Hacker claims to have breached OmniGPT, leaking over 30,000 user email address, phone  numbers, and 34 million lines of chat messages. Data includes API keys, credentials, and file links.

A hacker claims to have breached **OmniGPT**, a popular AI-powered chatbot and productivity platform, exposing 30,000 user emails, phone numbers, and more than 34 million (34,270,455) lines of user conversations. The data was published on **Breach Forums** on Sunday at 10:04 AM by a hacker using the alias “Gloomer.”

The leak, as analysed by the Hackread.com research team, includes messages exchanged between users and the chatbot, as well as links to uploaded files, some of which contain credentials, billing information, and API keys. In a post accompanying the download link, Gloomer stated:

> _“This leak contains all messages between the users and the chatbot of this site, as well as all links to the files uploaded by users and also 30k user emails. You can find a lot of useful information in the messages, such as API keys and credentials. Many of the files uploaded to this site are very interesting because sometimes they contain credentials/billing information.”_

If confirmed, this breach would be one of the largest leaks of AI-generated conversation data, exposing users to identity theft, phishing scams, and financial fraud.

The hacker claiming OmniGPT breach on Breach Forums (Screenshot credit: Hackread.com)

****Sample Data: Messages, Files, and User Information****

A sample from the leaked dataset includes chat messages from users discussing technical and development topics, such as:

📌 **User: Kamil**  
_“The cut duration is not displayed correctly.”_

📌 **User: Marcus**  
_“Right now, I’m seeing it be accurate for a cut. How is it displaying incorrectly?”_

📌 **User: Javier**  
_“This comes from review.display\_data (edited).”_

Along with message logs, the leak includes file upload links to documents stored on OmniGPT’s servers, which may contain sensitive information in PDF and Document format. Some of the leaked files include:

*   **Office projects**
*   **University assignments**
*   **Market Analysis Reports**
*   **WhatsApp chat screenshots**
*   **Police verification certificates**
*   **Multiple personal and business-related documents**

_and a lot more._

Screenshot from the leaked data (Screenshot credit: Hackread.com)

****How Does OmniGPT Work****

OmniGPT integrates various advanced language models, including ChatGPT-4, Claude 3.5, Perplexity, Google Gemini, and Midjourney, into a single interface. Designed to enhance efficiency, it offers features such as data encryption, team collaboration tools, document management, image analysis, and WhatsApp integration. Pricing plans start from a free tier with basic features to a Plus plan at $16 per month, providing access to more advanced models and functionalities.

****Data Breach and GDPR****

While the hacker’s modus operandi behind the alleged breach remains unclear, the leaked data suggests that OmniGPT has a global user base, with a major portion of the exposed information belonging to users from South America, particularly Brazil; Europe, especially Italy; and Asia, including India, Pakistan, China, and Saudi Arabia.

If confirmed, this breach could present serious legal and regulatory challenges, particularly concerning **GDPR compliance in Europe**, where strict data protection laws require companies to safeguard user information and report breaches promptly. Failure to address these issues could lead to heavy fines and legal repercussions, further complicating OmniGPT’s position in the global market.

****Consequences: Identity Theft, Phishing, and API Key Exploitation****

If the hacker’s claims are accurate, this leak could pose significant cybersecurity and privacy risks for OmniGPT users. Exposed email addresses and phone numbers may lead to targeted phishing attacks or increase the risk of identity theft.

Additionally, if users shared sensitive API keys or credentials in chatbot conversations, attackers could exploit this information to gain unauthorized access to third-party services or personal accounts. Furthermore, some of the leaked files may contain billing information or confidential business data, exposing companies to financial fraud, data theft, or corporate espionage.

****OmniGPT’s Response: Silence So Far****

As of now, OmniGPT has not issued an official response regarding the alleged breach. Hackead.com has contacted OmniGPT for a response, and this article will be updated as new information becomes available.

If you have an OmniGPT account, it is important to take immediate precautions to protect your data. Start by changing your passwords, especially if you have shared any credentials or sensitive information on the platform. Enabling two-factor authentication (2FA) adds an extra layer of security against unauthorized access.

Stay alert by monitoring your emails and financial accounts for any unusual activity, such as unauthorized logins or fraudulent transactions. Be cautious of phishing attempts, as cybercriminals may use leaked email addresses to send fake messages pretending to be from OmniGPT or other trusted sources. Also, if you have used OmniGPT to process API keys, consider revoking old tokens and generating new ones to prevent unauthorized access.

This is a developing story, and we will update it as more information becomes available.

OmniGPT AI Chatbot Alleged Breach: Hacker Leaks User Data, 34M Messages

But there's plenty in it — including two zero-days — that need immediate attention.

Source: Somphop Krittayaworagul via Shutterstock

Microsoft's February security update contains substantially fewer vulnerabilities for admins to address compared to a month ago, but there's still plenty in it that requires immediate attention.

Topping the list are two zero-day vulnerabilities that attackers are actively exploiting in the wild, two more that are publicly known but not exploited yet, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of other common vulnerabilities and exposures (CVEs) with potentially severe consequences for affected organizations.

**63 CVEs, 2 Zero-Days**

In total, Microsoft released patches for 63 unique CVEs, a far cry from the massive 159 CVEs — including a startling eight zero-days — that the company disclosed in January. Microsoft assessed four of the bugs it disclosed today as being of critical severity. It rated the vast majority of the remaining bugs as important to address but of lesser severity for a variety of factors, including attack complexity and privileges required to exploit the vulnerability.

The two actively exploited zero-day bugs in this month's update are CVE-2025-21418 (CVSS score 7.8), an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), another elevation of privilege issue, this time affecting Windows Storage. Per its usual practice, Microsoft's advisories for both bugs offered no details on the exploitation activity. But security researchers had their own take on why organizations need to address the issues ASAP.

CVE-2025-21418, for instance, only enables a local exploit. That means an attacker or malicious insider must already have access to a target machine, via a phishing attack, malicious document, or other vector, said Kev Breen, senior director, cyber threat research, at Immersive Labs. Even so, such flaws are "valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access," Breen said in an emailed comment. An attacker who successfully exploits the flaw can gain SYSTEM level privileges on the affected system, he said, while recommending that organizations make the vulnerability a top priority to fix.

