
The rise of AI-driven cyber offense.
The Pentagon is spending millions on AI hacking. The New York Times investigates illicit crypto funds. Researchers uncover widespread remote code execution flaws in AI inference engines. Police in India arrest CCTV hackers. Payroll Pirates use Google Ads to steal credentials and redirect salaries. A large-scale brand impersonation campaign delivers Gh0st RAT to Chinese-speaking users. A bitcoin mining company CEO gets scammed. Monday biz brief. On our Industry Voices segment with our Knowledge Partner SpecterOps, Chief Technology Officer Jared Atkinson is discussing Attack Path Management: Identities in Transit. Bitcoin big wigs learn to bite through plastic.
Today is Monday November 17th 2025. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
The Pentagon is spending millions on AI hacking.
Federal records show the U.S. is investing in AI-driven offensive cyber capabilities, awarding up to $12.6 million to a stealth Arlington startup called Twenty, which also secured Navy funding and backing from In-Q-Tel and major VCs. Twenty, staffed by former Cyber Command and intelligence veterans, focuses on automating operations that can strike hundreds of targets at once. Job listings indicate work on AI-powered attack tools, autonomous agent frameworks and social-engineering personas. The company’s emergence reflects a broader shift toward automated cyberwarfare, as other nations, including China, also use AI agents for hacking. While firms like Two Six Technologies have developed AI to assist human operators, Twenty appears positioned to push far more autonomous offensive capabilities.
The New York Times investigates illicit crypto funds.
The crypto industry has gained mainstream momentum, bolstered by President Trump’s new crypto business and his pledge to make the United States a global leader. But an international investigation by The New York Times, the International Consortium of Investigative Journalists and dozens of partner outlets found that more than $28 billion in illicit funds has flowed into major crypto exchanges over the past two years. Hackers, scammers and criminal networks, including North Korean groups and global fraud rings, routinely moved money through top platforms such as Binance and OKX. Binance, which settled U.S. money-laundering charges in 2023, continued receiving hundreds of millions tied to sanctioned entities and hacked funds. Exchanges have pledged to improve compliance, but investigators say law enforcement cannot keep up with the scale of abuse. Victims of scams, from individual investors to bank executives, rarely recover lost funds. Meanwhile, lightly regulated crypto-to-cash storefronts worldwide offer criminals an easy path to convert digital assets into untraceable money.
Researchers uncover widespread remote code execution flaws in AI inference engines.
Cybersecurity researchers at Oligo Security report a widespread set of remote code execution flaws impacting major AI inference engines from Meta, Nvidia, Microsoft and open-source projects such as vLLM and SGLang. The vulnerabilities, called ShadowMQ, stem from unsafe use of the ZeroMQ messaging library and Python’s pickle deserialization. Multiple AI systems replicated the same insecure pattern through code reuse, exposing sensitive prompts, model weights and customer data across internet-reachable servers. Additional vulnerabilities were found in vLLM, Nvidia TensorRT-LLM, Modular Max Server, Microsoft’s Sarathi-Serve and SGLang, with several projects still incompletely patched. Oligo says the issue shows how unsafe components propagate quickly through the AI ecosystem and urges immediate patching and strict limits on ZeroMQ exposure and pickle use.
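Added example, not code from the Oligo report or from any of the projects named above: a restricted unpickler that refuses to resolve any global outside an allow-list, which is the kind of strict limit on pickle use the report calls for. The ZeroMQ transport is left out; the same `safe_loads` would wrap whatever bytes the socket receives. The allow-list and both sample payloads are constructed for the demonstration.

```python
import io
import os
import pickle

# Allow-list of (module, name) pairs a message may reference. Anything else
# (e.g. functions that run commands or evaluate code) is refused before any
# object is constructed. Constructed for this example; fit it to the real schema.
SAFE_GLOBALS = {
    ("builtins", "dict"), ("builtins", "list"), ("builtins", "tuple"),
    ("builtins", "set"), ("builtins", "frozenset"), ("builtins", "bytes"),
    ("builtins", "str"), ("builtins", "int"), ("builtins", "float"),
}

class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals listed in SAFE_GLOBALS."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")

def safe_loads(data: bytes):
    """Drop-in replacement for pickle.loads on a message-receive path."""
    return RestrictedUnpickler(io.BytesIO(data)).load()

class _CallsGetcwd:
    # Stand-in for a hostile message: __reduce__ makes the unpickler call a
    # function chosen by whoever produced the bytes. os.getcwd is used because
    # it is harmless; the mechanism is identical for any other callable.
    def __reduce__(self):
        return (os.getcwd, ())

def demo():
    """Return how each loader treats a benign and a hostile message."""
    benign = pickle.dumps({"prompt": "hello", "max_tokens": 16})
    hostile = pickle.dumps(_CallsGetcwd())
    results = {"benign": safe_loads(benign)}
    try:
        safe_loads(hostile)
        results["hostile"] = "accepted"
    except pickle.UnpicklingError:
        results["hostile"] = "rejected"
    # Plain pickle.loads shows what the restricted loader prevented: the
    # callable embedded in the message is executed during deserialization.
    results["unrestricted_ran_callable"] = pickle.loads(hostile) == os.getcwd()
    return results

if __name__ == "__main__":
    print(demo())
```

The allow-list approach only blunts the problem; a format with no code-execution semantics, such as JSON or MessagePack, is the sturdier fix for data that crosses a network boundary.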
Police in India arrest CCTV hackers.
Police in India say hacked CCTV footage from a maternity hospital was sold on Telegram, exposing severe privacy and security gaps as cameras become widespread nationwide. Investigators in Gujarat uncovered a large cybercrime network that had breached at least 50,000 CCTV systems in hospitals, schools, offices and private homes. Hackers exploited weak or default passwords, using brute-force tools to access and sell sensitive videos for small payments, with some channels even offering live feeds. Eight people have been arrested, and videos were removed after police contacted YouTube and Telegram. Experts warn that poorly secured CCTV systems, often managed by untrained staff, leave Indians vulnerable to voyeurism, extortion and data theft. Advocates urge stronger manufacturer safeguards, mandatory password changes and better protections, especially in sensitive spaces.
Payroll Pirates use Google Ads to steal credentials and redirect salaries.
A financially motivated group known as the Payroll Pirates has been hijacking payroll systems, credit unions, retailers and trading platforms across the U.S. since mid-2023 using malvertising. First identified by Check Point, the operation used Google Ads to impersonate payroll portals, steal credentials and redirect salaries. After going quiet in late 2023, the group resurfaced in mid-2024 with upgraded kits capable of bypassing two-factor authentication through real-time Telegram interactions. Investigations by Malwarebytes, SilentPush and Check Point showed the activity was part of a unified network, not shared tools, with at least four admins and indications of operators based in Ukraine. Two main clusters run the operation: Google Ads with cloaking redirects and Bing Ads using aged domains. The campaign remains active, highly adaptive and difficult to disrupt.
A large-scale brand impersonation campaign delivers Gh0st RAT to Chinese-speaking users.
Palo Alto Networks’ Unit 42 reports two interconnected 2025 malware campaigns using large-scale brand impersonation to deliver Gh0st remote access Trojan (RAT) variants to Chinese-speaking users. The first, “Campaign Trio,” ran in February–March 2025, mimicked three popular apps such as i4tools and Youdao, and used over 2,000 domains to distribute trojanized installers from centralized infrastructure. The second, “Campaign Chorus,” began in May 2025, expanded to more than 40 impersonated applications and adopted a far more evasive, multi-stage infection chain, including cloud-hosted payload delivery, VBScript droppers and DLL side-loading through a signed executable. Both campaigns rely on mass automated domain generation, focus on software favored by Chinese-speaking users and ultimately deploy Gh0st RAT for full system control. Palo Alto provides indicators of compromise.
A bitcoin mining company CEO gets scammed.
Sazmining CEO Kent Halliburton was conned out of $220,000 in bitcoin by fraudsters posing as representatives of a wealthy Monaco family office, Wired reports. The supposed investors courted him over lavish in-person meetings in Amsterdam, dangling a $4 million mining hardware deal tied to a side purchase of bitcoin. They persuaded him to create a new Atomic Wallet on his phone and move funds into it to “prove” capacity for the transaction. Once the bitcoin arrived, it was instantly drained and laundered through exchangers, mixers, and cross-chain bridges, making it difficult to trace or recover. Researchers believe the scammers captured his seed phrase, likely via discreet visual surveillance. The theft created a serious cash crunch for Sazmining, but the company ultimately remained solvent.
Elsewhere, British prosecutors obtained a civil recovery order to seize £4.11 million in crypto from Twitter hacker Joseph James O’Connor, reclaiming profits from the 2020 breach that hijacked celebrity accounts to push a Bitcoin scam. O’Connor, already serving five years in the US for computer intrusions, fraud and money laundering, helped run a SIM-swapping scheme that netted over $100,000 in hours. The order targets Bitcoin, Ethereum and stablecoins and shows UK authorities can recover illicit assets even when convictions occur abroad.
Monday biz brief.
Cybersecurity funding and acquisitions surged last week, led by Israel’s Tenzai emerging from stealth with a $75 million seed round to build an AI-agent–driven penetration testing platform. Sweet Security also raised $75 million to expand its runtime CNAPP and AI security offerings. Truffle Security secured $25 million to grow its secrets-exposure detection tools, while identity-focused Oleria raised $19 million and application security startup Seezo raised $7 million. Threat-detection firm Rilevera added $3 million in seed funding.
The M&A front was equally active: Coalition acquired MDR provider Wirespeed; Arctic Wolf bought ransomware-prevention firm UpSight; MorganFranklin Cyber acquired Lynx Technology Partners; Hexaware purchased IAM provider CyberSolve; Axiom GRC acquired IS Partners; RKON bought cloud-security firm ScaleSec; and Pentera acquired offensive security firm EVA Information Security to expand adversarial testing for AI-integrated environments.
Programming note.
Join us for Cyber Things, Armis’ special-edition podcast series that pulls back the curtain on the eerie parallels between our real cyber landscape and a certain Hawkins-shaped sci-fi universe. Episode one—“The Unseen World”—premieres today, November 17th, revealing the hidden dangers lurking just beneath our digital surface on your favorite podcast app. Look for Cyber Things, tune into the trailer and episode one, and subscribe now… before the shadows start moving! We will have a link in our show notes as well.
Bitcoin billionaires learn to bite through plastic.
At a lakeside Bitcoin conference in Lugano, a handful of jittery investors ended their weekend not with price forecasts but with a lesson in chewing through zip-ties. Their instructor, former Royal Marine Pete Kayll, assured them that teeth beat plastic, though “it will bloody well hurt.”
Such is life in crypto’s wrench-attack era, where kidnappers no longer bother with elaborate hacks when a simple threat of violence does the trick. With Bitcoin’s surge minting flashy nouveaux riches, abductions have climbed to more than one a week, prompting entrepreneurs like Alena Vranova to host €1,000 counter-kidnapping workshops complete with grim PowerPoints and stern admonitions: no Lambos, no bragging, and beware beautiful strangers who find crypto bros irresistibly fascinating.
Between tips on ditching obvious bodyguards and turning umbrellas into weapons, the trainers reminded attendees of one final truth: no digital fortune is worth a shattered clavicle — or worse.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.