IAB ToyMaker’s tactics, and covers the top security headlines you need to know.

Thursday, April 24, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

"Be curious, not judgmental," Ted Lasso says, misattributing Walt Whitman. We forgive Ted because... well, he's Ted Lasso. 

If you’ve not watched the first season of Ted Lasso, there is a defining moment where Ted confronts a nefarious bully. While putting him in his place with kindness and skill, Ted refers to this quote. It’s a defining moment not only for Ted but for the secondary and tertiary characters in the scene. One of the questions that I'm asked most when public speaking is “How do I get into Talos?” For people considering a new career, it’s “How do I get into cybersecurity?” To all those questions, my answer is "Be curious, not judgmental." 

I think there is no greater skill necessary in security than intellectual curiosity. If you have that, you can learn the rest. The hiring process to get in the door at Talos is extremely challenging and the candidates are incredible. That's why when I interview candidates for various roles in Talos I rarely, if ever, fixate on a niche skillset, instead focusing on the prospective employee’s intellectual curiosity. I ask weird questions that don’t seem related to the specific job role, not in an effort to throw them off but simply because I am curious and hope that they are as well.  

_Do you like to read? Do you ever read books outside of your normal wheelhouse? What are some favorite fiction and non-fiction books? Do you have a favorite craft or hobby? How many different Linux distributions have you installed? What are your 5 favorite board games? Do you play video games, and if so, what are a few favorites from each platform and decade?_   

These kinds of questions help me identify what kind of innate curiosity that the prospective candidate possesses and from their answers we will invariably fall down a rabbit hole while my co-workers shake their heads at me in disdain.  

Beyond that, I always listen for my favorite answer: “I don’t know, but...” There’s no better answer to a very difficult question than “I don’t know, but I’d probably try X,” or “I don’t know, but I’d love to learn...” 

Barbecue sauce.

**The one big thing **

Cisco Talos has released a blog post on the initial access broker (IAB) we call “ToyMaker” — a financially-motivated threat actor. They deploy their custom-made backdoor we call “LAGTOY” and extract credentials from the victim enterprise. LAGTOY can be used to create reverse shells and execute commands on infected endpoints. 

**Why do I care? **

A compromise by LAGTOY may result in access handover to a secondary threat actor. Specifically, we’ve observed ToyMaker hand over access to Cactus, a double extortion gang who employed their own tactics, techniques and procedures (TTPs) to carry out malicious actions across the victim’s network. Our blog details a timeline with turnaround time from ToyMaker to Cactus. 

**So now what?**

Cisco Talos has released information to help ensure protection including techniques and related IOCs. Check out the blog post for full details.

**Top security headlines of the week **

**Apple says zero-day bugs exploited against ‘specific targeted individuals’ using iOS.** Apple has released new software updates across its product line to fix two security vulnerabilities, which the company said may have been actively used to hack customers running its mobile software, iOS. (TechCrunch)

**Microsoft purges millions of cloud tenants in the wake of Storm-0558.** In an effort to thwart state-sponsored activity stemming from preventable security issues, Microsoft is making significant efforts to purge inactive Azure cloud tenants and take comprehensive inventory of cloud and network assets. (DarkReading) 

**Researchers warn of critical flaw found in Erlang OTP SSH.** The vulnerability could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms. (cybersecuritydrive) 

**CISA flags actively exploited vulnerability in SonicWall SMA devices.** The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a security flaw impacting SonicWall Secure Mobile Access 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. (The Hacker News)

**Can’t get enough Talos? **

*   Talos Takes: Year in Review Special: Part 3 
*   TL,DR: Attacks on identity, and Multi Factor Authentication 
*   Unmasking the new XorDDoS controller and infrastructure

**Upcoming events where you can find Talos **

*   RSA (Apr. 28 – May 1) San Francisco, CA 
*   PIVOTcon (May 7 – 9) Malaga, Spain 
*   CTA TIPS 2025 (May 14 – 15)  Arlington, VA 
*   Cisco Connect UK & Ireland (May 20) London, UK 
*   BotConf (May 20 – 23) Angers, France 
*   Cisco Live U.S. (June 8 – 12) San Diego, CA