With CVE-2025-21391, the Windows Storage zero-day, the concern is not about the flaw enabling unauthorized data access; rather, the concern is about how attackers could exploit it to affect data integrity and availability. "Microsoft has outlined that if the attacker successfully exploited this vulnerability, they would only be able to delete targeted files on a system," said Natalie Silva, lead cyber security engineer at Immersive Labs, in an emailed comment. "Microsoft has released patches to mitigate this vulnerability. It's recommended for administrators to apply these immediately."

In a blog, researchers at Action1 described the flaw as resulting from a weakness in how Windows Storage resolves file paths and follows links. Attackers can leverage the weakness to "redirect file operations to critical system files or user data, leading to unauthorized deletion," the security vendor said.

Breen recommended that organizations also treat CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a high priority bug that needs immediate attention. When Microsoft originally disclosed the bug in December 2024, it did not have a patch available for it, making the flaw a zero-day threat. "The vulnerability allows a threat actor to steal the NTLM credentials for a victim by sending them a malicious file," Breen said. "The user doesn't have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability." Microsoft itself has assessed the vulnerability as something that threat actors are more likely to exploit

The other previously disclosed vulnerability in the February patch update is CVE-2025-21194, a security feature bypass vulnerability in Microsoft Surface.

**Critical Flaws**

The flaws that Microsoft rated as being of critical severity in this latest update are CVE-2025-21379 (CVSS Score 7.1), an RCE in the DHCP client service; CVE-2025-21177 (CVSS Score 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Windows LDAP and the only one in the set that Microsoft identified as more vulnerable to exploitation.

Interestingly, one of the flaws that Microsoft rated as critical (CVE-2025-21177) required affected customers to do nothing, but it is an issue that Microsoft has already addressed on its end. This vulnerability makes use of the newer CAR (customer action required) attribute to identify that there is no customer actions required, says Tyler Reguly, associate director security R&D at Fortra. "While these information updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday," Reguly said in an emailed comment. "One can't help but wonder if these updates should be issued outside of Patch Tuesday since they do not require customer action."

Meanwhile, the only CVE to earn a severity score of 9.0 in this month's update — (CVE-2025-21198) — is an RCE affecting Microsoft High Performance Compute (HPC) Pack. An attacker cannot exploit the flaw unless they have access to the network used to connect to the high-performance cluster, Reguly said. "This networking requirement should limit the impact of what would otherwise be a more serious vulnerability."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft's February Patch a Lighter Lift Than January's

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats.

Source: vska via Alamy Stock Photo

COMMENTARY

The Chinese-linked hacking group Salt Typhoon recently was detected lurking in major US telecommunication systems, exposing nearly every American's communications to Chinese intelligence and security services. 

In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that American citizens and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent to secure communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and regulatory obligations as they adopt new security solutions.

**Background: Salt Typhoon**

Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some parts dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.

Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States, and the Salt Typhoon campaign marks one of the most sophisticated attacks on US critical infrastructure in history. 

**Security vs. Compliance: Adopting End-to-End Encryption Technologies**

US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys at both the sender and recipient. The end result is data in transit is secure, rendering the contents of any intercepted or compromised communications indecipherable without the cryptographic key, including by Internet service providers and telecommunications companies — and foreign hackers targeting those entities.

While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries. 

In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization are to be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review. 

In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accessibility Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications restrict a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years. 

**Recommendations**

As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To appropriately navigate these risks, organizations in every sector should consider three things.

First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when considering these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls specifically configured to allow for auditing and data preservation. 

Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually establish time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such functions should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.

Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture. 

**Conclusion**

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations need to balance the security imperatives with their regulatory obligations. 

**About the Authors**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy practice group. Michael advises clients in matters involving cybersecurity, public policy, and government relations. Michael helps clients navigate the complexities of cybersecurity, data privacy and the related regulatory landscape. Michael is the co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security.

Jillian Cash, Associate, Corporate Section, Buchanan Ingersoll & Rooney

Jillian Cash is an associate Buchanan’s Corporate Section, where she focuses on a variety of corporate, transactional, and cybersecurity matters.

Kellen Carleton, Associate, Corporate Finance and Technology Group, Buchanan Ingersoll & Rooney

Kellen Carleton is an associate in Buchanan’s Corporate Finance and Technology group where he focuses on a variety of corporate, transactional, and cybersecurity matters.

Salt Typhoon's Impact on the US &amp; Beyond

Android phishing apps are the latest, critical threat for Android users, putting their passwords in danger of new, sneaky tricks of theft.

There are plenty of phish in the sea, and the latest ones have little interest in your email inbox.

In 2024, Malwarebytes detected more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called “multifactor authentication,” by prying into basic text messages sent to a device. Another 4,800 could even read information from an Android device’s “Notifications” bar to obtain the same info.

These “Android phishing apps” may sound high-tech, but they are not. They don’t crack into password managers or spy on passwords entered for separate apps. Instead, they present a modern wrapper on a classic form of theft: Phishing.

By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals. If enough victims unwittingly send their passwords, the cyber thieves may even bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

The volume of these apps and their capabilities underscore the importance of securing yourself and your devices. With vigilance, safe behavior, and some extra support, you can avoid Android phishing apps and protect your accounts from cybercriminals.

****Same trick, new delivery****

For more than a decade, phishing was often understood as an email threat. Cybercriminals would send emails disguised as legitimate communications from major businesses, such as Netflix, Uber, Instagram, Google, and more. These emails would frequently warn recipients about a problem with their accounts—a password needed to be updated, or a policy change required a login.

But when victims followed the links within these malicious emails, they’d be brought to a website that, while appearing genuine, would actually be in complete control of cybercriminals. Fooled by similar color schemes, company logos, and familiar layouts, victims would “log in” to their account by entering their username and password. In reality, those usernames and passwords would just be delivered to cybercriminals on the other side of the website.

