The CyberWire Daily Podcast 4.13.26
Ep 2529 | 4.13.26

W3LL runs dry.

Transcript

The FBI disrupts a multi-million-dollar phishing ring. A North Korea-linked supply chain attack hits OpenAI. Developers face a Slack phishing campaign. A critical Python notebook flaw is exploited in hours. ShinyHunters target Rockstar Games. A Japanese shipping firm reports a breach. Tracking the cybersecurity winners and losers in Trump’s 2027 budget, plus a claimed cyberattack on UAE infrastructure. Business breakdown. Our guest is Justin Kohler, Chief Product Officer at SpecterOps, discussing Identity Attack Path Management. Crackdowns at home push scam networks abroad. 

Today is Monday April 13th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The FBI takes down a multi-million-dollar phishing operation. 

US and Indonesian law enforcement have dismantled W3LL, a phishing operation linked to more than $20 million in fraud worldwide. Led by the FBI’s Atlanta field office, the takedown targeted the W3LL phishing kit, which allowed criminals to spoof login pages and steal credentials. The kit sold for about $500 through the members-only W3LL Store, active from 2019 to 2023, and investigators believe the marketplace enabled the sale of over 25,000 compromised accounts. Activity continued after the store’s closure via encrypted messaging apps, with more than 17,000 victims targeted between 2023 and 2025. The FBI seized the w3ll.store domain and identified the suspected developer as “G.L.” Researchers at Group-IB previously described W3LL as a full business email compromise ecosystem supporting attacks across the phishing kill chain.

Tracking the winners and losers in Trump’s 2027 budget. 

The Trump administration’s proposed 2027 budget would reduce civilian federal cybersecurity spending from $12.455 billion in 2026 to $12.228 billion, a decline of about $227 million, with uneven impacts across agencies. The Department of Justice and State Department would see the largest increases, alongside smaller gains at Transportation, Commerce, Housing and Urban Development, and Energy. 

Major cuts would fall on the Department of Homeland Security, largely affecting CISA, as well as the Department of Veterans Affairs, National Science Foundation, Health and Human Services, and Treasury. Notably, cybersecurity funding for the SEC and FCC would drop to zero under the proposal.

CISA alone could lose $707 million and hundreds of positions, raising concerns about reduced collaboration with the private sector. Experts warn that lower federal cyber investment amid rising nation-state and criminal threats may increase long-term national risk and weaken public-private defense partnerships. 

The Handala hacking group claims responsibility for a cyberattack targeting the UAE. 

According to Iranian news sources, the Handala hacking group claims responsibility for a cyberattack targeting three UAE institutions: the Dubai Courts Authority, Dubai Land Authority, and Dubai Roads and Transport Authority. The group says it destroyed 6 petabytes of data and exfiltrated 149 terabytes of sensitive documents, causing reported disruptions across Dubai’s legal and infrastructure systems. Handala framed the operation as political retaliation and warned of further action. The claims, if accurate, suggest a significant challenge to the UAE’s critical infrastructure cybersecurity posture. Again, we emphasize these claims have not yet been independently verified. 

A phishing campaign targets software developers through the TODO Group Slack workspace. 

The Open Source Security Foundation (OpenSSF) is warning of a phishing campaign targeting software developers through the TODO Group Slack workspace. Attackers impersonate Linux Foundation leaders and promote a supposed invite-only artificial intelligence tool to lure victims. Targets are redirected through a fake Google Workspace-style page that requests an email, access code, and installation of a malicious root certificate, enabling attackers to monitor encrypted traffic and steal data.

The attack varies by platform. On macOS, victims are prompted to run a file called gapi, potentially enabling full system compromise. On Windows, users are urged to trust the fake certificate. Researchers note similarities to recent campaigns against Node.js developers, which Mandiant has linked to North Korean state-sponsored actors. OpenSSF advises developers never to install certificates from unsolicited links and to enable multi-factor authentication.

North Korea’s attack on the Axios supply chain affects OpenAI. 

OpenAI says it was affected by the recent Axios supply chain attack linked by researchers to North Korean hackers. Attackers compromised a maintainer’s NPM account and briefly distributed malicious Axios packages containing a cross-platform remote access trojan. A GitHub Actions workflow used in OpenAI’s macOS app-signing process executed the tainted version, exposing signing materials. OpenAI believes its certificate was not compromised but revoked and rotated it as a precaution. Researchers observed infections on at least 135 machines.

Hackers exploit a critical vulnerability in an open-source Python notebook platform. 

Hackers began exploiting a critical vulnerability in the Marimo open-source Python notebook platform within 10 hours of its disclosure. The flaw, tracked as CVE-2026-39987 and rated 9.3 by GitHub, allows unauthenticated remote code execution through the exposed /terminal/ws WebSocket endpoint. Researchers at Sysdig observed attackers quickly validating access, conducting reconnaissance, and extracting credentials from .env files and SSH-related locations in under three minutes.

The vulnerability affects Marimo versions 0.20.4 and earlier, particularly deployments exposed on shared networks in edit mode. The attackers appeared to prioritize credential theft rather than persistence or cryptomining. Marimo released version 0.23.0 to address the issue and advised users to upgrade immediately, restrict endpoint access, monitor connections, and rotate potentially exposed secrets.
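As an added example that is not from the episode or from the Marimo project, the following Python script applies two of the recommended checks to constructed data: it flags WebSocket upgrades to the /terminal/ws endpoint from non-loopback clients in sample access log lines (hypothetical log format), and it tests a version string against the affected range stated above (0.20.4 and earlier; 0.23.0 carries the fix).

```python
import re
from ipaddress import ip_address

# Constructed sample access log lines in a hypothetical format:
#   client method path protocol status "Upgrade header value"
SAMPLE_LOG = """\
10.0.0.5 GET /terminal/ws HTTP/1.1 101 "websocket"
127.0.0.1 GET /terminal/ws HTTP/1.1 101 "websocket"
203.0.113.7 GET /terminal/ws HTTP/1.1 101 "websocket"
10.0.0.9 GET /api/kernel/run HTTP/1.1 200 "-"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) \S+ '
    r'(?P<status>\d{3}) "(?P<upgrade>[^"]*)"$'
)


def parse_version(version: str) -> tuple:
    """Turn a dotted version string such as '0.20.4' into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version: str) -> bool:
    """True for Marimo 0.20.4 and earlier, the range reported as affected.

    Assumption: only that range is treated as vulnerable; 0.23.0 is the fixed release.
    """
    return parse_version(version) <= (0, 20, 4)


def flag_terminal_ws(log_text: str) -> list:
    """Return client addresses that opened a WebSocket to /terminal/ws from off-host.

    Loopback clients are skipped because a local edit-mode session is expected;
    anything else reaching the terminal endpoint deserves review and secret rotation.
    """
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # ignore lines that do not fit the expected format
        if match["path"] != "/terminal/ws" or match["upgrade"].lower() != "websocket":
            continue
        if ip_address(match["client"]).is_loopback:
            continue
        hits.append(match["client"])
    return hits


if __name__ == "__main__":
    print("affected 0.20.4:", is_affected("0.20.4"), "| affected 0.23.0:", is_affected("0.23.0"))
    print("off-host /terminal/ws clients:", flag_terminal_ws(SAMPLE_LOG))
```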

ShinyHunters claim to have breached Rockstar Games. 

Hackers claiming to be the ShinyHunters group say they breached Rockstar Games by accessing servers hosted by a third-party cloud provider and threatened to release stolen data unless paid a ransom. Rockstar confirmed that a limited amount of non-material company information was accessed but said the incident had no impact on its operations or players. The group, previously linked to breaches including Ticketmaster, says it will publish the data if its demands go unmet. The incident marks Rockstar’s second major cyberattack in three years, following a 2023 breach tied to a Lapsus$ member that exposed early Grand Theft Auto VI development footage.

A Japanese shipping company suffers a data breach. 

Japanese shipping company Nippon Yusen Kabushiki Kaisha reported unauthorized access to a marine fuel procurement system detected on March 24, resulting in the possible exfiltration of data including personal information. The company isolated the affected system and suspended its use, restoring operations on March 27. NYK notified regulators and police and launched an internal investigation. It said there is no evidence of ransomware activity, financial demands, or secondary damage linked to the incident so far.

Business breakdown. 

Cybersecurity firms announced multiple funding rounds and acquisitions this week, led by TENEX.ai raising $250 million in Series B funding to expand hiring, partnerships, EMEA operations, and its artificial intelligence security operations platform. depthfirst secured $80 million to grow research and enterprise adoption, while Alcatraz and Linx Security each raised $50 million to support expansion and product development. Additional early-stage funding went to Trent AI, Huskeys, and Test of Things.

In mergers and acquisitions activity, Fortra acquired Zero-Point Security to expand offensive security training capabilities, while EFEX acquired Priority 1 IT to strengthen healthcare-sector technical services.


Crackdowns at home push scam networks abroad. 

In a piece for Wired, Lilly Hay Newman reports that governments keep trying to shut down industrial-scale scam compounds across Southeast Asia, but the operations, often linked to Chinese organized crime and forced labor, continue to thrive with stubborn efficiency. The FBI says Americans alone reported $17.7 billion in cyber-enabled scam losses last year, likely an undercount. US officials argue a key obstacle is uneven cooperation from China, which has cracked down on scams targeting its own citizens while foreign victims remain fair game. Researchers say that approach has quietly encouraged syndicates to pivot toward Americans and other international targets. Meanwhile, the United Nations notes scam centers are expanding their multilingual workforces to match their global ambitions. Analysts compare the dynamic to squeezing a balloon: pressure in one place simply bulges elsewhere. The result is a familiar pattern in cybercrime diplomacy: everyone agrees scams are bad, just preferably someone else’s problem first.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.


We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.


N2K’s lead producer is Liz Stokes. We’re mixed by Tré Hester, with original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.