**Most prevalent malware files from Talos telemetry over the past week  **

**SHA256: 2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277**    
MD5: 42c016ce22ab7360fb7bc7def3a17b04    
VirusTotal: https://www.virustotal.com/gui/file/2462569cf24a5a1e313390fa3c52ed05c7f36ef759c4c8f5194348deca022277    
Typical Filename: Rainmeter-4.5.22.exe     
Detection Name: Artemis!Trojan  

**SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5**      
MD5: ff1b6bb151cf9f671c929a4cbdb64d86      
VirusTotal : https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5    
Typical Filename: endpoint.query        
Detection Name: W32.File.MalParent    

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f      
VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507      
Typical Filename: VID001.exe      
Detection Name: Win.Worm.Bitmin-9847045-0  

**SHA 256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**      
MD5: 7bdbd180c081fa63ca94f9c22c457376      
VirusTotal: https://www.virustotal.com/gui/file/a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91     
Typical Filename: IMG001.exe     
Detection Name: Win.Trojan.Miner-9835871-0

Lessons from Ted Lasso for cybersecurity success

Google is rolling out an end-to-end encrypted email feature for business customers, but it could spawn phishing attacks, particularly in non-Gmail inboxes.

Google announced at the beginning of April that it is launching a streamlined tool that will allow business users to easily send “end-to-end encrypted” emails—an effort to address the longstanding challenge of adding additional security protections to email messages. The feature is currently in beta for enterprise users to try out within their own organization. It will then expand to allow Google Workspace users to send end-to-end encrypted emails to any Gmail user. By the end of the year, the feature will allow Workspace users to send the more secure emails to any inbox. Email spam and digital fraud researchers warn, though, that while the feature will provide a new option for email privacy and security, it will also inevitably spawn new phishing attacks.

End-to-end encryption is a protection that keeps data scrambled at all times except on the sender and recipient's devices, and it is difficult to add to the historic email protocol. Mechanisms to do it are typically very complicated and costly to implement and only make sense for large organizations trying to meet specific compliance requirements. In contrast, Google's end-to-end encrypted email tool is simple to use and doesn't require significant IT overhead. The scenario that digital fraud researchers are most concerned about, though, relates to the case where a Workspace user sends an end-to-end encrypted email to a non-Gmail user.

“When the recipient is not a Gmail user, Gmail sends them an invitation to view the E2EE email in a restricted version of Gmail,” Google wrote in a blog post. “The recipient can then use a guest Google Workspace account to securely view and reply to the email.”

The fear is that scammers will take advantage of this new and more secure communication mechanism by creating fake copies of these invitations that contain malicious links, and prompt targets to enter their login credentials for their email, single sign-on services, or other accounts.

“Looking at Google's implementation, we can see it introduces a new workflow for non-Gmail users—receiving a link to view an email,” says Jérôme Segura, senior director of threat intelligence at Malwarebytes. “Users might not yet be familiar with exactly what a legitimate invitation looks like, making them more susceptible to clicking on a fake one.”

Given email's technical limitations, Google created a way for an organization's Workspace to automatically manage keys—used to descramble encrypted messages. Key management is what makes end-to-end encrypting email so difficult, so offering a solution that is easy for customers is a departure from what's currently available. The fact that the organization's Workspace controls the keys rather than storing them locally on a sender and recipient's devices does mean that the feature doesn't quite qualify as end-to-end encryption in the strictest sense of the term. But researchers say that for use cases like business compliance, the tool could still be extremely useful. And individuals who want end-to-end encrypted communications should just use a purpose-built app like Signal.

When Gmail users receive one of the new encrypted emails from a Google Workspace user, Google's extensive array of dynamic spam filters and fraud detection mechanisms will be in play to protect against spam, phishing, and rogue imposters broadly. But email users outside the Google ecosystem will also be able to receive encrypted email invitations, which makes the service available to anyone, but also will leave non-Google users to their own devices.

Scammers will prey on anything topical to generate new scams, and this threat certainly isn't unique to Google's new encrypted email feature. The invitations to view end-to-end encrypted emails will come with a warning that says, “Be careful when signing in to view this encrypted message. This message is from an external sender and is encrypted. Make sure you trust the sender and their identity provider before entering your username and password.”