There never was a problem with a user’s account, and there never was a real request for information from the company. Instead, the entire back-and-forth was a charade.

Over time, phishing emails have advanced—cybercriminals have stolen credit card details by posing as charities—but so, too, have phishing protections from major email providers, sending many cybercriminal efforts into people’s “spam” inboxes, where the emails are, thankfully, never retrieved.

But last year, cybercriminals focused on a new avenue for phishing. They started developing entire mobile apps on Android that could provide the same level of theft.

The lure that convinces people to download these apps varies.

Some Android phishing apps are disguised as regular videogames or utilities which may ask users to connect with a separate social media account for the primary app to function. The requests are bogus and simply a method for harvesting passwords. Other Android phishing apps pose as popular apps, including TikTok, WhatsApp, and Spotify. These decoy apps are often hosted on less popular mobile app stores, as the protections of the Google Play store often flag and remove these apps, should they ever sneak onto the marketplace.

Here, cybercriminals have again found loopholes.

Malwarebytes discovered Android phishing apps last year that do not contain any code—or programmatic “instructions”—to steal passwords. Instead, the apps merely serve ads that, if clicked, send victims to external websites that do all the cybercriminal work outside of the app. These “benign” apps have a better chance of being hosted on legitimate mobile app stores, which gives them greater visibility amongst everyday people, and thus, more chances to steal information.

Most concerning, though, is the recent development from Android phishing apps that pierces one of the strongest security practices in use today: multifactor authentication.

Multifactor authentication is a security measure offered by most major online platforms including banks, retirement systems, social media companies, email providers, and more. With multifactor authentication, a username and password are no longer enough to sign into an account. Instead, the platform will send a separate “code,” typically a six-digit number, that the user must also enter to complete the login process. This code is often sent as a text message directly to the user, who has registered their phone number with the platform.

But now, multifactor authentication codes can also be stolen by Android phishing apps.

Last year, Malwarebytes found 5,200 apps that could steal these codes either by cracking directly into certain text messages or by stealing information from a device’s “Notifications” bar, which can deliver timely summaries or prompts for many apps.

This does not make multifactor authentication useless. Instead, it emphasized a more holistic approach to cybersecurity that, at the very least, includes multifactor authentication.

****Staying safe from Android phishing apps****

Android phishing apps are simple, effective, and hard to spot to the naked eye. But there are behaviors and tools that can help keep you and your accounts safe.

To protect yourself from Android phishing apps:

*   Use mobile security software that detects and stops Android phishing apps from ever being installed on your Android device.
*   Before downloading any apps, you should look at the number of reviews. A low number of reviews may signal a decoy app.
*   Most people will only ever need to download Android apps directly from the Google Play Store. Be wary of other app stores or marketplaces, and never download a mobile app directly from a website.
*   Use a password manager to create and manage unique passwords for every single account. That way, if one password is stolen, it cannot be abused to open other online accounts.
*   Use multifactor authentication on your most sensitive accounts, including your financial, email, social media, healthcare, and government platforms (such as any accounts you use to file taxes).

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Phishing evolves beyond email to become latest Android app threat 

The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code, an attacker can steal the session of the victim by injecting malicious payload, causing High impact on confidentiality and integrity of the application.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-cpfx-964w-4jvp: Authentication bypass in @sap/approuter

Wired reported this week that a 19-year-old working for Elon Musk's so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today's story explores, the DOGE teen is a former denizen of 'The Com,' an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

_Wired_ reported this week that a 19-year-old working for **Elon Musk**‘s so-called **Department of Government Efficiency** (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today’s story explores, the DOGE teen is a former denizen of ‘**The Com**,’ an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

Since President Trump’s second inauguration, Musk’s DOGE team has gained access to a truly staggering amount of personal and sensitive data on American citizens, moving quickly to seize control over databases at the **U.S. Treasury**, the **Office of Personnel Management**, the **Department of Education**, and the **Department of Health and Human Resources**, among others.

_Wired_ first reported on Feb. 2 that one of the technologists on Musk’s crew is a 19-year-old high school graduate named **Edward Coristine**, who reportedly goes by the nickname “Big Balls” online. One of the companies Coristine founded, **Tesla.Sexy LLC**, was set up in 2021, when he would have been around 16 years old.

“Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains,” _Wired_ reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”

Mr. Coristine has not responded to requests for comment. In a follow-up story this week, _Wired_ found that someone using a Telegram handle tied to Coristine solicited a DDoS-for-hire service in 2022, and that he worked for a short time at a company that specializes in protecting customers from DDoS attacks.

A profile photo from Coristine’s WhatsApp account.

Internet routing records show that Coristine runs an Internet service provider called **Packetware** (AS400495). Also known as “**DiamondCDN**,” Packetware currently hosts tesla\[.\]sexy and diamondcdn\[.\]com, among other domains.

DiamondCDN was advertised and claimed by someone who used the nickname “**Rivage**” on several Com-based Discord channels over the years. A review of chat logs from some of those channels show other members frequently referred to Rivage as “Edward.”

From late 2020 to late 2024, Rivage’s conversations would show up in multiple Com chat servers that are closely monitored by security companies. In November 2022, Rivage could be seen requesting recommendations for a reliable and powerful DDoS-for-hire service.

Rivage made that request in the cybercrime channel “**Dstat**,” a core Com hub where users could buy and sell attack services. Dstat’s website dstat\[.\]cc was seized in 2024 as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.

Coristine’s LinkedIn profile said that in 2022 he worked at an anti-DDoS company called **Path Networks**, which _Wired_ generously described as a “network monitoring firm known for hiring reformed blackhat hackers.” _Wired_ wrote:

“At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees **Eric Taylor**, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.”

The founder of Path is a young man named **Marshal Webb**. I wrote about Webb back in 2016, in a story about a DDoS defense company he co-founded called **BackConnect Security LLC**. On September 20, 2016, KrebsOnSecurity published data showing that the company had a history of hijacking Internet address space that belonged to others.

Less than 24 hours after that story ran, KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept this site offline for nearly 4 days.

The other founder of BackConnect Security LLC was **Tucker Preston**, a Georgia man who pleaded guilty in 2020 to paying a DDoS-for-hire service to launch attacks against others.

