
All news with #insider threat tag

120 articles · page 3 of 6

Ukrainian Sentenced for Aiding North Korean IT Impostors

🔒 A Ukrainian man was sentenced to five years in prison after admitting he helped North Korean IT workers infiltrate US companies using stolen identities. He pleaded guilty in November 2025 to aggravated identity theft and conspiracy to commit fraud and agreed to forfeit over $1.4 million in cash and cryptocurrency. Authorities say he sold hundreds of stolen identities and provided proxy accounts and laptop farms to disguise foreign workers as US-based.

Defense Contractor Employee Jailed for Selling Zero-Days

🔒 Peter Williams, a 39-year-old former senior employee at L3Harris, was sentenced to just over seven years in prison after pleading guilty to selling eight zero-day exploits to the Russian exploit broker Operation Zero. Prosecutors say he received up to $4 million in cryptocurrency and has been ordered to forfeit proceeds, including properties and luxury items. The theft, which occurred between 2022 and 2025, targeted tools intended for sale only to the U.S. government and select allies and prompted criminal charges and sanctions.

Former L3Harris Manager Sentenced for Selling Zero-Days

🔒 Peter Williams, former head of Trenchant at L3Harris, was sentenced to 87 months in federal prison after admitting he stole and sold zero-day exploit components to the Russian broker Operation Zero. Prosecutors say he transferred at least eight protected exploit components between 2022 and 2025 using a portable external drive and encrypted channels. L3Harris estimates the theft caused $35 million in losses and the sales netted Williams $1.3 million in cryptocurrency. Authorities ordered forfeiture of the crypto, a house, and luxury items, and the U.S. Treasury announced sanctions against the broker.

Cost of Insider Incidents Surges Driven by Shadow AI

🔍 DTEX's Cost of Insider Risks 2026 report, produced with the Ponemon Institute, finds employee negligence — driven in part by shadow AI — caused 53% of the average $19.5m loss per organization. Malicious incidents accounted for $4.7m and phishing-related 'outsmarted' employees $4.5m. The study warns undocumented AI, personal webmail and file sharing create exposure and urges behavioral intelligence, identity-centric controls and AI governance to reduce incidents.

Prioritizing Identity Risk by Context, Not Ticket Volume

🔐 Most identity programs still triage work like IT ticket queues—by volume, noise, or failed control checks—an approach that breaks when environments are increasingly non-human and partially onboarded. Identity risk is a function of controls posture, hygiene, business context, and intent; missing controls matter differently depending on what an identity can access. Hygiene failures such as orphan, local, or dormant accounts create low-effort paths for attackers and autonomous agents. Orchid builds an identity graph from telemetry, scores contextual risk, ranks toxic combinations, and sequences remediation to reduce real exposure rather than just shrink a findings list.

Ex-Google Engineers Indicted for Trade Secret Theft

🔒 Three former Google engineers and one spouse were indicted in U.S. federal court for allegedly stealing trade secrets and transferring sensitive files, including materials related to Google's Tensor processor, to unauthorized locations reportedly including Iran. The defendants — Samaneh Ghandali, Mohammadjavad Khosravi and Soroor Ghandali — are accused of exfiltrating documents to third‑party channels, copying files to personal and employer devices, and concealing their actions. They were arrested in San Jose after Google detected suspicious activity and notified law enforcement; the indictment carries multiple counts with significant prison and fine exposures.

Citizen Lab: Cellebrite Used on Kenyan Activist's Phone

🔍 Citizen Lab identified indicators that Kenyan authorities used Cellebrite forensic extraction tools on the personal Samsung phone of pro-democracy activist Boniface Mwangi while it was held in police custody in July 2025. The researchers assessed with high confidence that the extraction occurred on or around July 20–21; the device was returned in September and was no longer password-protected. Such access could have enabled full extraction of messages, files, passwords and other sensitive data. The finding compounds other recent reports of commercial spyware and extraction-tool misuse against civil society.

Exposing Insider Threats with Data, Identity & HR Context

🔍 CrowdStrike describes how combining Falcon Data Protection, Falcon Next-Gen Identity Security, and HR context enables detection of insider threats through multi-layer telemetry correlation, behavioral baselines, and automated risk scoring. The Insider Threat Analytics and User Activity Investigation dashboards surface anomaly hunting leads — rare destinations, first-seen egress, off-hours activity, USB and unusual endpoint transfers — and provide prioritized user risk lists. Workday integration and content inspection improve visibility for departing employees and sensitive data.

Man Arrested After Downloading Confidential Police Files

🔒 Dutch police arrested a 40-year-old man in Ridderkerk after he downloaded confidential documents that an officer mistakenly shared via a download link and then refused to delete them unless he received "something in return." Authorities detained him on suspicion of computer trespass, searched his home and seized storage devices to recover the files. Police reported the breach and are investigating, saying there is no indication the documents were distributed further.

OpenClaw (Moltbot): Critical Enterprise AI Agent Risks

⚠️ OpenClaw (formerly Clawdbot/Moltbot) is an open-source local AI assistant that integrates with chat apps and can access calendars, email, browsers and the filesystem. Since its November 2025 debut and January 2026 viral spike, multiple critical vulnerabilities — notably CVE-2026-25253 — enabled token theft and arbitrary command execution. The project stores secrets in plaintext, exposes dangerous defaults, and hosts a marketplace where malicious skills have proliferated. Organizations face regulatory, operational, and insider-threat risks if employees run this software on personal or corporate devices.