“While it’s absolutely true that scammers are always looking for new ways to abuse any product, we built this particular technology with this risk in mind,” Google spokesperson Ross Richendrfer said in a statement. “The notifications users will receive in this case are very similar to Drive file sharing notifications that go out whenever someone shares a doc or file. All the protections we employ to keep scammers from capitalizing on these messages will help us protect this new class of notifications as well.”

Generations of Google Drive and Google Docs scams show, though, that it is particularly difficult to combat imposter invitations outside of Google's ecosystem. But when it comes to the new end-to-end encrypted email feature, “it was either adding a warning or not allowing this feature for non-Gmail users,” Malwarebytes's Segura says.

In fact, the new tool may offer particularly good fodder for scammers, given that Google is such a trusted organization, and targets may have heard about how end-to-end encryption is a special, gold-standard security feature.

“It's almost as if someone at Google knew this was a bad idea and asked for a warning to be added,” Malwarebytes’ Segura says. “It's quite likely fraudsters will jump on the opportunity to craft phishing emails using this exact same template, even including the original warning that will be overlooked.”

Gmail’s New Encrypted Messages Feature Opens a Door for Scams

SessionShark phishing kit bypasses Office 365 MFA by stealing session tokens. Experts warn of real-time attacks via fake…

SessionShark phishing kit bypasses Office 365 MFA by stealing session tokens. Experts warn of real-time attacks via fake login pages and Telegram alerts.

SlashNext security experts have discovered a new tool called “SessionShark” used by cyber criminals to steal login information for Microsoft Office 365. This tool can bypass multi-factor authentication (MFA), a security feature that requires a phone code in addition to a password to add another layer of security.

SlashNext’s research, shared exclusively with Hackread.com, revealed that online advertisements for SessionShark were found on secret cybercrime networks, indicating the tool was designed to steal session tokens, which are special keys that allow users to stay logged in without having to enter their password every time. Once a criminal has this token, they can get into your Office 365 account even if you have MFA turned on, because the key proves you’ve logged in.

Researchers explained that by stealing this session cookie” attackers can bypass MFA controls and access the account without needing the one-time passcode.” This makes the extra security of MFA useless in this type of attack.

The creators of SessionShark are trying to sell it to other criminals by saying it’s “for educational purposes,” but security experts say this is just a way to hide what it’s really for. It is designed to aid criminals’ success.

Source: SlashNext

For example, it can pretend to be a real Office 365 login page fooling users easily. It operates as an “adversary-in-the-middle” (AiTM) phishing kit. This means that when a victim tries to log in to Office 365 through a fake website created by SessionShark. It offers a logging panel for operators and integrates with a Telegram bot for real-time “Instant Session Capturing.” This allows threat actors to receive real-time alerts with the victim’s email, password, and session cookie the attacker secretly intercepts their username, password, and importantly, the session token, in real time.

Moreover, it works well with Cloudflare, a service that hides the real location of a website, making it harder for security teams to track down and shut down criminal operations. The tool also tries to avoid being noticed by threat intelligence systems, which are databases of known malicious websites and activities. SessionShark also allows criminals to quickly send stolen data directly to the attacker’s phone using Telegram allowing instant access.

According to SlashNext’s blog post, the way SessionShark is being sold shows a growing trend in cybercrime. Instead of just creating and using these tools themselves, criminals are now selling them to others as a service, complete with support and updates. This makes it easier for more people to carry out these kinds of attacks.

Security teams are now working to find ways to detect and block tools like SessionShark to protect users. Meanwhile, it is crucial to be very careful online, especially when entering your login information. Even with extra security like MFA, make sure you are on the real website before typing in your username and password.

New SessionShark Phishing Kit Bypasses MFA to Steal Office 365 Logins

The threat actors behind the Darcula phishing-as-a-service (PhaaS) platform have released new updates to their cybercrime suite with generative artificial intelligence (GenAI) capabilities.
"This addition lowers the technical barrier for creating phishing pages, enabling less tech-savvy criminals to deploy customized scams in minutes," Netcraft said in a fresh report shared with The Hacker News.

Darcula Adds GenAI to Phishing Toolkit, Lowering the Barrier for Cybercriminals

Hackers in the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency, and over $100K lost in…

Hackers in the Elusive Comet campaign exploit Zoom’s remote-control feature to steal cryptocurrency, and over $100K lost in social engineering scam.