The aforementioned Path employee Eric Taylor pleaded guilty in 2017 to charges including an attack on our home in 2013. Taylor was among several men involved in making a false report to my local police department about a supposed hostage situation at our residence in Virginia. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as “swatting.”

CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed\[dot\]su, which “doxed” dozens of public officials and celebrities by publishing the address, Social Security numbers and other personal information on the former First Lady Michelle Obama, the then-director of the FBI and the U.S. attorney general, among others. The group also swatted many of the people they doxed.

_Wired_ noted that Coristine only worked at Path for a few months in 2022, but the story didn’t mention why his tenure was so short. A screenshot shared on the website pathtruths.com includes a snippet of conversations in June 2022 between Path employees discussing Coristine’s firing.

According to that record, Path founder Marshal Webb dismissed Coristine for leaking internal documents to a competitor. Not long after Coristine’s termination, someone leaked an abundance of internal Path documents and conversations. Among other things, those chats revealed that one of Path’s technicians was a Canadian man named **Curtis Gervais** who was convicted in 2017 of perpetrating dozens of swatting attacks and fake bomb threats — including at least two attempts against our home in 2014.

A snippet of text from an internal Path chat room, wherein members discuss the reason for Coristine’s termination: Allegedly, leaking internal company information. Source: Pathtruths.com.

On May 11, 2024, Rivage posted on a Discord channel for a DDoS protection service that is chiefly marketed to members of The Com. Rivage expressed frustration with his time spent on Com-based communities, suggesting that its profitability had been oversold.

“I don’t think there’s a lot of money to be made in the com,” Rivage lamented. “I’m not buying Heztner \[servers\] to set up some com VPN.”

Rivage largely stopped posting messages on Com channels after that. _Wired_ reports that Coristine subsequently spent three months last summer working at **Neuralink**, Elon Musk’s brain implant startup.

The trouble with all this is that even if someone sincerely intends to exit The Com after years of consorting with cybercriminals, they are often still subject to personal attacks, harassment and hacking long after they have left the scene.

That’s because a huge part of Com culture involves harassing, swatting and hacking other members of the community. These internecine attacks are often for financial gain, but just as frequently they are perpetrated by cybercrime groups to exact retribution from or assert dominance over rival gangs.

Experts say it is extremely difficult for former members of violent street gangs to gain a security clearance needed to view sensitive or classified information held by the U.S. government. That’s because ex-gang members are highly susceptible to extortion and coercion from current members of the same gang, and that alone presents an unacceptable security risk for intelligence agencies.

And make no mistake: The Com is the English-language cybercriminal hacking equivalent of a violent street gang. KrebsOnSecurity has published numerous stories detailing how feuds within the community periodically spill over into real-world violence.

When Coristine’s name surfaced in _Wired_‘s report this week, members of The Com immediately took notice. In the following segment from a February 5, 2025 chat in a Com-affiliated hosting provider, members criticized Rivage’s skills, and discussed harassing his family and notifying authorities about incriminating accusations that may or may not be true.