Developers as an Emerging Attack Vector in Software

🔐 Developers and the tools they rely on are increasingly targeted as attackers move beyond exploiting application bugs to compromising developer workflows and ecosystems. Threats include typosquatting, malicious open-source packages, compromised plugins, supply-chain hijacks and fake employees who gain insider access. AI increases the scale and plausibility of social engineering, code changes and malicious package recommendations. Security leaders should combine identity hygiene, least-privilege, secrets management, whitelists and continuous hands-on developer training to reduce risk.

Software Developers as Prime Cyber Targets and Risks

🔐 Software developers are increasingly targeted by attackers exploiting their tools, credentials, and trusted channels rather than traditional application bugs. Threats include malicious IDE extensions, tainted open-source packages, CI/CD pipeline abuse, credential theft, social engineering, and AI-driven manipulation. Because developers hold tokens, API keys, cloud credentials, and long-lived secrets, compromises can grant broad access to source code and infrastructure. CISOs must combine technical controls, least-privilege practices, supply-chain defenses, and ongoing developer training to reduce systemic risk.

Smashing Security #453: Epstein Files Expose Risks Now

📰 In episode 453 of Smashing Security, Graham Cluley and guest Tricia Howard examine how sloppy redaction and a mix of AI and open social profiles can deanonymise documents once thought obscured. They discuss real-world incidents including malware delivery via a compromised Notepad++ installer, a sex-addiction app leaking intimate user data, and a problematic AV update used to distribute malware. The episode also highlights insider-threat risks after a senior US cybersecurity official uploaded sensitive government material into a public ChatGPT instance, and explores how broken trust can have lasting reputational consequences for vendors and organisations.

Coinbase Confirms Contractor Insider Breach of Support Data

🔒 Coinbase confirmed that a contractor improperly accessed data for approximately 30 customers in a December incident, and the individual no longer performs services for the company. Impacted users were notified, provided identity theft protection services, and Coinbase disclosed the incident to relevant regulators. Screenshots of an internal support panel briefly appeared on Telegram and were associated with the 'Shiny Lapsus Hunters' posts, showing customer PII, KYC details, and wallet balances, though attribution remains unclear.

Step Finance: Executive Device Compromise Leads to $40M Theft

🚨 Step Finance announced on January 31 that attackers compromised devices belonging to several executives, resulting in the theft of roughly $40 million in digital assets. The Solana-based DeFi analytics and execution platform engaged external cybersecurity researchers and law enforcement and has recovered about $4.7 million so far through Token22 protections and partner coordination. Some operations are paused to strengthen security. Users are advised not to interact with the STEP token while a pre-exploit snapshot and remediation plan are processed.

Former Google Engineer Guilty of Stealing AI Secrets

🔒 A former Google engineer, Linwei Ding, was convicted by a US federal jury on 14 counts, including economic espionage and theft of trade secrets, after allegedly exfiltrating over 2,000 pages of sensitive AI technical documents. Prosecutors say he copied data into Apple Notes, converted it to PDFs, and uploaded the materials to a personal Google Cloud account to evade DLP controls. The stolen IP involved custom TPU and GPU orchestration software and SmartNIC designs intended for AI supercomputers, and the DoJ alleges Ding planned to support Chinese state-affiliated entities.

Former Google Engineer Convicted for Stealing AI Data

🔒 A U.S. jury has convicted Linwei Ding, a former software engineer at Google, for stealing confidential AI supercomputer information and covertly sharing it with China-based technology firms. Prosecutors say Ding exfiltrated more than 2,000 pages of proprietary material — including details about TPU and GPU systems, orchestration software, and SmartNIC networking — by uploading files to his personal cloud account between May 2022 and April 2023. He later founded Shanghai Zhisuan Technology Co., sought government talent programs, and was convicted on multiple counts of economic espionage and trade secret theft after an 11-day San Francisco trial.

CISA Issues New Guidance on Insider Threat Risk Management

🔒 The US Cybersecurity and Infrastructure Security Agency (CISA) has released an infographic to help critical infrastructure operators and SLTT governments prevent, detect and respond to insider threats. It advocates treating insider risk as an essential capability and recommends scalable, multidisciplinary teams that are embedded in existing structures. The guidance outlines a four-stage model—plan, organize, execute, maintain—and emphasizes confidentiality, legal compliance and coordination with external partners.

CISA Acting Director Uploaded FOUO Files to ChatGPT

🛡️ The acting director of the U.S. Cybersecurity and Infrastructure Security Agency uploaded multiple for official use only (FOUO) contracting documents to the public version of ChatGPT between mid‑July and early August 2025, triggering automated DHS security alerts. Sensors detected the activity in early August, generating several alerts in the first week and prompting an internal review. The uploads—containing contracting information not intended for public release—underscore gaps in AI governance and exception handling for senior officials at CISA.

Four Arrested in Discord SWATting and Doxing Crackdown

🚨 Hungarian and Romanian police arrested four young men accused of orchestrating Discord-based SWATting and doxing campaigns that triggered hoax bomb threats and endangered targeted individuals. Law enforcement released video of coordinated raids in which computers, phones and other digital evidence were seized as investigators traced anonymous calls to spoofed numbers. Suspects, aged 16 to 20, face investigations and charges including misuse of personal data and public endangerment; authorities stress these actions are serious crimes with potentially life‑threatening consequences.