A new cybercrime campaign called “Elusive Comet” is targeting professionals in the cryptocurrency space. But, instead of going after blockchain tech directly, the attackers are using Zoom’s remote-control features to gain access to targeted devices.

Cybersecurity firm Security Alliance (SEAL) broke down the details in a report published in March 2025. Security Alliance (SEAL) in March 2025.

The Elusive Comet campaign is a social engineering scam where cybercriminals impersonate legitimate figures to lure victims into Zoom meetings. They often use phishing emails or DMs on X to create a convincing scenario, posing as individuals wanting to interview the victim for a podcast or media feature by Aureon Capital, which claims to be a legitimate venture capital firm.

Once the victim accepts the Zoom invitation, the attackers manipulate their computer by requesting remote control access under the pretence of needing technical assistance or help with a presentation. They change their Zoom display name to “Zoom,” creating a false sense of trust.

Zoom remote-control request dialogue box showing Zoom as the requestor (Source: Trail of Bits)

For your information, Zoom’s remote-control feature is designed for accessibility and collaboration, allowing one participant to control another’s screen with explicit permission. When attackers gain remote control, they install malware onto the victim’s machine, often including infostealers and RATs (Remote Access Trojans), eventually obtaining unauthorized access to the compromised system, exfiltrating crucial information like cryptocurrency wallet credentials, personal data, and private keys.

The effectiveness of this attack is illustrated by the experience of Jake Gallen, CEO of Emblem Vault. Gallen lost over $100,000 in digital assets after falling victim to the Elusive Comet campaign. He agreed to a Zoom interview with a media personality and was granted remote control access following which “GOOPDATE” malware was installed, allowing the attacker to drain his cryptocurrency wallets.

> Working with @\_SEAL\_Org we were able to retrieve a malware file that was installed on my computer during a @Zoom call with a youtube personality of over 90k subs.
> 
> Below I will share details about that person, my experience, and this malicious software known as GOOPDATE ↓ https://t.co/xXoeSWLUXA
> 
> — jake (@jakegallen\_) April 14, 2025

Cybersecurity firm Trail of Bits also encountered the Elusive Comet campaign when their CEO received suspicious invitations to a fake “Bloomberg Crypto” series via Twitter. They identified the attackers’ refusal to communicate via email and the use of unofficial Calendly scheduling pages as key indicators of malicious intent.

SEAL highlighted similarities between these attacks and the notorious North Korean hacking collective Lazarus Group’s past operations but could not conclusively attribute the campaign to Lazarus.

SEAL and Trail of Bits recommend several mitigation strategies for cryptocurrency professionals to protect against cyberattacks. These include disabling Zoom’s Remote-Control feature by default and exercising extreme caution with unsolicited invitations.

Researchers also advise implementing strong authentication measures, considering alternative communication platforms like Google Meet, and restricting application controls over high-risk applications like Zoom by technically blocking remote control.

Max Gannon, Intelligence Manager at Cofense commented on the latest development, stating, “The malicious use of legitimate software is a growing trend we’ve continued to see in 2025. In this case, threat actors are leveraging legitimate Zoom and Calendly links to bypass security controls. As trusted domains, their use in this attack makes it more difficult to detect and block.”

Elusive Comet Attack: Hackers Use Zoom Remote-Control to Steal Crypto

Following the death of Pope Francis, the Vatican is preparing to organize a new conclave in less than 20 days. This is how they’ll tamp down on leaks.

In 2005, cell phones were banned for the first time during the conclave, the process by which the Catholic Church elects its new pope. Twenty years later, after the death of Pope Francis, the election process is underway again. Authorities have two priorities: to protect the integrity of those attending the meeting, and to ensure that it proceeds in strict secrecy (under penalty of excommunication and imprisonment) until the final decision is made.

By 2025, the Gendarmerie corps guarding Vatican City faces unprecedented technological challenges compared to other conclaves. Among them are artificial intelligence systems, drones, military satellites, microscopic microphones, a misinformation epidemic, and a world permanently connected and informed through social media.