> 2025-02-05 16:29:44 UTC vperked#0 they got this nigga on indiatimes man  
> 2025-02-05 16:29:46 UTC alexaloo#0 Their cropping is worse than AI could have done  
> 2025-02-05 16:29:48 UTC hebeatsme#0 bro who is that  
> 2025-02-05 16:29:53 UTC hebeatsme#0 yalla re talking about  
> 2025-02-05 16:29:56 UTC xewdy#0 edward  
> 2025-02-05 16:29:56 UTC .yarrb#0 rivagew  
> 2025-02-05 16:29:57 UTC vperked#0 Rivarge  
> 2025-02-05 16:29:57 UTC xewdy#0 diamondcdm  
> 2025-02-05 16:29:59 UTC vperked#0 i cant spell it  
> 2025-02-05 16:30:00 UTC hebeatsme#0 rivage  
> 2025-02-05 16:30:08 UTC .yarrb#0 yes  
> 2025-02-05 16:30:14 UTC hebeatsme#0 i have him added  
> 2025-02-05 16:30:20 UTC hebeatsme#0 hes on discord still  
> 2025-02-05 16:30:47 UTC .yarrb#0 hes focused on stroking zaddy elon  
> 2025-02-05 16:30:47 UTC vperked#0 https://en.wikipedia.org/wiki/Edward\_Coristine  
> 2025-02-05 16:30:50 UTC vperked#0 no fucking way  
> 2025-02-05 16:30:53 UTC vperked#0 they even made a wiki for him  
> 2025-02-05 16:30:55 UTC vperked#0 LOOOL  
> 2025-02-05 16:31:05 UTC hebeatsme#0 no way  
> 2025-02-05 16:31:08 UTC hebeatsme#0 hes not a good dev either  
> 2025-02-05 16:31:14 UTC hebeatsme#0 like????  
> 2025-02-05 16:31:22 UTC hebeatsme#0 has to be fake  
> 2025-02-05 16:31:24 UTC xewdy#0 and theyre saying ts  
> 2025-02-05 16:31:29 UTC xewdy#0 like ok bro  
> 2025-02-05 16:31:51 UTC .yarrb#0 now i wanna know what all the other devs are like…  
> 2025-02-05 16:32:00 UTC vperked#0 “\`Coristine used the moniker “bigballs” on LinkedIn and @Edwardbigballer on Twitter, according to The Daily Dot.\[“\`  
> 2025-02-05 16:32:05 UTC vperked#0 LOL  
> 2025-02-05 16:32:06 UTC hebeatsme#0 lmfaooo  
> 2025-02-05 16:32:07 UTC vperked#0 bro  
> 2025-02-05 16:32:10 UTC hebeatsme#0 bro  
> 2025-02-05 16:32:17 UTC hebeatsme#0 has to be fake right  
> 2025-02-05 16:32:22 UTC .yarrb#0 does it mention Rivage?  
> 2025-02-05 16:32:23 UTC xewdy#0 He previously worked for NeuraLink, a brain computer interface company led by Elon Musk  
> 2025-02-05 16:32:26 UTC xewdy#0 bro what  
> 2025-02-05 16:32:27 UTC alexaloo#0 I think your current occupation gives you a good insight of what probably goes on  
> 2025-02-05 16:32:29 UTC hebeatsme#0 bullshit man  
> 2025-02-05 16:32:33 UTC xewdy#0 this nigga got hella secrets  
> 2025-02-05 16:32:37 UTC hebeatsme#0 rivage couldnt print hello world  
> 2025-02-05 16:32:42 UTC hebeatsme#0 if his life was on the line  
> 2025-02-05 16:32:50 UTC xewdy#0 nigga worked for neuralink  
> 2025-02-05 16:32:54 UTC hebeatsme#0 bullshit  
> 2025-02-05 16:33:06 UTC Nashville Dispatch ##0000 ||@PD Ping||  
> 2025-02-05 16:33:07 UTC hebeatsme#0 must have killed all those test pigs with some bugs  
> 2025-02-05 16:33:24 UTC hebeatsme#0 ur telling me the rivage who failed to start a company  
> 2025-02-05 16:33:28 UTC hebeatsme#0 https://cdn.camp  
> 2025-02-05 16:33:32 UTC hebeatsme#0 who didnt pay for servers  
> 2025-02-05 16:33:34 UTC hebeatsme#0 ?  
> 2025-02-05 16:33:42 UTC hebeatsme#0 was too cheap  
> 2025-02-05 16:33:44 UTC vperked#0 yes  
> 2025-02-05 16:33:50 UTC hebeatsme#0 like??  
> 2025-02-05 16:33:53 UTC hebeatsme#0 it aint adding up  
> 2025-02-05 16:33:56 UTC alexaloo#0 He just needed to find his calling idiot.  
> 2025-02-05 16:33:58 UTC alexaloo#0 He found it.  
> 2025-02-05 16:33:59 UTC hebeatsme#0 bro  
> 2025-02-05 16:34:01 UTC alexaloo#0 Cope in a river dude  
> 2025-02-05 16:34:04 UTC hebeatsme#0 he cant make good money right  
> 2025-02-05 16:34:08 UTC hebeatsme#0 doge is about efficiency  
> 2025-02-05 16:34:11 UTC hebeatsme#0 he should make $1/he  
> 2025-02-05 16:34:15 UTC hebeatsme#0 $1/hr  
> 2025-02-05 16:34:25 UTC hebeatsme#0 and be whipped for better code  
> 2025-02-05 16:34:26 UTC vperked#0 prolly makes more than us  
> 2025-02-05 16:34:35 UTC vperked#0 with his dad too  
> 2025-02-05 16:34:52 UTC hebeatsme#0 time to report him for fraud  
> 2025-02-05 16:34:54 UTC hebeatsme#0 to donald trump  
> 2025-02-05 16:35:04 UTC hebeatsme#0 rivage participated in sim swap hacks in 2018  
> 2025-02-05 16:35:08 UTC hebeatsme#0 put that on his wiki  
> 2025-02-05 16:35:10 UTC hebeatsme#0 thanks  
> 2025-02-05 16:35:15 UTC hebeatsme#0 and in 2021  
> 2025-02-05 16:35:17 UTC hebeatsme#0 thanks  
> 2025-02-05 16:35:19 UTC chainofcommand#0 i dont think they’ll care tbh

Given the speed with which Musk’s DOGE team was allowed access to such critical government databases, it strains credulity that Coristine could have been properly cleared beforehand. After all, he’d recently been dismissed from a job _for allegedly leaking internal company information to outsiders_.

According to the national security adjudication guidelines (PDF) released by the **Director of National Intelligence** (DNI), eligibility determinations take into account a person’s stability, trustworthiness, reliability, discretion, character, honesty, judgement, and ability to protect classified information.

The DNI policy further states that “eligibility for covered individuals shall be granted only when facts and circumstances indicate that eligibility is clearly consistent with the national security interests of the United States, and any doubt shall be resolved in favor of national security.”

On Thursday, 25-year-old DOGE staff member **Marko Elez** resigned after being linked to a deleted social media account that advocated racism and eugenics. Elez resigned after _The Wall Street Journal_ asked the White House about his connection to the account.

“Just for the record, I was racist before it was cool,” the account posted in July. “You could not pay me to marry outside of my ethnicity,” the account wrote on X in September. “Normalize Indian hate,” the account wrote the same month, in reference to a post noting the prevalence of people from India in Silicon Valley.

Elez’s resignation came a day after the Department of Justice agreed to limit the number of DOGE employees who have access to federal payment systems. The DOJ said access would be limited to two people, Elez and **Tom Krause**, the CEO of a company called Cloud Software Group.

Earlier today, Musk said he planned to rehire Elez after **President Trump** and **Vice President JD Vance** reportedly endorsed the idea. Speaking at The White House today, Trump said he wasn’t concerned about the security of personal information and other data accessed by DOGE, adding that he was “very proud of the job that this group of young people” are doing.

A White House official told _Reuters_ on Wednesday that Musk and his engineers have appropriate security clearances and are operating in “full compliance with federal law, appropriate security clearances, and as employees of the relevant agencies, not as outside advisors or entities.”

_NPR_ reports Trump added that his administration’s cost-cutting efforts would soon turn to the Education Department and the Pentagon, “where he suggested without evidence that there could be ‘trillions’ of dollars in wasted spending within the $6.75 trillion the federal government spent in fiscal year 2024.”

GOP leaders in the Republican-controlled House and Senate have largely shrugged about Musk’s ongoing efforts to seize control over federal databases, dismantle agencies mandated by Congress, freeze federal spending on a range of already-appropriated government programs, and threaten workers with layoffs.

Meanwhile, multiple parties have sued to stop DOGE’s activities. ABC News says a federal judge was to rule today on whether DOGE should be blocked from accessing Department of Labor records, following a lawsuit alleging Musk’s team sought to illegally access highly sensitive data, including medical information, from the federal government.

At least 13 state attorney general say they plan to file a lawsuit to stop DOGE from accessing federal payment systems containing Americans’ sensitive personal information, reports _The Associated Press_.

