CyberWire Daily - Proxy wars and open doors.

Episode Date: January 29, 2026

Google dismantles a huge residential proxy network. Did the FBI take down the notorious RAMP cybercrime forum? A long-running North Korea-backed cyber operation has splintered into three specialized threat groups. U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks ahead of the 2024 elections. Phishing campaigns target journalists using the Signal app. SolarWinds patches vulnerabilities in its Web Help Desk product. Amazon found CSAM in its AI training data. Initial access brokers switch up their preferred bot. China executes scam center kingpins. Our guest is Tom Pace, CEO of NetRise, explaining how open-source vulnerabilities are opening doors for nation-states. An unsecured webcam peers into Pyongyang.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today, Tom Pace, former DOE cyber analyst and CEO of NetRise, joins the show to explain how open-source vulnerabilities are opening doors for nation-states and why visibility into who maintains code repositories matters.
Selected Reading
Google Disrupted World's Largest IPIDEA Residential Proxy Network (Cyber Security News)
Notorious Russia-based RAMP cybercrime forum apparently seized by FBI (The Record)
Long-running North Korea threat group splits into 3 distinct operations (CyberScoop)
Secret US cyber operations shielded 2024 election from foreign trolls, but now the Trump admin has gutted protections (CNN Politics)
Phishing attack: Numerous journalists targeted in attack via Signal Messenger (Netzpolitik.org)
Signal president warns AI agents are making encryption irrelevant (Cyber Insider)
SolarWinds Patches Critical Web Help Desk Vulnerabilities (SecurityWeek)
Amazon Found 'High Volume' Of Child Sex Abuse Material in AI Training Data (Bloomberg)
Initial access hackers switch to Tsundere Bot for ransomware attacks (Bleeping Computer)
China Executes 11 People Linked to Cyberscam Centers in Myanmar (Bloomberg)
North Korean Hackers' Daily Life Leaked in Video (The Chosun)

Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show.

Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. If securing your network feels harder than it should be, you're not imagining it. Modern businesses need strong protection, but they don't always have the time, staff, or patience for complex setups. That's where NordLayer comes in. NordLayer is a toggle-ready network security platform built for businesses. It brings VPN, access control, and threat protection together in one place. No hardware, no complicated configuration: you can deploy it in minutes and be up and running in less than 10. It's built on zero-trust principles, so only the right people can get access to the right resources.
Starting point is 00:00:50 It works across all major platforms, scales easily as your teams grow, and integrates with what you already use. And now, NordLayer goes even further through its partnership with CrowdStrike, combining NordLayer's network security with Falcon endpoint protection for small and mid-sized businesses. Enterprise-grade security made manageable. Try NordLayer risk-free and get up to 22% off yearly plans, plus an extra 10% with the code Cyberwire10. Visit Nordlayer.com slash Cyberwire Daily to learn more.
Starting point is 00:01:42 Google dismantles a huge residential proxy network. Did the FBI take down the notorious RAMP cybercrime forum? A long-running North Korea-backed cyber operation has splintered into three specialized threat groups. U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks ahead of the 2024 elections. Phishing campaigns target journalists using the Signal app. SolarWinds patches vulnerabilities in its Web Help Desk product.
Starting point is 00:02:10 Amazon found CSAM in its AI training data. Initial access brokers switch up their preferred bot. China executes scam center kingpins. Our guest is Tom Pace, CEO of NetRise, explaining how open source vulnerabilities can be open doors for nation-states. And an unsecured webcam peers into Pyongyang. It's Thursday, January 29th, 2026. I'm Dave Bittner, and this is your CyberWire Intel briefing.
Starting point is 00:02:52 Thanks for joining us here today. Great as always to have you with us. Google and its partners have launched a coordinated operation to dismantle IPIDEA, a residential proxy network security experts describe as one of the largest of its kind. The service routes internet traffic through millions of everyday consumer devices worldwide, allowing attackers to blend malicious activity into normal user traffic. According to analysts at Google Cloud, this infrastructure has been widely abused by criminal and nation-state groups to support cyber attacks, espionage, and data theft.
Starting point is 00:03:42 IPIDEA operates by embedding hidden software development kits into legitimate-looking apps, such as games and utilities. Once installed, these SDKs quietly turn user devices into proxy exit nodes without clear consent. Google reports that in a single seven-day period in January of this year, more than 550 tracked threat groups relied on IPIDEA nodes for activities including business system access and password spraying. Enforcement actions, supported by partners like Cloudflare, disrupted core infrastructure and removed millions of infected devices, though experts warn similar networks continue to grow.