The conclave is scheduled to take place approximately 20 days after the pope's death. The Vatican and the Holy See are preparing for the arrival of the cardinals who will vote for the next leader of the Catholic faith. Emergency and control bodies are also working on it with state-of-the-art technology. So far, they have not shared details about their security arrangements, but they are not inexperienced in the task of safeguarding the integrity of high-profile figures in the face of today's technological risks.

In fact, the election in 2013 of Jorge Mario Bergoglio—the real name of Pope Francis—as supreme pontiff gives some indications of the rigorous security strategies that will be presented in the next conclave.

**Signal Jammers and Device Checks**

The Vatican has internet access, but within the areas where the cardinals will reside and vote for the new pope, there will be signal jammers. The technology prevents two devices from communicating with each other through radio frequency interference. The headquarters becomes an electronic bunker. Thus, if someone were to manage to introduce a microphone, telephone, or computer, they would be unable to transmit information.

However, the possibility of administrative staff or the cardinals themselves introducing technology is remote. Authorities inspect the building for days in search of unauthorized microphones or cameras, check every permitted attendee, and double-check participants.

**Privacy Film in the Windows**

Contemporary satellites are capable of taking pictures of people's faces from space, while AI can interpret lip movements. However, since there's currently no technology to see through walls with such high resolution, the best strategy against espionage in the conclave is to close doors and windows.

During meetings and in the sleeping quarters, voters are not allowed to look outside. In addition, before the cardinals arrive, Vatican staff place opaque film over windows so that no journalist, satellite, or drone can take pictures of the interior.

**Locked-Down Vatican**

The Vatican covers only 0.44 square kilometer in area. It is the smallest nation in the world. Until 2018, it had 650 cameras monitoring its streets from an underground command center. In addition, the Vatican City Gendarmerie, which functions as a conventional police force, and the Pontifical Swiss Guard, which acts as an army, are located within the territory. While in photographs they appear to be wearing antique costumes and carrying halberds, the latter group has highly trained personnel with heavy weapons, such as machine guns, rifles, and explosives.

An estimated 200,000 people are expected to be present in the small city-state once the conclave has determined the name of Pope Francis' successor.

_This story originally appeared on_ WIRED _en Español_ _and has been translated from Spanish._

The Tech That Safeguards the Conclave’s Secrecy

Terrance, United States / California, 22nd April 2025, CyberNewsWire

**Terrance, United States / California, April 22nd, 2025, CyberNewsWire**

**Joining Criminal IP at Booth S-634 | South Expo, Moscone Center | April 28 – May 1, 2025**

Criminal IP, the global cybersecurity platform specializing in AI-powered threat intelligence and OSINT-based data analytics, will exhibit at RSAC 2025 Conference, held from April 28 to May 1 at the Moscone Center in San Francisco. The company will welcome attendees at Booth S-634 in the South Expo Hall.

**Strengthening Its Global Presence Through Proven Success**

Following its impactful debut at RSAC 2023, Criminal IP has continued to expand its international footprint, establishing partnerships with over 40 global cybersecurity leaders, including Cisco, Tenable, Fortinet, VirusTotal, and Snowflake. Returning to RSAC 2025, the company will further strengthen its position in the global security market by showcasing its latest innovations in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI).

**Elevating Threat Intelligence with ASM at RSAC**

With a presence in over 150 countries, Criminal IP has positioned itself as a trusted leader in Attack Surface Management (ASM) and Cyber Threat Intelligence (CTI). At RSAC 2025, the company will highlight how its platform empowers security teams with real-time, actionable insights to proactively detect and respond to today’s most advanced cyber threats.

**Live Demonstrations & Strategic Dialogues**

Throughout the event, Criminal IP will host live demos and interactive sessions led by the CEO, senior developers, and global product experts. Visitors will gain exclusive insights into:

*   Real-world applications of ASM for enterprise security
*   Emerging threat trends and response tactics
*   Enhancing CTI workflows with AI and automation

Attendees will experience firsthand how Criminal IP uncovers exposed assets, detects abnormal behaviors, and delivers complete visibility across digital infrastructures.

**Connecting with the Criminal IP Team**

Attendees can arrange 1:1 meetings directly at Booth S-634 or pre-book sessions in advance through the Knowledge Hub > Conference section of the Criminal IP website. The team will be available to discuss how the platform can be tailored to support diverse cybersecurity goals.

The booth will also feature exclusive giveaways and a roulette-style prize draw for all on-site attendees.