Reuters reported Thursday that the U.S. Treasury Department had agreed not to give Musk’s team access to its payment systems while a judge is hearing arguments in a lawsuit by employee unions and retirees alleging Musk illegally searched those records.

_Ars Technica_ writes that The Department of Education (DoE) was sued Friday by a California student association demanding an “immediate stop” to DOGE’s “unlawfully” digging through student loan data to potentially dismantle the DoE.

Teen on Musk’s DOGE Team Graduated from ‘The Com’

At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure.

At Microsoft, we are committed to fostering a secure and innovative environment for our customers and users. As part of this commitment, we are thrilled to announce significant updates to our Copilot (AI) Bounty Program. These changes are designed to enhance the program’s effectiveness, incentivize broader participation, and ensure that our Copilot consumer products remain robust, safe, and secure. 

Building on our commitment to support AI researchers, we are also introducing new initiatives aimed at providing comprehensive training and resources to support aspiring AI professionals as part of Zero Day Quest. These initiatives will include workshops, access to Microsoft AI engineers, and cutting-edge research and development tools. By investing in the growth and education of AI researchers, we aim to cultivate a community of skilled professionals who can contribute to the advancement of AI technology and uphold the highest standards of security and innovation.  

**Integrating the Microsoft Vulnerability Classification for Online Services**

One of the most impactful changes to our Copilot Bounty Program is the integration of the Microsoft Vulnerability Severity Classification for Online Services (Online Services bug bar). This integration builds off our existing alignment with the Microsoft Vulnerability Severity Classification for AI Systems (AI bug bar) and establishes a clear and consistent framework for evaluating the severity of vulnerabilities discovered in our Copilot consumer products. By aligning with the Online Services Bug Bar, we ensure that all reported vulnerabilities are assessed with the same rigor and standards applied across Microsoft’s online services. This not only streamlines the evaluation process but also enhances the transparency and fairness of our bounty rewards.  

For more details on how the severity levels are classified, as defined by the Microsoft Security Response Center (MSRC) advisory rating and the Microsoft Exploitability Index, refer to the individual bug bars: Online Services bug bar and AI bug bar. 

**Incentivizing moderate severity cases**

We recognize that even moderate vulnerabilities can have significant implications for the security and reliability of our Copilot consumer products. To address this, we are introducing new incentives for moderate severity Copilot cases. Researchers who identify and report moderate severity vulnerabilities will now be eligible for bounty rewards up to $5,000. Expanding our bounty program to include Copilot reflects our ongoing commitment to security across Microsoft products and services, and we encourage researchers to help us identify and mitigate vulnerabilities.

**Expanding in-scope targets**

To further enhance the security of our Copilot consumer products, we are expanding the scope of our Copilot Bounty Program. The updated program now includes a broader range of Copilot consumer products and services, ensuring that more areas are covered and protected. This expansion provides researchers with more opportunities to contribute to the security of our Copilot ecosystem and helps us identify and mitigate potential vulnerabilities across a wider array of platforms. The in-scope targets now include: 

*   Copilot for Telegram 
    
*   Copilot for WhatsApp 
    
*   copilot.microsoft.com and copilot.ai 
    

**Join us in securing the future of Copilot** 

We believe that collaboration with the security research community is essential to maintaining the integrity and security of our Copilot consumer products. The updates to our Copilot (AI) Bounty Program reflect our ongoing commitment to this collaboration and our dedication to fostering a secure and innovative environment for all. 

We invite all security researchers, developers, and enthusiasts to join us in this mission. By participating in the Copilot (AI) Bounty Program, you can help us identify and address vulnerabilities, contribute to the security of our Copilot consumer products, and earn awards for your valuable contributions. 

Together, we can ensure that our Copilot products remain secure, safe, and innovative. Thank you for your continued support and dedication to making the digital world a safer place. 

If you have any questions about this program or any other security research incentive program, please email us at bounty@microsoft.com. 

Happy Hunting!  

_Lynn Miyashita and Madeline Eckert_

Microsoft Bounty Team

Exciting updates to the Copilot (AI) Bounty Program: Enhancing security and incentivizing innovation

Ya-moon, S. Korea’s notorious sex crime hub operating since 1990, hacked; user data leaked, exposing CSAM, exploitation, and illicit activities.

A hacker using the alias “Valerie” is claiming to have hacked Ya-moon, a notorious South Korean private pornography website and forum. According to the hacker, the hack took place in June 2024 using a zero-day vulnerability, but the details of it have only been shared earlier today.

The site, which has been operating since 1990, is infamous for hosting illicit content, including Child Sexual Abuse Material, also known as **CSAM**, hidden camera footage, revenge porn, and videos depicting rape. Its users often brag about gang rapes, the sexual exploitation of minors, and the intimidation of women into sexual acts.

Hacker on Breach Forums where data has been leaked (Screenshot credit: Hackread.com)

The hacker claims that despite multiple attempts by South Korean authorities, Interpol, and U.S. law enforcement to dismantle the site, efforts had previously failed to bring it down. Now, a massive data breach has exposed the platform’s users, including 326,000 lines of data.

****The Hack and Leaked Data****

According to the hacker, the website’s entire database and chat logs have been published online. Initially, the data was handed over to a “databroker” who leaked a small portion but then disappeared, allegedly arrested. Frustrated with the inactivity surrounding the breach, the hacker decided to release the full dataset independently.

****Key Data Exposed in the Ya-moon.com Breach****

As seen and analysed by _Hackread.com’s research team_, the leaked database includes personally identifiable information (PII) and incriminating activity logs, making this quite a sensitive leak. The dataset contains:

1: **User Identification**

*   **Usernames**
*   **IP addresses (revealing user locations)**
*   **Email addresses (52,000 – some linked to real identities)**
*   **Plain-text passwords (suggesting weak security measures)**

**2: Activity & Behavior**

*   **Date of joining the forum**
*   **Last activity timestamps (showing recent usage patterns)**
*   **Chat logs, containing discussions of illegal activities**
*   **Published content, including uploaded media and discussion posts**

**3: Private Communications**

*   **Inbox messages exchanged between users**
*   **Potential evidence of coordination or transactions**
*   **Discussions about law enforcement activity, security concerns, and evasion tactics.**

The leaked data (Screenshot credit: Hackread.com)

If verified, this could be a major blow to users who engaged in illegal activities on the platform, as law enforcement agencies could track down those involved.

