In today’s cybersecurity news…
Threat actors break out in under 30 minutes
According to CrowdStrike’s annual global threat report, the average breakout time from initial network intrusion to lateral movement onto other systems fell to 29 minutes in 2025, 65% faster than the year before. The fastest breakout observed was 27 seconds. Of these incidents, 82% didn’t involve malware; most relied on legitimate credentials or social engineering. But don’t forget good old vulnerabilities: exploitation of zero-days increased by 42%. Activity from nation-state-affiliated groups increased 266% year over year, with attacks attributed to North Korea up 130%. We have a link to the report in our show notes.
Claude allegedly hit with distillation attacks
In a blog post, Anthropic claimed that three Chinese firms, DeepSeek, Moonshot, and MiniMax, attempted to copy its Claude models using so-called “distillation attacks.” Model distillation is a technique in which a less capable model is trained on the outputs of a more advanced one. According to Anthropic, the firms engaged in over 15 million exchanges with Claude across roughly 24,000 accounts. The campaigns weren’t coordinated with one another; each firm pursued different goals, such as improving coding performance or reasoning capabilities. In response, Anthropic rolled out stronger account verification procedures, a more advanced detection system for API traffic, and tooling to detect attempts to elicit “chain-of-thought” reasoning.
DeFi platform shutting down after crypto theft
Earlier this month, the decentralized finance platform Step Finance disclosed that on January 31st, threat actors stole $40 million from its treasury using compromised devices from its executive team. After exploring “every possible path forward,” Step Finance announced it will shut down all operations by the end of this week, along with the associated projects SolanaFloor and the Remora Markets trading platform. The company is still working out the details on a buyback program for STEP coin and Remora token holders using about $4.7 million worth of recovered crypto assets.
UK fines Reddit for age check failings
The UK’s Information Commissioner’s Office (ICO) fined Reddit £14.47 million after finding that from May 5, 2018, through July 8, 2025, it unlawfully processed the personal information of children under 13. In response to the fine, Reddit released a statement saying it “didn’t require users to share information about their identities, regardless of age, because we are deeply committed to their privacy and safety.” In July 2025, Reddit began age verification of UK users to comply with the Online Safety Act. The ICO cautioned that more action could be forthcoming, saying Reddit’s account creation process made age declaration “easy to bypass.”
(BBC)
Huge thanks to our sponsor, Adaptive Security

Pentagon gives Grok the green light
A US Department of Defense official confirmed to Axios that xAI signed an agreement allowing the Pentagon to use its Grok model on classified systems. The agreement permits “all lawful use,” unlike Anthropic’s terms for Claude, which carve out autonomous weapons development and mass surveillance. Until now, Claude was the only model cleared for classified use. In related news, an Axios source says the DoD informed Anthropic CEO Dario Amodei that the company has until February 27th to grant similarly unfettered access to its models, or the department will either label the company a “supply chain risk” or invoke the Defense Production Act to force it to offer a version tailored for military use.
Go maintainer decries GitHub’s “noise machine”
Filippo Valsorda maintains the cryptography packages in the Go standard library and previously headed Google’s Go security team. After publishing a security fix on GitHub, he watched GitHub’s Dependabot send thousands of pull requests against unaffected repositories, generate a “nonsensical” CVSS score, and warn that a change to one line of rarely used code had a 27% chance of breaking existing code that used it. Valsorda characterized Dependabot as both too noisy, flooding maintainers with irrelevant alerts compared to static analysis tools or other vulnerability scanners, and insufficient, because it doesn’t consider whether a flaw is actually reachable or what its impact is. He recommended that anyone using Go disable the feature, saying it reduces security by creating alert fatigue.
UAE stops attack on critical infrastructure
The United Arab Emirates’ Cyber Security Council released a statement saying it “successfully thwarted organized cyberattacks of a terrorist nature that targeted the country’s digital infrastructure and vital sectors in an attempt to destabilize the nation and disrupt essential services.” Last week, Cyber Security Council member Mohamed Hamad Al Kuwaiti claimed that 70% of the threat actors targeting the country are state-sponsored. Since signing a cyber cooperation agreement with the US Treasury in 2023, the UAE has faced several attacks allegedly originating in Iran.
Lazarus Group expands the gaze of Medusa ransomware
Researchers from Symantec and Carbon Black noted that an unidentified sub-group within the prolific North Korean operation has been using the Medusa ransomware-as-a-service platform since November 2025 for attacks in the Middle East and on several US healthcare organizations. The average ransom demanded in these attacks was $260,000. Tactics used in this campaign do align with previous operations by the Stonefly subgroup, also known as Andariel, but there’s no reason to believe those tactics are used exclusively by Stonefly. North Korea typically uses ransomware revenue to fund its espionage operations.
CarGurus data leaked
The ShinyHunters extortion group published a 6.1 gigabyte trove of data containing over 12 million records, which it claims were stolen from the US auto marketplace CarGurus. The data includes email addresses, IP addresses, financing applications and their outcomes, and dealer account details. CarGurus has not issued a statement on the publication, but the data has been added to Have I Been Pwned, which found that 3.7 million of the records were new to its service. There’s no word on how the group breached CarGurus, but of late ShinyHunters’ primary tactic has been voice phishing.