> “RSAC continues to be a vital platform for exchanging ideas around proactive security,” said Byungtak Kang, CEO of AI SPERA. “We look forward to showcasing how our ASM-powered threat intelligence helps global organizations safeguard their external attack surfaces.”

**About Criminal IP**

Criminal IP is an all-in-one AI-driven threat intelligence platform that enables organizations to detect, assess, and respond to cyber threats in real time. Powered by massive-scale OSINT data and machine learning, the platform provides complete visibility into exposed assets, suspicious behaviors, and indicators of compromise.

**Contact**

**Michael Sena**  
**AI SPERA**  
**\[email protected\]**

Criminal IP to Showcase Advanced Threat Intelligence at RSAC™ 2025

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated…

Artificial intelligence is transforming industries, but its adoption also raises ethical and cybersecurity concerns, especially in the regulated financial sector. Balancing innovation with responsibility is important as organizations harness AI’s potential while protecting data, ensuring fairness, and mitigating risks. 

Navigating this intersection of AI ethics, cybersecurity, and finance requires careful strategy.

****AI in Financial Systems****

AI has revolutionized financial systems by enhancing decision-making processes, optimizing resource allocation, and improving fraud detection capabilities. One prominent area where AI thrives is in trading and market analysis. Algorithms powered by AI can analyze massive datasets in real time, identifying trends and making predictions with remarkable accuracy. 

For example, traders often ask, Can you short futures effectively use AI? The answer lies in leveraging sophisticated machine learning models that evaluate market conditions, predict price movements, and execute trades with precision. 

However, employing AI in such high-stakes environments also brings ethical considerations, such as ensuring transparency in algorithmic decisions and addressing the potential for systemic risks caused by automation. Balancing these advancements with robust governance is essential to maintaining trust and stability in the financial sector.

****Why AI Ethics Matters****

AI Ethics emphasizes fairness, accountability, and transparency in developing and using artificial intelligence systems. It prompts questions like, “Is this decision fair?” or “What are the risks if this algorithm fails?” 

These issues are especially critical in finance, where AI-driven decisions can directly impact people’s financial well-being. Financial tools affect nearly every part of life from securing loans to managing investments making ethical practices essential. 

Financial platforms must ensure their AI systems don’t discriminate based on factors like ethnicity, gender, or socioeconomic status. For instance, algorithms used to determine creditworthiness or loan approvals should be carefully designed and tested to prevent bias. Accountability is just as important; companies need systems to evaluate their AI’s impact and correct mistakes. 

Transparency is another cornerstone of AI Ethics. Consumers should know how their data is collected, used, and analyzed. They also deserve clarity on AI-driven decisions and the reasoning behind them. By prioritizing fairness, accountability, and transparency, companies can build trust and ensure their tools serve users responsibly and equitably.

****The Financial Costs of Cyber Threats****

AI doesn’t just create opportunities; it generates risks too. Cybersecurity is a constant challenge. It’s already critical in finance, but AI raises the stakes further. Imagine someone hacking an AI-driven trading system. This could cause widespread market turmoil in minutes.

The costs don’t stop at financial losses. A data breach can damage a company’s reputation. People lose trust, and rebuilding that trust can take years. Businesses need strong security measures to protect against breaches and ensure their AI systems are strengthened.

****Finding Balance Between Tech and Security****

Innovation and security can often feel at odds. New technologies drive progress but can also create vulnerabilities, as cyber threats evolve just as quickly. Cybersecurity teams must not only respond to threats but also anticipate and address issues before they escalate. 

This challenge becomes even greater with AI-powered systems. While transformative, their complexity makes them prime targets for attacks like data poisoning, adversarial manipulation, or algorithm flaws any of which can have serious consequences. 

To secure these systems, organizations should take a layered approach: regular audits to find vulnerabilities, secure coding to reduce risks, and employee training on handling sensitive data. By acting proactively, businesses can innovate without compromising security.

****The Future of AI Responsibility****

The future of AI is tied to how well we manage its capabilities and risks. Industries must keep asking tough questions. How much control should AI have? How do we hold businesses accountable when things go wrong?