Starting point is 00:04:27 The notorious RAMP cybercrime forum, widely used by ransomware groups and initial access brokers, appears to have been seized by the Federal Bureau of Investigation after its websites were replaced with an FBI seizure notice. The U.S. Department of Justice has not confirmed the action publicly, prompting some skepticism given past exit scams in the cybercrime ecosystem. DNS records reportedly showed RAMP redirecting to an FBI-controlled domain, though the notice lacks the international partner logos typically seen in coordinated takedowns.
Starting point is 00:05:05 RAMP served Russian-, Chinese-, and English-speaking criminals and was previously administered by Mikhail Matveev before control reportedly passed to a hacker known as Stallman, who now claims law enforcement has taken over the forum.
Starting point is 00:05:21 Former U.S. intelligence official Laura Galante said such disruptions are intended to fragment cybercrime markets, making them less stable and harder for dominant groups to emerge. CrowdStrike reports that a long-running North Korea-
Starting point is 00:05:37 backed cyber operation has splintered into three specialized threat groups, reflecting a more mature and bureaucratic structure. The original group, dubbed Labyrinth Chollima, now focuses primarily on espionage, targeting manufacturing, logistics, defense, and aerospace organizations in Europe and the United States. Two offshoots, Golden Chollima and Pressure Chollima, concentrate on cryptocurrency theft to generate revenue for the regime. According to CrowdStrike, Pressure Chollima carried out last year's record $1.46 billion crypto theft and is among North Korea's most technically advanced actors. The groups share infrastructure and lineage with the broader Lazarus Group,
Starting point is 00:06:24 indicating centralized coordination. CrowdStrike says the continued diversification allows Pyongyang to expand cyber operations while funding them under the pressure of international sanctions. CNN reports that weeks before the 2024 election, U.S. military cyber operators carried out a covert operation to disrupt Russian troll networks targeting American voters, according to sources briefed on the effort. From U.S. Cyber Command, hackers interfered with servers
Starting point is 00:06:58 and personnel linked to Russian firms spreading fabricated news aimed at swing states, particularly attacking politicians supportive of Ukraine. One source said the operation slowed but did not stop the activity. The action was part of a broader multi-agency push involving the FBI and the Department of Homeland Security to blunt foreign election interference. However, under President Donald Trump's second administration, many election security and counter-influence programs have since been cut or dismembered. Current and former officials warn those reductions have weakened the federal response,
Starting point is 00:07:38 just as Russia, China, and Iran continue to refine influence operations, raising concerns ahead of the 2026 midterms. Journalists and civil society figures in Germany and elsewhere in Europe are being targeted by a sustained phishing campaign abusing the Signal messaging app, according to reporting by Netzpolitik.org. The attacks impersonate Signal support, warning recipients of suspicious activity and urging them to share a verification code. Security experts say the campaign appears highly targeted, focused on journalists, lawyers, politicians, and activists, and may be spreading through stolen address book data.
Starting point is 00:08:24 According to Amnesty International, the campaign is active, although it remains unclear how many victims were compromised. If users share both the verification code and their Signal PIN, attackers can take over accounts, lock out legitimate users, and access contacts and group memberships, potentially exposing sources and networks. Signal says the attacks do not exploit flaws in its software and stresses it never contacts users via in-app chats, urging users to enable registration lock and never share codes or PINs.
Starting point is 00:08:59 Signal Foundation President Meredith Whittaker warned that artificial intelligence agents embedded in operating systems are undermining the real-world protections of end-to-end encryption. Speaking to Bloomberg at the World Economic Forum in Davos, Whittaker said encryption remains mathematically sound, but AI assistants often require broad system access that exposes decrypted messages. She cited research showing misconfigured AI tools linked to Signal accounts allowing plaintext message access, and argued that encryption cannot compensate for near-root-level access by AI systems.
Starting point is 00:09:42 SolarWinds has released patches for six vulnerabilities in its Web Help Desk product, including four critical flaws with CVSS scores of 9.8. The most severe is an unauthenticated deserialization bug that could enable remote code execution, according to researchers at Horizon3.ai. Three additional critical issues include another deserialization flaw and two authentication bypass bugs. Two high-severity issues involve security control bypass and hard-coded credentials. All flaws are fixed in the latest version of Web Help Desk, and SolarWinds urges organizations to update promptly.