****Korean-Based User Activity Revealed in the Breach****

The majority of users’ IP addresses trace back to South Korea. This confirms that Ya-moon.com is largely a domestic operation, based on South Korean users who engaged in illegal content distribution and discussions. While some may have used VPNs or proxies, many users relied on their real IP addresses, suggesting a lack of security within the forum.

This dataset could also become a crucial investigative tool for South Korean authorities, who have struggled for years to take down networks like this one. If acted upon, it may lead to important arrests and legal action against individuals involved in the platform’s criminal activities.

****South Korea and Online Sex Crimes****

South Korea has a long history of tackling online sex crimes, including high-profile cases like the **Nth Room scandal**, where perpetrators exploited victims through encrypted chatrooms. However, forums like Ya-moon.com continued to exist, exposing gaps in enforcement and digital policing.

If authorities acquire and verify the data, arrests and prosecutions could follow, similar to previous dark web takedowns like **Operation Dark HunTor** and **Playpen**. This breach may deter users from engaging in illicit activities online, knowing they can be exposed.

****Not The First Time****

This is not the first instance of hackers targeting sites linked to CSAM and other forms of abuse. **In February 2017**, Anonymous hacktivists breached Freedom Hosting II, the largest dark web hosting provider at the time, resulting in the shutdown of thousands of CSAM sites. The hosting service managed approximately **11,000 websites**, accounting for nearly 20% of all dark web sites that year.

S. Korea’s Notorious Sex Crime Hub Ya-moon Hacked, User Data Leaked

Thorsten examines last year’s CVE list and compares it to recent Talos Incident Response trends. Plus, get all the details on the new vulnerabilities disclosed by Talos’ Vulnerability Research Team.

Thursday, February 6, 2025 14:03

> “Enough Ripples, And You Change The Tide. For The Future Is Never Truly Set.” X-Men: Days of Future Past

In January, I dedicated some time to examine threat data from 2024, comparing it with the previous years to identify anomalies, spikes, and changes.  

As anticipated, the number of Common Vulnerabilities and Exposures (CVEs) rose significantly, from 29,166 in 2023 to 40,289 in 2024, marking a substantial 38% increase. Interestingly, the severity levels of the CVEs remained centered around 7-8 for both years. 

When taking a closer look at the known exploited vulnerabilities reported by the Cybersecurity and Infrastructure Security Agency (CISA), I observed that the numbers remained relatively stable, with 186 in 2024 compared to 187 in 2023. However, there was a noteworthy 36% increase for the critical vulnerabilities scored (9-10).  

There is more to uncover from this data, and the analysis is still ongoing.  

It was also time to “stack” the data of our Quarterly Incident Response Reports. The standout aspects are the initial access vectors to me. "Exploiting Public Facing Applications" and "Valid Accounts" were dominant, outperforming other methods. This serves as a timely reminder to implement (proper) MFA and other identity and access control solutions as well as patch regularly and replace end-of-life assets. 

Reflecting on CVEs, patching, initial access vectors and also lateral movement, it's important to remember that the "free" support for Windows 10 will end on October 14, 2025.  

Mark.your.calendars. Please. And plan accordingly to ensure your systems remain secure.  

**The one big thing**

Cisco Talos’ Vulnerability Research team recently disclosed three vulnerabilities in Observium, three vulnerabilities in Offis, and four vulnerabilities in Whatsup Gold.   

**Why do I care?**

Observium and WhatsUp Gold can be categorized as Network Monitoring Systems (NMS). A NMS as such holds a lot of valuable information such as Network Topology, Device Inventory, Log Files, Configuration Data and more, making them an attractive for the bad guys. 

**So now what?**

The vulnerabilities mentioned in this blog post have been patched by their respective vendors, make sure your installation is up to date. 

**Top security headlines of the week**

The Cybersecurity and Infrastructure Security Agency analyzed a patient monitor used by the Healthcare and Public Health sector and discovered an embedded backdoor. (CISA) 

Apple has released software updates to address several security flaws across its portfolio, including a zero-day vulnerability that it said has been exploited in the wild. (Hacker News) 

Nearly 100 journalists and other members of civil society using WhatsApp were targeted by a “zero-click” attack (Guardian) 

DeepSeek AI tools impersonated by infostealer malware on PyPI (Bleeping Computer) 

**Can't get enough Talos?**

*   Web shell frenzies, the first appearance of Interlock, and why hackers have the worst cybersecurity: IR Trends Q4 2024 
*   New TorNet backdoor seen in widespread campaign 

**Upcoming events where you can find Talos**

Talos team members: Martin LEE, Thorsten ROSENDAHL, Yuri KRAMARZ, Giannis TZIAKOURIS, and Vanja SVAJCER will be speaking at Cisco Live EMEA. Amsterdam, Netherlands, 9-14 February.   

S4x25 (February 10-12, 2025)  
Tampa, FL

RSA (April 28-May 1, 2025)  
San Francisco, CA

TIPS 2025 (May 14-15, 2025)  
Arlington, VA

**Most prevalent malware files from the week**

SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

MD5: 2915b3f8b703eb744fc54c81f4a9c67f 

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 

Typical Filename: VID001.exe 

Claimed Product: N/A 

Detection Name: Win.Worm.Coinminer::1201 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

MD5: 71fea034b422e4a17ebb06022532fdde 

VirusTotal: https://www.virustotal.com/gui/file/47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca 

Typical Filename: VID001.exe 

Claimed Product: n/a  

Detection Name: Coinminer:MBT.26mw.in14.Talos 

SHA256:873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f  

MD5: d86808f6e519b5ce79b83b99dfb9294d   

VirusTotal: 

https://www.virustotal.com/gui/file/873ee789a177e59e7f82d3030896b1efdebe468c2dfa02e41ef94978aadf006f 

