
The masterminds behind a $1.5 billion heist.
FBI attributes $1.5 billion Bybit hack to DPRK hackers. Cellebrite suspends services in Serbia following allegations of misuse. A Belgian spy agency is hacked. New groups, bigger attacks. Sticky Werewolf strikes again. US DNI orders legal review of UK's request for iCloud backdoor. A cybersecurity veteran takes CISA’s lead. DOGE accesses sensitive HUD data. Cleveland Municipal Court remains closed following cyber incident. Our guest today is an excerpt from our Caveat podcast. Adam Marré, Arctic Wolf CISO and former FBI special agent, joins Dave to discuss banning TikTok and increasing regulations for social media companies. And can hacking be treason?
Today is February 27th, 2025. I’m Maria Varmazis, host of the T-Minus Space Daily podcast on the mic for Dave Bittner. And this is your CyberWire Intel Briefing.
FBI attributes $1.5 billion Bybit hack to DPRK hackers.
The US Federal Bureau of Investigation (FBI) has confirmed that North Korean hackers were behind last week's theft of $1.5 billion worth of Ethereum from the Bybit cryptocurrency exchange. The FBI attributes the hack to an activity cluster tracked as "TraderTraitor," which is tied to Pyongyang's Lazarus Group.
The Bureau provided a list of fifty-one Ethereum addresses holding assets from the theft, stating, "FBI encourages private sector entities including RPC node operators, exchanges, bridges, blockchain analytics firms, DeFi services, and other virtual asset service providers to block transactions with or derived from addresses TraderTraitor actors are using to launder the stolen assets."
BleepingComputer reports that Bybit CEO Ben Zhou has shared the results of two investigations into the hack. First, investigators from Sygnia concluded that "the root cause of the attack is malicious code originating from Safe{Wallet}'s infrastructure." Second, researchers at Verichains added that "The attack specifically targeted Bybit by injecting malicious JavaScript into app.safe.global, which was accessed by Bybit's signers. The payload was designed to activate only when certain conditions were met. This selective execution ensured that the backdoor remained undetected by regular users while compromising high-value targets... Based on the investigation results from the machines of Bybit's Signers and the cached malicious JavaScript payload found on the Wayback Archive, we strongly conclude that AWS S3 or CloudFront account/API Key of Safe.Global was likely leaked or compromised."
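The vector described above, a served JavaScript bundle altered at the hosting bucket or CDN, is what Subresource Integrity (SRI) pinning and release-hash checks exist to catch. The following is an added example, not code from Bybit, Safe or the investigators: a small Python audit that parses a page's script tags and checks each served bundle against the SRI hash pinned for it; every path and file body here is constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed stand-in for the JS bundles a CDN serves (path -> bytes).
# vendor.js has been altered in place, as a tampered bucket would serve it.
GENUINE_VENDOR = b"export const util = 1;\n"
SERVED_ASSETS = {
    "/static/app.js": b"export const sign = (tx) => wallet.sign(tx);\n",
    "/static/vendor.js": GENUINE_VENDOR + b"if (cond) { /* injected */ }\n",
    "/static/analytics.js": b"track();\n",
}

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value in the form '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, content).digest()).decode()}"

class _ScriptCollector(HTMLParser):
    """Collects (src, integrity attribute or None) for every <script src> tag."""
    def __init__(self):
        super().__init__()
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append((a["src"], a.get("integrity")))

def audit_scripts(html: str, assets: dict) -> dict:
    """Map each script src to 'ok', 'mismatch' or 'missing-integrity'."""
    parser = _ScriptCollector()
    parser.feed(html)
    report = {}
    for src, integrity in parser.scripts:
        if not integrity:
            report[src] = "missing-integrity"   # browser would run it unverified
        else:
            algo = integrity.split("-", 1)[0]
            report[src] = "ok" if sri_hash(assets[src], algo) == integrity else "mismatch"
    return report

# Constructed page: integrity values pinned at release time, before the tampering.
PAGE = (
    f'<script src="/static/app.js" integrity="{sri_hash(SERVED_ASSETS["/static/app.js"])}"></script>'
    f'<script src="/static/vendor.js" integrity="{sri_hash(GENUINE_VENDOR)}"></script>'
    '<script src="/static/analytics.js"></script>'
)

def run_audit() -> dict:
    return audit_scripts(PAGE, SERVED_ASSETS)
```

SRI only helps when the HTML carrying the integrity attributes is served from somewhere the attacker does not control; if the same compromised bucket serves the HTML, the attributes can be rewritten too, so run this kind of check from an independent monitor against a release manifest rather than trusting the live page.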
The hack currently stands as the largest heist of any kind in history, surpassing Saddam Hussein's theft of $1 billion from the Central Bank of Iraq in 2003.
Cellebrite suspends services in Serbia following allegations of misuse.
Israeli cell phone data extraction firm Cellebrite has dropped the Serbian government as a customer following a report that the Serbian police had used the company's tools to hack the phones of a journalist and an activist, according to a report from TechCrunch. Amnesty International published a report in December 2024 asserting that Serbian authorities used Cellebrite's hacking software in combination with an Android-focused spyware tool to "covertly infect individuals’ devices during periods of detention or police interviews."
Cellebrite said in a statement, "We take seriously all allegations of a customer’s potential misuse of our technology in ways that would run counter to both explicit and implied conditions outlined in our end-user agreement. After a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time."
A Belgian spy agency is hacked.
Belgium has initiated a judicial investigation into an alleged Chinese cyber-espionage operation that compromised the email system of its State Security Service (VSSE). Between 2021 and 2023, unidentified Chinese state-sponsored hackers reportedly siphoned off 10% of the agency's incoming and outgoing emails. The attackers exploited a vulnerability in an email security product from Barracuda Networks, deploying malware strains Saltwater, SeaSpy, and Seaside, in order to establish backdoors into compromised systems. While classified internal communications remained secure, the breach affected an external server handling communications with government ministries and law enforcement, potentially exposing personal data of nearly half the VSSE's staff and past applicants. Belgian officials have refrained from commenting on the specifics, citing the ongoing nature of the investigation.
New groups, bigger attacks.
In 2024, China significantly advanced its cyber-espionage capabilities, with a 150% increase in nation-state-backed intrusions across all sectors compared to 2023, as reported by CrowdStrike. Industries such as financial services, media, manufacturing, industrials, and engineering experienced triple or quadruple the number of China-related intrusions. Notably, CrowdStrike identified seven new China-linked threat groups, five of which demonstrated specialized skills targeting specific sectors. Groups like Liminal Panda, Locksmith Panda, and Operator Panda (also known as Salt Typhoon) focused on telecommunications networks, with Operator Panda linked to attacks on U.S. and global telecom providers. These groups have adopted advanced tactics, including the use of operational relay box (ORB) networks—which are botnets of compromised edge devices—in order to obfuscate their activities and maintain persistent access. This evolution reflects China's long-term investment in cultivating a highly skilled technical workforce, enhancing its offensive cyber capabilities to rival other global powers. While primarily focused on intelligence gathering, the sophistication and specialization of these groups pose significant threats to global critical infrastructure. For instance, Volt Typhoon, tracked by CrowdStrike as Vanguard Panda, has targeted logistics networks related to maritime operations, air transportation, and intercontinental travel, underscoring the pressing need for robust cybersecurity measures to counteract China's expanding cyber-espionage activities.
Sticky Werewolf strikes again.
In early 2025, cybersecurity researchers at Kaspersky's Securelist reported the resurgence of the Angry Likho Advanced Persistent Threat (APT) group, also known as Sticky Werewolf, targeting organizations in Russia and Belarus. Active since 2023, Angry Likho APT has been linked to cyberattacks on government agencies and large corporate contractors within these regions.
The group's modus operandi involves highly targeted spear-phishing emails directed at employees of major organizations, including governmental bodies and their contractors. These emails contain malicious RAR archives embedding harmful shortcut files alongside seemingly benign documents. Once the archive is opened, a sophisticated infection chain is initiated, culminating in the deployment of the Lumma Stealer malware. This malware is engineered to exfiltrate sensitive information such as system details, installed software data, browser cookies, login credentials, banking information, and cryptocurrency wallet contents.
US DNI orders legal review of UK's request for iCloud backdoor.
US Director of National Intelligence Tulsi Gabbard has ordered a legal review of the UK government's secret demand for Apple to provide a backdoor to access users' iCloud data, the Record reports. Apple recently said it would stop offering its Advanced Data Protection (ADP) feature in the UK rather than comply with the demand.
Gabbard said in a response to a letter from Senator Ron Wyden (Democrat of Oregon) and Representative Andy Biggs (Republican of Arizona), "I share your grave concern about the serious implications of the United Kingdom, or any foreign country, requiring Apple or any company to create a 'backdoor' that would allow access to Americans' personal encrypted data. This would be a clear and egregious violation of Americans’ privacy and civil liberties, and open up a serious vulnerability for cyber exploitation by adversarial actors."
Gabbard added, "My lawyers are working to provide a legal opinion on the implications of the reported UK demands against Apple on the bilateral Cloud Act agreement. Upon initial review of the U.S. and U.K. bilateral CLOUD Act Agreement, the United Kingdom may not issue demands for data of U.S. citizens, nationals, or lawful permanent residents, nor is it authorized to demand the data of persons located inside the United States. The same is true for the United States – it may not use the CLOUD Act agreement to demand data of any person located in the United Kingdom."
A cybersecurity veteran takes CISA’s lead.
Karen Evans, a seasoned federal IT and cybersecurity expert, has been appointed as the Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA). In this prominent role, she will lead efforts to protect federal civilian agencies and the nation's critical infrastructure against cyber threats. Evans brings extensive experience from her previous positions, including Chief Information Officer at the Department of Homeland Security, Assistant Secretary for Cybersecurity, Energy Security, and Emergency Response at the Department of Energy, and Administrator of E-Government and Information Technology at the Office of Management and Budget. Her appointment fills a key leadership position within CISA, which has been without a permanent director since January 2025.
DOGE accesses sensitive HUD data.
The Department of Government Efficiency (DOGE), led by Elon Musk, has obtained access to the Department of Housing and Urban Development's (HUD) Enforcement Management System (HEMS), which contains sensitive personal data on individuals alleging housing discrimination, including domestic violence survivors. This system holds unredacted records such as medical histories, financial documents, Social Security numbers, and confidential addresses. While other agencies have resisted DOGE's attempts to access confidential information, HUD granted access, raising significant privacy concerns. DOGE's mission to modernize government technology and reduce improper spending has faced opposition, including legal challenges and resignations, due to potential privacy violations.
Cleveland Municipal Court remains closed following cyber incident.
The Cleveland Municipal Court is closed for the fourth day in a row following a "cyber incident" earlier this week. The court hasn't disclosed the nature of the incident, but News 5 Cleveland cites an expert as saying ransomware is the most likely cause.
The court said in a Facebook post, "As a precautionary measure, the Court has shut down the affected systems while we focus on securing and restoring services safely. These systems will remain offline until we have a better understanding of the situation. All internal systems and software platforms will be shut down until further notice."
The Ohio National Guard and Ohio Cyber Reserve are assisting in the response.
Our guest today is an excerpt from our Caveat podcast. Arctic Wolf’s CISO and former FBI special agent Adam Marré joins Dave to discuss banning TikTok and increasing regulations for social media companies. And, a soldier who Googles 'Can Hacking Be Treason?' finds out the hard way. We’ll be right back.
Welcome back. You can hear Adam and Dave’s full discussion on today’s Caveat episode. Following the interview on Caveat, Dave and co-host Ben Yelin discuss the issue.
A soldier who Googles 'Can Hacking Be Treason?' finds out the hard way.
A U.S. Army soldier, Cameron Wagenius, was recently caught leaking confidential phone records and attempting to extort AT&T for $500,000. Prosecutors say he was part of a group of hackers that stole data from Snowflake, a cloud storage service, accessing records from companies like AT&T, Ticketmaster, and Lending Tree. AT&T alone had data from 110 million customers stolen and reportedly paid hackers $370,000 to prevent further leaks.
Wagenius, who operated online under the alias “Kiberphant0m,” pleaded guilty to leaking data but had also searched for ways to defect to non-extradition countries and even asked Google, “Can hacking be treason?”—because nothing says criminal mastermind like crowdsourcing your legal defense from a search engine. Authorities found evidence he attempted to sell stolen information to a foreign military intelligence service and had a cache of over 17,000 stolen identity documents. Prosecutors argue he is a flight risk, and the government is pushing to keep him in custody while he awaits sentencing, where he could face up to 20 years in prison.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Maria Varmazis, in for Dave Bittner. Thanks for listening.