
MFA meets its match.
Starkiller represents a significant escalation in phishing infrastructure. A blockchain lender breach affects nearly a million users. The Kimwolf botnet disrupts a peer-to-peer privacy network. Researchers identify vulnerabilities in widely used Visual Studio Code extensions. DEF CON bans three men named in the Epstein files. Texas sues TP-Link over supply chain security. Experts question the impact of cyber versus kinetic damage in Venezuela. African law enforcement arrest hundreds of suspected scammers. Tim Starks from CyberScoop explains CISA’s upcoming town hall meetings over ICS reporting rules. Warsaw walls off Wi-Fi-wired wheels.
Script
Today is Thursday, February 19th, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Starkiller represents a significant escalation in phishing infrastructure.
A new phishing toolkit called Starkiller represents what researchers describe as a significant escalation in phishing infrastructure. Discovered by security firm Abnormal, the platform operates as a proxy that serves genuine login pages through attacker-controlled infrastructure, rather than relying on static HTML clones. It launches a headless Chrome instance to mirror legitimate sites in real time, allowing victims to authenticate directly with the real service through the attacker’s proxy.
Because users interact with the live site, any multi-factor authentication codes or session tokens are forwarded to the legitimate service instantly, enabling attackers to bypass MFA protections. Starkiller can impersonate major brands including Google, Microsoft, and financial institutions, and provides real-time session monitoring and keylogging.
Sold as a subscription service on the dark web, Starkiller includes updates and support, increasing its potential longevity and impact.
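As an added defender-side illustration (not code from the CyberWire story or from Abnormal’s research), the following Python simulates why origin-bound authentication such as WebAuthn/FIDO2 resists a live-proxy kit where relayed OTP codes do not: the browser records the origin it actually loaded, and the relying party rejects anything but its own. The relying-party origin, proxy origin and credential key are hypothetical, and an HMAC stands in for the authenticator’s asymmetric signature.

```python
import hashlib
import hmac
import json
import secrets
# Constructed scenario: hypothetical legitimate relying party (RP) and proxy origins.
RP_ORIGIN = "https://login.example.com"
PROXY_ORIGIN = "https://login.example-proxy.invalid"
# Stand-in for the credential key pair: an HMAC key known only to the authenticator
# and the RP (real WebAuthn signs asymmetrically; the origin check is the same).
CREDENTIAL_KEY = secrets.token_bytes(32)

def sign(client_data: bytes) -> bytes:
    digest = hashlib.sha256(client_data).digest()
    return hmac.new(CREDENTIAL_KEY, digest, hashlib.sha256).digest()

def browser_sign(challenge: bytes, page_origin: str) -> dict:
    # The browser, not the page, fills in `origin`, so a login page served through
    # a proxy records the proxy's origin even though the challenge is the RP's own.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    return {"clientDataJSON": client_data, "signature": sign(client_data)}

def rp_verify(assertion: dict, issued_challenge: bytes):
    # Relying-party checks, in the order a real RP performs them.
    data = json.loads(assertion["clientDataJSON"])
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(data.get("challenge", ""), issued_challenge.hex()):
        return False, "challenge mismatch"
    if data.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + repr(data.get("origin"))
    if not hmac.compare_digest(sign(assertion["clientDataJSON"]), assertion["signature"]):
        return False, "bad signature"
    return True, "ok"

def attempt_login(page_origin: str, rewrite_origin: bool = False):
    # One login ceremony. The RP's challenge reaches the browser intact whether the
    # page is served directly or relayed through a proxy, just as an OTP code would.
    challenge = secrets.token_bytes(32)
    assertion = browser_sign(challenge, page_origin)
    if rewrite_origin:
        # A proxy that edits clientDataJSON to claim the real origin changes the
        # signed bytes, so the signature check fails instead.
        data = json.loads(assertion["clientDataJSON"])
        data["origin"] = RP_ORIGIN
        assertion["clientDataJSON"] = json.dumps(data, separators=(",", ":")).encode()
    return rp_verify(assertion, challenge)
```

Running `attempt_login(RP_ORIGIN)` succeeds, while `attempt_login(PROXY_ORIGIN)` is refused on origin and the rewritten-origin variant is refused on signature, which is the property a relayed OTP or session token lacks.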
A blockchain lender breach affects nearly a million users.
Nearly one million users were affected by a data breach at Figure Technology Solutions, a Nasdaq-listed blockchain lender. The company confirmed an employee fell victim to a social engineering attack, allowing attackers to access a limited number of files. The ShinyHunters group claimed responsibility and published 2.4GB of alleged stolen data on its Tor leak site. Have I Been Pwned identified about 967,000 exposed records, including names and contact details. ShinyHunters linked the incident to a broader voice phishing campaign targeting Okta single sign-on accounts.
The Kimwolf botnet disrupts a peer-to-peer privacy network.
The Kimwolf Internet of Things botnet has disrupted the privacy network I2P after attempting to use it to evade takedown efforts, Krebs on Security reports. Around February 3, I2P users reported outages as tens of thousands of new routers flooded the network. Kimwolf operators later acknowledged on Discord that they had tried to connect roughly 700,000 infected devices to I2P, overwhelming a network that typically supports between 15,000 and 55,000 nodes.
The incident amounts to a Sybil attack, where one actor controls large numbers of fake identities to destabilize a peer-to-peer system. Researchers say Kimwolf is experimenting with I2P and Tor as resilient command-and-control channels. I2P remains operational at reduced capacity, while reports suggest the botnet’s size has recently declined significantly.
Researchers identify vulnerabilities in widely used Visual Studio Code extensions.
Researchers at OX Security have identified four vulnerabilities in widely used Visual Studio Code extensions, warning they could enable serious cyber-attacks. Three flaws, assigned CVEs by MITRE, affect extensions including Live Server, Markdown Preview Enhanced, and Code Runner, with combined downloads exceeding 128 million. The most severe, rated 9.1, could allow remote attackers to exfiltrate files from a developer’s machine. Another enables arbitrary JavaScript execution and local network scanning, while a third permits remote code execution through social engineering. A fourth issue in Microsoft Live Preview was silently patched in September 2025.
OX Security said the flaws expose a critical blind spot in developer environments and warned that a single compromised extension could enable broader organizational breaches.
DEF CON bans three men named in the Epstein files.
DEF CON has banned three technology figures named in the Epstein files, despite no accusations of criminal wrongdoing. The individuals, Pablos Holman, Vincenzo Iozzo, and Joichi Ito, were cited by organizers for their documented contact with Jeffrey Epstein. Emails show past professional interactions, including introductions, funding discussions, and offers of conference tickets. Ito previously resigned from MIT’s Media Lab after disclosures that he accepted funding from Epstein, and he later apologized for the association. Iozzo and Holman have disputed or declined to comment on the implications of their ties.
DEF CON said the bans apply to all future events. The conference rarely publicizes bans, with only a handful disclosed since 2017.
Texas sues TP-Link over supply chain security.
Texas has sued TP-Link Systems, alleging the networking company misled consumers about security and supply chain origins while exposing devices to exploitation. Attorney General Ken Paxton claims TP-Link marketed routers as secure and labeled them “Made in Vietnam,” despite sourcing most components from China. The lawsuit argues this creates national security risks, citing Chinese laws that could compel data sharing.
The complaint references firmware vulnerabilities allegedly exploited by Chinese state-backed hackers and a botnet, tracked by Microsoft as Quad7 or CovertNetwork-1658, built largely from compromised TP-Link routers. Federal agencies have also flagged actively exploited flaws in TP-Link devices.
Texas seeks civil penalties and disclosure requirements. TP-Link denies the allegations, calling them meritless and stating U.S. user data is stored domestically.
Experts question the impact of cyber versus kinetic damage in Venezuela.
Public reporting has framed the January 3 Caracas power outage during the mission targeting Nicolás Maduro as a precision cyberattack. But videos, photos, and expert analysis suggest visible physical damage to multiple substations could alone explain the disruption. Imagery showed destroyed equipment, bullet impacts, oil leaks, and fires at facilities including Panamericana and Fuerte Tiuna. Experts told CyberScoop the kinetic damage appeared sufficient to cause localized outages, raising doubts about a cyber-only narrative.
Officials have not publicly confirmed a cyber cause, despite early statements referencing cyber “layering effects.” Analysts say cyber operations may have supported the mission by reducing situational awareness or identifying weak points, but likely did not act alone.
How the incident is characterized matters. A cyber-only framing could distort policy decisions, overstating digital capabilities while underestimating physical grid vulnerabilities that experts say remain critical.
African law enforcement arrest hundreds of suspected scammers.
African law enforcement agencies arrested 651 suspects and recovered more than $4.3 million during INTERPOL’s Operation Red Card 2.0, targeting investment fraud, mobile money scams, and fake loan schemes. Conducted across 16 countries between December 8 and January 30, the operation identified 1,247 victims linked to over $45 million in losses. Authorities seized 2,341 devices and dismantled 1,442 malicious websites and servers.
Nigeria, Kenya, and Côte d’Ivoire reported major arrests tied to phishing rings, fraudulent investment platforms, and abusive loan apps. INTERPOL officials emphasized the importance of cross-border cooperation against organized cybercrime networks.
Separately, Nigerian national Matthew Akande was sentenced in the United States to eight years in prison for hacking tax firms, stealing client data with Warzone remote-access malware, and filing fraudulent returns seeking $8.1 million in refunds.
Warsaw walls off Wi-Fi-wired wheels.
Poland’s Ministry of Defence has decided that if a car can record you, it probably should not park next to anything classified. The ministry this week banned Chinese-made vehicles, and any others equipped with technology capable of recording location, images, or sound, from entering protected military facilities. Officials are also barred from plugging work phones into infotainment systems in China-built cars, citing the risk of “uncontrolled acquisition and use of data.”
The ban is not absolute. Warsaw plans to introduce a security vetting process so manufacturers can earn clearance, with carve-outs for inspections and rescue missions. Poland says the move aligns with NATO practices, though enforcement could get tricky given that some European brands manufacture models in China.
The decision fits a broader pattern of restricting Chinese tech over espionage concerns. In short, if your car might be listening, it can wait at the gate.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