Typical Filename: n/a  

Claimed Product: n/a   

Detection Name: Win32.Trojan-Stealer.Petef.FPSKK8   

SHA 256:7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   

MD5: ff1b6bb151cf9f671c929a4cbdb64d86   

VirusTotal: https://www.virustotal.com/gui/file/7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5  

Typical Filename: endpoint.query   

Claimed Product: Endpoint-Collector   

Detection Name: W32.File.MalParent   

SHA 256: 744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

MD5: a5e26a50bf48f2426b15b38e5894b189 

VirusTotal: https://www.virustotal.com/gui/file/744c5a6489370567fd8290f5ece7f2bff018f10d04ccf5b37b070e8ab99b3241 

Typical Filename: a5e26a50bf48f2426b15b38e5894b189.vir 

Claimed Product: N/A 

Detection Name: Win.Dropper.Generic::1201

Changing the tide: Reflections on threat data from 2024

Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

A young technologist known online as “Big Balls,” who works for Elon Musk's so-called Department of Government Efficiency (DOGE), has access to sensitive US government systems. But his professional and online history call into question whether he would pass the background check typically required to obtain security clearances, security experts tell WIRED.

Edward Coristine, a 19-year-old high school graduate, established at least five different companies in the last four years, with entities registered in Connecticut, Delaware, and the United Kingdom, most of which were not listed on his now-deleted LinkedIn profile. Coristine also briefly worked in 2022 at Path Network, a network monitoring firm known for hiring reformed blackhat hackers. Someone using a Telegram handle tied to Coristine also solicited a cyberattack-for-hire service later that year.

Coristine did not respond to multiple requests for comment.

One of the companies Coristine founded, Tesla.Sexy LLC, was set up in 2021, when he would have been around 16 years old. Coristine is listed as the founder and CEO of the company, according to business records reviewed by WIRED.

Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.

"Foreign connections, whether it's foreign contacts with friends or domain names registered in foreign countries, would be flagged by any agency during the security investigation process," Joseph Shelzi, a former US Army intelligence officer who held security clearance for a decade and managed the security clearance of other units under his command, tells WIRED.

A longtime former US intelligence analyst, who requested anonymity to speak on sensitive topics, agrees. “There's little chance that he could have passed a background check for privileged access to government systems,” they allege.

Another domain under Coristine’s control is faster.pw. The website is currently inactive, but an archived version from October 25, 2022 shows content in Chinese that stated the service helped provide “multiple encrypted cross-border networks.”

Prior to joining DOGE, Coristine worked for several months of 2024 at Elon Musk’s Neuralink brain implant startup, and, as WIRED previously reported, is now listed in Office of Personnel Management records as an “expert” at that agency, which oversees personnel matters for the federal government. Employees of the General Services Administration say he also joined calls where they were made to justify their jobs and to review code they’ve written.

Other elements of Coristine’s personal record reviewed by WIRED, government security experts say, would also raise questions about obtaining security clearances necessary to access privileged government data. These same experts further wonder about the vetting process for DOGE staff—and, given Coristine’s history, whether he underwent any such background check.

The White House did not immediately respond to questions about what level of clearance, if any, Corisitine has and, if so, how it was granted.

At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.

“If I was doing the background investigation on him, I would probably have recommended against hiring him for the work he’s doing,” says EJ Hilbert, a former FBI agent who also briefly served as the CEO of Path Network prior to Coristine’s employment there. “I’m not opposed to the idea of cleaning up the government. But I am questioning the people that are doing it.”

**Got a tip?**

_Are you a current or former US government employee? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at Andy.01 (Andy Greenberg), DavidGilbert.01 (David Gilbert), or +1 (347) 722-1347 (Lily Hay Newman)._

Potential concerns about Coristine extend beyond his work history. Archived Telegram messages shared with WIRED show that, in November 2022, a person using the handle “JoeyCrafter” posted to a Telegram channel focused on so-called distributed denial of service (DDoS) cyberattacks that bombard victim sites with junk traffic to knock them offline. In his messages, JoeyCrafter—which records from Discord, Telegram, and the networking protocol BGP indicate was a handle used by Coristine—writes that he’s “looking for a capable, powerful and reliable L7” that accepts bitcoin payments. That line, in the context of a DDoS-for-hire Telegram channel, suggests he was looking for someone who could carry out a layer-7 attack, a certain form of DDoS. A DDoS-for-hire service with the name Dstat.cc was seized in a multinational law enforcement operation last year.

The JoeyCrafter Telegram account had previously used the name “Rivage,” a name linked to Coristine on Discord and at Path, according to Path internal communications shared with WIRED. Both the Rivage Discord and Telegram accounts at times promoted Coristine’s DiamondCDN startup. It’s not clear whether the JoeyCrafter message was followed by an actual DDoS attack. (In the internal messages among Path staff, a question is asked about Rivage, at which point an individual clarifies they are speaking about “Edward.”)

"It does depend on which government agency is sponsoring your security clearance request, but everything that you've just mentioned would absolutely raise red flags during the investigative process," says Shelzi, the former US Army intelligence officer. He adds that a secret security clearance could be completed in as little as 50 days, while a top-secret security clearance could take anywhere from 90 days to a year to complete.

Coristine’s online history, including a LinkedIn account where he calls himself Big Balls, has disappeared recently. He also previously used an account on X with the username @edwardbigballer. The account had a bio that read: “Technology. Arsenal. Golden State Warriors. Space Travel.”

Prior to using the @edwardbigballer username, Coristine was linked to an account featuring the screen name “Steven French” featuring a picture of what appears to be Humpty Dumpty smoking a cigar. In multiple posts from 2020 and 2021, the account can be seen responding to posts from Musk. Coristine’s X account is currently set to private.

Davi Ottenheimer, a longtime security operations and compliance manager, says many factors about Coristine’s employment history and online footprint could raise questions about his ability to obtain security clearance.

“Limited real work experience is a risk,” says Ottenheimer, as an example. “Plus his handle is literally Big Balls.”

Tag

#sap