This future depends on a collaborative effort. Governments, businesses, and researchers need to work together. Clear regulations should guide how AI is developed and used. Companies should prioritize ethical practices without cutting corners in pursuit of profits. Transparency, fairness, and strong cybersecurity protocols must remain non-negotiable.

The future of AI is both exciting and daunting. While it holds immense potential to improve our lives, it also poses significant challenges that must be addressed. As we continue to integrate AI into our society, we must do so with caution and responsibility.

We must continue having open discussions about the ethical implications of AI and actively work towards creating regulations and guidelines that prioritize human well-being. We must also hold businesses accountable for their actions and ensure that they uphold ethical practices in the development and use of AI.

(Image by Gerd Altmann from Pixabay)

AI Ethics, Cybersecurity and Finance: Navigating the Intersection

A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk's Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.

A security architect with the **National Labor Relations Board** (NLRB) alleges that employees from **Elon Musk**‘s **Department of Government Efficiency** (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.

The cover letter from Berulis’s whistleblower statement, sent to the leaders of the Senate Select Committee on Intelligence.

The allegations came in an April 14 letter to the Senate Select Committee on Intelligence, signed by **Daniel J. Berulis**, a 38-year-old security architect at the NLRB.

**NPR**, which was the first to report on Berulis’s whistleblower complaint, says NLRB is a small, independent federal agency that investigates and adjudicates complaints about unfair labor practices, and stores “reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.”

The complaint documents a one-month period beginning March 3, during which DOGE officials reportedly demanded the creation of all-powerful “tenant admin” accounts in NLRB systems that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.

Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.

Berulis writes that on March 3, a black SUV accompanied by a police escort arrived at his building — the NLRB headquarters in Southeast Washington, D.C. The DOGE staffers did not speak with Berulis or anyone else in NLRB’s IT staff, but instead met with the agency leadership.

“Our acting chief information officer told us not to adhere to standard operating procedure with the DOGE account creation, and there was to be no logs or records made of the accounts created for DOGE employees, who required the highest level of access,” Berulis wrote of their instructions after that meeting.

“We have built in roles that auditors can use and have used extensively in the past but would not give the ability to make changes or access subsystems without approval,” he continued. “The suggestion that they use these accounts was not open to discussion.”

Berulis found that on March 3 one of the DOGE accounts created an opaque, virtual environment known as a “container,” which can be used to build and run programs or scripts without revealing its activities to the rest of the world. Berulis said the container caught his attention because he polled his colleagues and found none of them had ever used containers within the NLRB network.

Berulis said he also noticed that early the next morning — between approximately 3 a.m. and 4 a.m. EST on Tuesday, March 4  — there was a large increase in outgoing traffic from the agency. He said it took several days of investigating with his colleagues to determine that one of the new accounts had transferred approximately 10 gigabytes worth of data from the NLRB’s **NxGen** case management system.

Berulis said neither he nor his co-workers had the necessary network access rights to review which files were touched or transferred — or even where they went. But his complaint notes the NxGen database contains sensitive information on unions, ongoing legal cases, and corporate secrets.

“I also don’t know if the data was only 10gb in total or whether or not they were consolidated and compressed prior,” Berulis told the senators. “This opens up the possibility that even more data was exfiltrated. Regardless, that kind of spike is extremely unusual because data almost never directly leaves NLRB’s databases.”

Berulis said he and his colleagues grew even more alarmed when they noticed nearly two dozen login attempts from a Russian Internet address (83.149.30,186) that presented valid login credentials for a DOGE employee account — one that had been created just minutes earlier. Berulis said those attempts were all blocked thanks to rules in place that prohibit logins from non-U.S. locations.

“Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating,” Berulis wrote. “There were more than 20 such attempts, and what is particularly concerning is that many of these login attempts occurred within 15 minutes of the accounts being created by DOGE engineers.”

According to Berulis, the naming structure of one Microsoft user account connected to the suspicious activity suggested it had been created and later deleted for DOGE use in the NLRB’s cloud systems: “**DogeSA\_2d5c3e0446f9@nlrb.microsoft.com**.” He also found other new Microsoft cloud administrator accounts with nonstandard usernames, including “**Whitesox, Chicago M.**” and “**Dancehall, Jamaica R**.”

A screenshot shared by Berulis showing the suspicious user accounts.

