CISO Talk by James Azar
CyberHub Podcast
Instagram Denies 17M Account Breach, $26M Crypto Stolen from Truebit, and BreachForums Database Leaked Exposing 324K Users


Meta Dismisses Instagram 17M Account Leak as Combo List, Truebit Loses $26.4M to Smart Contract Exploit, BreachForums' Own Database Exposed Including Private Messages, and VMware Zero-Day Exploitation Revealed to Predate Disclosure by a Year

Good Morning Security Gang

Boy, what a Monday! Getting ready for this morning’s show was… entertaining, to say the least. There was just too much happening; we had to narrow it down to the biggest stories shaping cybersecurity this week.

We’re talking Instagram denying claims of a 17-million-account leak, $26 million stolen in a TrueBit DeFi heist, BreachForums’ user database leaking with 324,000 accounts exposed, and a VMware zero-day exploit that attackers weaponized a full year before disclosure, reportedly linked to China. Plus, we’ve got North Korea’s new QR phishing campaign, a critical Trend Micro patch, a France–Russia prisoner swap tied to ransomware, Europol’s takedown of the Black Axe syndicate, and a new Deputy Director at the NSA.

So grab that espresso. I’m on a double this morning (not Lavazza today, trying something new).

Coffee cup cheers, y’all. Let’s dive right in.

Instagram Denies Breach Amid 17M Account Leak Claims

Hackers claim to have leaked data from 17 million Instagram accounts, but Meta, Instagram’s parent company, denies any breach, stating there’s “no evidence of platform compromise.”

This isn’t the first time threat actors have recycled or bundled data into so-called “combo lists,” blending old leaks with new phishing bait. In reality, these lists are usually assembled from earlier breaches and infostealer logs, then used for credential stuffing, which only works because people reuse the same password across multiple sites.

As I said on the show:

“Threat actors dabble in crime, not truth. Every rehashed leak is a hustle.”

For companies using Instagram or Meta for brand marketing, this is a wake-up call:

  • Reset compromised passwords and block reuse.

  • Enforce phishing-resistant MFA on all Meta Business accounts.

  • Monitor for token abuse or new device logins tied to brand managers.

Even if the claim is exaggerated, 1% accuracy on 17 million records is still 170,000 working credentials, which is more than enough to cause trouble for a brand.

$26 Million Stolen in TrueBit Crypto Heist

TrueBit, a Delaware-based DeFi project, confirmed a $26.4 million crypto theft: attackers drained 8,535 ETH by exploiting smart contract flaws and governance loopholes.

Chainalysis data shows this attack contributes to the $3.4 billion in crypto stolen in 2025, with $2 billion tied to North Korean threat actors.

My advice? Treat DeFi platforms like software: code risk equals capital risk.
Use hardware wallets, limit exposure to new protocols, and avoid storing funds in contracts that lack formal audits.

As I said bluntly: “DeFi is still finance without the ‘Fi’ — you’re trusting math, and math doesn’t have customer support.”

BreachForums Database Leaks — 324K Criminals Doxxed

The infamous BreachForums hacking community — ironically — got hacked. The stolen database of 324,000 user accounts is now circulating online, including hashed passwords, emails, and private messages.

Even cybercriminals apparently reuse passwords, proving that operational security fails on both sides of the law.

Researchers found three files in the dump — shinyhunters.rs, storyofjames.sql, and bridgeforms.pgp — each mapping users, keys, and post logs. While some speculate rival gangs were involved, this leak likely came from an insider or misconfigured server.

For law enforcement, it’s a goldmine of attribution data. For defenders, it’s a reminder: criminal forums are just as vulnerable as the targets they exploit.

China Exploited VMware Zero-Day a Year Before Disclosure

Post-mortem reports reveal that a Chinese state-linked APT exploited three VMware zero-days (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226) nearly a year before they were publicly disclosed and patched in March 2025.

These are flaws in ESXi, Workstation, and Fusion that let an attacker with admin rights inside a guest VM break out to the hypervisor. Chained with valid credentials, they gave the attackers persistence and lateral movement across ESXi and vCenter environments, along with stealthy data exfiltration.

If you manage VMware infrastructure:

  • Patch to fixed builds, and run only supported versions.

  • Hide management planes behind VPN or IP allowlists.

  • Rotate vCenter service credentials and certificates.

  • Hunt for snapshot bursts, rogue admins, or encryption anomalies.

As I put it: "The Chinese have patience. They play the long game and we have to be able to go and threat hunt for it as well... You'll patch VMware and you'll assume they're out, but they could have just as easily known that now that everyone is patching, they've already built another place to go and live off the land."

China plays the long game — exploiting quietly and persisting for years. Don’t patch reactively; threat hunt proactively.
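The hunt advice above (snapshot bursts, rogue admins) is easy to state and fiddly to write. Here is one way to do it over an exported event stream, as an added example that is not code from the original post or from VMware. The log format is a constructed simplification (timestamp|event type|acting user|target); the event type names, account names, thresholds and admin allowlist are assumptions for the demo, and the sample lines are made up.

```python
"""Hunt vCenter-style events for snapshot bursts and rogue admin grants.

Added example, not code from the original post or from VMware. The log format
is a constructed simplification (timestamp|event type|acting user|target);
the event type names, user names and allowlist are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: a backup job behaving normally, then an
# interactive user snapshotting six servers in two minutes and handing
# an Admin role to a service account.
SAMPLE_EVENTS = """\
2025-02-03T01:02:11|VmSnapshotCreatedEvent|VSPHERE.LOCAL\\svc-backup|db-01
2025-02-03T01:02:40|VmSnapshotCreatedEvent|VSPHERE.LOCAL\\svc-backup|db-02
2025-02-03T02:15:09|UserLoginSessionEvent|CORP\\jdoe|vcenter-01
2025-02-03T02:17:52|VmSnapshotCreatedEvent|CORP\\jdoe|dc-01
2025-02-03T02:18:03|VmSnapshotCreatedEvent|CORP\\jdoe|dc-02
2025-02-03T02:18:20|VmSnapshotCreatedEvent|CORP\\jdoe|fileserver-01
2025-02-03T02:18:44|VmSnapshotCreatedEvent|CORP\\jdoe|sql-01
2025-02-03T02:19:07|VmSnapshotCreatedEvent|CORP\\jdoe|sql-02
2025-02-03T02:19:30|VmSnapshotCreatedEvent|CORP\\jdoe|erp-01
2025-02-03T02:31:18|PermissionAddedEvent|CORP\\jdoe|role=Admin;principal=CORP\\svc-monitor
2025-02-03T03:05:00|PermissionAddedEvent|VSPHERE.LOCAL\\administrator|role=ReadOnly;principal=CORP\\auditor
"""

SNAPSHOT_EVENT = "VmSnapshotCreatedEvent"     # assumed event type name
PERMISSION_EVENT = "PermissionAddedEvent"     # assumed event type name
BURST_THRESHOLD = 5                           # this many snapshots by one user ...
BURST_WINDOW = timedelta(minutes=10)          # ... inside this window is a burst
ADMIN_ROLES = {"Admin", "Administrator"}
KNOWN_ADMINS = {"VSPHERE.LOCAL\\administrator", "CORP\\vmware-admins"}  # assumed allowlist


def parse_events(text):
    """Parse 'ts|type|user|target' lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, target = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "type": etype,
                       "user": user, "target": target})
    return events


def find_snapshot_bursts(events, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Sliding window per user: report the densest run of snapshot events
    that reaches `threshold` inside `window` (one finding per user)."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == SNAPSHOT_EVENT:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best:
            count, start, end = best
            findings.append({"rule": "snapshot_burst", "user": user, "count": count,
                             "first": evs[start]["ts"].isoformat(),
                             "last": evs[end]["ts"].isoformat(),
                             "vms": sorted({e["target"] for e in evs[start:end + 1]})})
    return findings


def find_rogue_admin_grants(events, known_admins=KNOWN_ADMINS, admin_roles=ADMIN_ROLES):
    """Flag any admin-level role handed to a principal outside the allowlist."""
    findings = []
    for e in events:
        if e["type"] != PERMISSION_EVENT:
            continue
        fields = dict(kv.split("=", 1) for kv in e["target"].split(";"))
        role, principal = fields.get("role"), fields.get("principal")
        if role in admin_roles and principal not in known_admins:
            findings.append({"rule": "rogue_admin_grant", "granted_by": e["user"],
                             "principal": principal, "role": role,
                             "ts": e["ts"].isoformat()})
    return findings


def hunt(text=SAMPLE_EVENTS):
    """Run both hunts over a log export and return the combined findings."""
    events = parse_events(text)
    return find_snapshot_bursts(events) + find_rogue_admin_grants(events)


if __name__ == "__main__":
    for f in hunt():
        print(f)
```

The burst rule keys on the acting user rather than the VM, because a backup service account snapshotting dozens of machines is normal while an interactive account doing the same is not; feed it your real event export and tune the threshold and window to your backup schedule before alerting on it.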

North Korea’s QR Phishing Targets Mobile Users

North Korean threat actors are now using QR codes in phishing campaigns to harvest credentials and deploy mobile malware.

Emails and messages carry the QR code as an image, so the phishing link never appears as text for URL filters to inspect. Scanning it moves the victim onto a personal phone outside the corporate proxy and endpoint controls, and any session token captured by the fake login portal keeps working until it is revoked.

Companies should:

  • Train users that QR codes = links.

  • Enforce re-authentication with phishing-resistant MFA.

  • Restrict camera QR actions on managed devices.

  • Alert on logins from devices not already tied to the user, since a QR-initiated sign-in typically arrives from a personal phone.

As I said: “QR codes are the new link shorteners — only now, they can hide an entire payload in a picture.”
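“QR codes = links” is the whole point, so the defensive step is to treat the decoded string as an untrusted URL and triage it before anyone taps it. The following is an added example, not code from the original post. It assumes the QR image has already been decoded to text by a QR library (not included here), and the login-host allowlist, brand tokens, shortener list and sample URLs are placeholders constructed for the demo.

```python
"""Triage the URL decoded from a QR code before anyone follows it.

Added example, not from the original post. Assumes the QR image was decoded
to a string elsewhere; allowlist, brand tokens, shortener list and sample
URLs are constructed placeholders for the demo.
"""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

ALLOWED_LOGIN_HOSTS = {"sso.example.com", "login.microsoftonline.com"}  # assumed allowlist
BRAND_TOKENS = {"example", "microsoft"}                                  # assumed brand names
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd"}                  # assumed list

# Constructed decoded payloads: one legitimate, five classic quishing lures.
SAMPLE_DECODED_URLS = [
    "https://sso.example.com/login",
    "http://192.168.4.20/auth",
    "https://sso.example.com@evil-host.net/login",
    "https://xn--exmple-cua.com/login",          # punycode for exämple.com
    "https://sso.example.com.login-verify.net/",
    "https://bit.ly/3xyzabc",
]


def _under_allowed(host):
    """True if host is an approved login host or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in ALLOWED_LOGIN_HOSTS)


def _fold(host):
    """Decode punycode and strip accents so 'exämple' compares as 'example'."""
    try:
        host = host.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        pass  # already Unicode, or not valid IDNA; compare as-is
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch)).lower()


def triage_qr_url(url):
    """Return the reasons a decoded QR URL looks like a lure; [] means no findings."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before host (display-host spoof)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw ip host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host or not host.isascii():
        reasons.append("idn/punycode host")
    if host in SHORTENERS:
        reasons.append("url shortener hides destination")
    if not _under_allowed(host) and any(tok in _fold(host) for tok in BRAND_TOKENS):
        reasons.append("brand name on unapproved domain")
    return reasons


if __name__ == "__main__":
    for u in SAMPLE_DECODED_URLS:
        print(u, "->", triage_qr_url(u) or "clean")
```

The userinfo and punycode checks matter most on a phone, where the address bar is narrow and `https://sso.example.com@evil-host.net` or `exämple.com` reads as the real thing; folding accents before the brand comparison is what catches the homoglyph case instead of just flagging it as “international”.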

Trend Micro Patches Critical Apex Central Flaws

Trend Micro released a patch for multiple critical RCE vulnerabilities (CVE-2025-69258, 69259, and 69260) affecting Apex Central, its security management platform.

Admins should patch immediately, disable public console exposure, rotate admin/API tokens, and monitor for unauthorized policy exports.

Remote management software remains a prime target — attackers love centralized tools because they offer centralized failure.

France Swaps Russian Ransomware Negotiator for French Researcher

France and Russia completed a quiet prisoner exchange: a Russian ransomware negotiator accused of aiding 900 cyberattacks was returned to Moscow in exchange for a French researcher convicted under Russia’s foreign agent laws.

The suspect, Daniil Kasatkin, once played basketball at Penn State before allegedly negotiating ransomware payments for the Conti group.

This move underscores how cybercrime is becoming geopolitically transactional — with nations swapping threat actors like Cold War spies.

As I said on air: “We’ve entered an era where ransomware is foreign policy — not just cybercrime.”

Europol Takes Down Black Axe Cybercrime Network

A Europol-coordinated operation arrested 34 members of the Black Axe syndicate, a Nigeria-based global BEC and romance scam organization spanning 12 countries.

The operation seized €119,000 in accounts, €66,000 in cash, and hundreds of mule account records.

Black Axe ran money mule, romance, and business email compromise scams — and this takedown deals a serious blow to West African cybercrime infrastructure.

For CISOs: pull the IOCs once Europol publishes them, alert on any change to a vendor’s beneficiary bank details, and hold for out-of-band verification any payment routed through new Nigerian or Eastern European intermediaries.
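The beneficiary-change control is the one that actually stops a BEC payment, so here is what it looks like as code: an added example, not from the original post or from Europol. The vendor master record, sender addresses and payment instructions are constructed for the demo; the two accepted IBANs are the commonly published test values and the rejected one is the first with its last digit altered.

```python
"""Hold payments whose beneficiary details drift from the vendor master.

Added example, not from the original post. Vendor record, e-mail addresses
and instructions are constructed; the valid IBANs are published test values.
"""
import re

VENDOR_MASTER = {  # constructed vendor master file, keyed by vendor name
    "Acme Supplies": {"iban": "DE89370400440532013000", "country": "DE",
                      "email_domain": "acme-supplies.example"},
}


def iban_is_valid(iban):
    """ISO 13616 mod-97 check: move the first four characters to the end,
    map letters to 10..35, and the resulting integer must leave remainder 1."""
    s = re.sub(r"\s+", "", iban).upper()
    if not re.fullmatch(r"[A-Z]{2}\d{2}[A-Z0-9]{11,30}", s):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)  # 'A' -> 10 ... 'Z' -> 35
    return int(digits) % 97 == 1


def review_payment(instruction, master=VENDOR_MASTER):
    """Return the reasons this instruction should be held for out-of-band
    verification (a phone call to a number already on file, not the one in
    the e-mail); an empty list means it matches the vendor master."""
    holds = []
    vendor = master.get(instruction["vendor"])
    if vendor is None:
        return ["vendor not in master file"]
    iban = re.sub(r"\s+", "", instruction["iban"]).upper()
    if not iban_is_valid(iban):
        holds.append("iban checksum invalid")
    if iban != vendor["iban"]:
        holds.append("beneficiary account changed from vendor master")
    if iban[:2] != vendor["country"]:
        holds.append(f"bank country {iban[:2]} differs from vendor country {vendor['country']}")
    sender_domain = instruction["from_email"].rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["email_domain"]:
        holds.append(f"sender domain {sender_domain} does not match vendor domain {vendor['email_domain']}")
    return holds


# Constructed instructions: a routine invoice, then the classic "we changed
# banks" message from a look-alike domain, then a fabricated account number.
SAMPLE_INSTRUCTIONS = [
    {"vendor": "Acme Supplies", "iban": "DE89 3704 0044 0532 0130 00",
     "from_email": "billing@acme-supplies.example"},
    {"vendor": "Acme Supplies", "iban": "GB82WEST12345698765432",
     "from_email": "billing@acme-suppiles.example"},
    {"vendor": "Acme Supplies", "iban": "GB82WEST12345698765433",
     "from_email": "billing@acme-supplies.example"},
]

if __name__ == "__main__":
    for ins in SAMPLE_INSTRUCTIONS:
        print(ins["iban"], "->", review_payment(ins) or "release")
```

Any non-empty result should route to a human who calls the vendor back on the number already in the master file; the checksum test is there because a fabricated account number is surprisingly common in rushed BEC attempts and costs nothing to catch.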

NSA Appoints Tim Kosiba as Deputy Director

Tim Kosiba, a 30-year federal cybersecurity veteran, has been appointed Deputy Director of the NSA, marking a rare return of a civilian to a top leadership role.

Kosiba’s focus is expected to be on AI-integrated threat intelligence and interagency modernization, strengthening cooperation across cyber, defense, and intelligence circles.

A solid pick for the agency as it braces for new hybrid warfare threats.

Action List

  • 🔐 Reset reused passwords and enforce phishing-resistant MFA.

  • 💰 Move DeFi funds to hardware wallets — treat smart contracts like untested code.

  • 🧩 Patch VMware and threat hunt for persistence that may predate the March 2025 disclosure.

  • 📱 Restrict QR logins and educate users on mobile phishing.

  • 🧠 Patch Trend Micro Apex Central RCEs immediately.

  • 🤝 Review vendor and law enforcement cooperation channels.

  • 💼 Audit international payments for mule account indicators.

  • 🛰️ Monitor NSA-related policy shifts for emerging frameworks.


James Azar’s CISO’s Take

Today’s stories highlight the intersection of cybersecurity, geopolitics, and economics. Instagram’s alleged leak shows that data fatigue has set in — people stop caring until it’s their brand. The TrueBit heist proves that smart contract logic flaws are the new zero-days. And the France–Russia swap? That’s proof cybercrime is now a diplomatic currency.

My biggest takeaway? Cybersecurity is no longer about defending networks — it’s about defending credibility. The lines between statecraft, hacking, and business are gone. For CISOs, the mission now extends far beyond the firewall: we protect reputation, resilience, and national stability — one patch, one policy, one coffee at a time.

"If everyone's data has been breached multiple times over and you're selling data that's moot, who's buying it? Which sparked a very interesting question in my mind. That's why I love our gang members here at Cyber Hub Podcast."

Stay sharp, stay caffeinated, and as always — stay cyber safe.