On March 5, Berulis documented that a large section of logs for recently created network resources were missing, and a network watcher in **Microsoft Azure** was set to the “off” state, meaning it was no longer collecting and recording data like it should have.

Berulis said he discovered someone had downloaded three external code libraries from **GitHub** that neither NLRB nor its contractors ever use. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.

The complaint alleges that by March 17 it became clear the NLRB no longer had the resources or network access needed to fully investigate the odd activity from the DOGE accounts, and that on March 24, the agency’s associate chief information officer had agreed the matter should be reported to **US-CERT**. Operated by the Department of Homeland Security’s **Cybersecurity and Infrastructure Security Agency** (CISA), US-CERT provides on-site cyber incident response capabilities to federal and state agencies.

But Berulis said that between April 3 and 4, he and the associate CIO were informed that “instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report.” Berulis said it was at this point he decided to go public with his findings.

An email from Daniel Berulis to his colleagues dated March 28, referencing the unexplained traffic spike earlier in the month and the unauthorized changing of security controls for user accounts.

**Tim Bearese**, the NLRB’s acting press secretary, told NPR that DOGE neither requested nor received access to its systems, and that “the agency conducted an investigation after Berulis raised his concerns but ‘determined that no breach of agency systems occurred.'” The NLRB did not respond to questions from KrebsOnSecurity.

Nevertheless, Berulis has shared a number of supporting screenshots showing agency email discussions about the unexplained account activity attributed to the DOGE accounts, as well as NLRB security alerts from Microsoft about network anomalies observed during the timeframes described.

As **CNN** reported last month, the NLRB has been effectively hobbled since **President Trump** fired three board members, leaving the agency without the quorum it needs to function.

“Despite its limitations, the agency had become a thorn in the side of some of the richest and most powerful people in the nation — notably Elon Musk, Trump’s key supporter both financially and arguably politically,” CNN wrote.

Both **Amazon** and Musk’s **SpaceX** have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.

Berulis shared screenshots with KrebsOnSecurity showing that on the day the NPR published its story about his claims (April 14), the deputy CIO at NLRB sent an email stating that administrative control had been removed from all employee accounts. Meaning, suddenly none of the IT employees at the agency could do their jobs properly anymore, Berulis said.

An email from the NLRB’s associate chief information officer Eric Marks, notifying employees they will lose security administrator privileges.

Berulis shared a screenshot of an agency-wide email dated April 16 from NLRB director **Lasharn Hamilton** saying DOGE officials had requested a meeting, and reiterating claims that the agency had no prior “official” contact with any DOGE personnel. The message informed NLRB employees that two DOGE representatives would be detailed to the agency part-time for several months.

An email from the NLRB Director Lasharn Hamilton on April 16, stating that the agency previously had no contact with DOGE personnel.

Berulis told KrebsOnSecurity he was in the process of filing a support ticket with Microsoft to request more information about the DOGE accounts when his network administrator access was restricted. Now, he’s hoping lawmakers will ask Microsoft to provide more information about what really happened with the accounts.

“That would give us way more insight,” he said. “Microsoft has to be able to see the picture better than we can. That’s my goal, anyway.”

Berulis’s attorney told lawmakers that on April 7, while his client and legal team were preparing the whistleblower complaint, someone physically taped a threatening note to Mr. Berulis’s home door with photographs — taken via drone — of him walking in his neighborhood.

“The threatening note made clear reference to this very disclosure he was preparing for you, as the proper oversight authority,” reads a preface by Berulis’s attorney **Andrew P. Bakaj**. “While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems.”

Berulis said the response from friends, colleagues and even the public has been largely supportive, and that he doesn’t regret his decision to come forward.

“I didn’t expect the letter on my door or the pushback from \[agency\] leaders,” he said. “If I had to do it over, would I do it again? Yes, because it wasn’t really even a choice the first time.”

For now, Mr. Berulis is taking some paid family leave from the NLRB. Which is just as well, he said, considering he was stripped of the tools needed to do his job at the agency.

“They came in and took full administrative control and locked everyone out, and said limited permission will be assigned on a need basis going forward” Berulis said of the DOGE employees. “We can’t really do anything, so we’re literally getting paid to count ceiling tiles.”

Further reading: Berulis’s complaint (PDF).

Tag

#intel