Starting point is 00:10:27 Amazon reported hundreds of thousands of suspected child sexual abuse material, or CSAM, discoveries last year while scanning data used to train its artificial intelligence models, according to reporting by Bloomberg. The material was removed before training, but officials at the National Center for Missing and Exploited Children say Amazon provided little detail about the content's origin, limiting law enforcement's ability to identify perpetrators or protect victims. NCMEC says AI-related CSAM reports surged more than 15-fold in 2025, with Amazon accounting for the vast majority. Amazon says the data came from external sources and was flagged through automated scanning
Starting point is 00:11:17 using deliberately over-inclusive thresholds that may produce false positives. Child safety experts warn the findings highlight risks in rapidly assembling large AI training datasets without sufficient safeguards or transparency. Researchers at Proofpoint report that prolific initial access broker
Starting point is 00:11:38 TA584 has escalated operations by deploying Tsundere Bot alongside the XWorm remote access trojan, activity that could enable follow-on ransomware attacks. Proofpoint has tracked TA584
Starting point is 00:11:55 since 2020 and says its campaign volume tripled in late 2025, expanding beyond North America and the UK into Europe and Australia. The attack chain relies on phishing emails sent from compromised accounts via services like SendGrid and Amazon SES. Victims are funneled through CAPTCHA and ClickFix pages that prompt them to run PowerShell commands, loading malware directly into memory. Tsundere Bot, first documented by Kaspersky, supports data theft, lateral movement, and payload delivery. Proofpoint assesses with high confidence that these infections could ultimately lead to ransomware
Starting point is 00:12:37 deployment. China has executed 11 people linked to cyber scam centers operating in Myanmar, according to state media. The individuals described as core members of the Ming family criminal gang were convicted of fraud, running illegal casinos and intentional homicide. Authorities say the syndicate handled more than $1.4 billion in illicit funds and was tied to multiple deaths. The executions come amid broader regional crackdowns on scam operations, which the United Nations Office on Drugs and Crime says are expanding across Southeast Asia and often involve human trafficking. Coming up after the break,
Starting point is 00:13:31 Tom Pace from NetRise explains how open source vulnerabilities are opening doors for nation-states, and an unsecured webcam peers into Pyongyang. Stay with us. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes?
Starting point is 00:14:09 That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep.
Starting point is 00:14:44 Get started at vanta.com slash cyber. That's v-a-n-t-a.com slash cyber. When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how GuardSquare provides industry-leading security
Starting point is 00:15:27 for your Android and iOS apps at guardsquare.com. Tom Pace is a former DOE cyber analyst and now CEO of NetRise. We recently sat down to discuss how open-source vulnerabilities are opening doors for nation-states, and why visibility into who maintains code repositories matters. Essentially, Senator Tom Cotton reached out to the National Cyber Director and basically brought to their attention the issues and risks associated with open source software. He called out, you know, a handful of specific examples. Number one was a piece of software that a Russia-based developer is the sole maintainer of. And so, you know, there's a handful of assumptions and inferences being made as a result of that.
Starting point is 00:16:41 Just because someone's in Russia, does that always mean they're acting on behalf of the Russian government? Obviously not. Is it something we should pay attention to and at least be aware of so that we can make an appropriate data-driven, risk-based decision? Definitely. And then there was another one which was centered around XZ Utils, which was actually a particular incident that we did some really interesting research on as part of an article that came out in Wired that Danielle actually helped us with.
Starting point is 00:17:15 But the issue here is understanding provenance of open source components is equally as critical in 2025 and '26 as, arguably, in my opinion, significantly more critical than the traditional supply chain. You know, knowing where your raw materials and your chips and all those things come from is obviously very important, for a slightly different reason. For the software piece, you can be certain that there are risks and issues in your software supply chain that you have absolutely no idea about. That, I think, is basically a high-level overview of the challenges that Senator Tom Cotton was putting forth to the White House. And in your estimation, where do we stand today, in terms of both private organizations but then the government as well, to be able to evaluate what their risk level is here? Capabilities exist and are not being used would, I think, be the most fair way.
Starting point is 00:18:35 You know, the government, in particular the Department of War, really seeks, they desire an approach to these types of things that aligns with, you know, compliance and regulatory frameworks and sets of controls that people can be measured and tested against. And there's nothing about any of the issues that are called out in this particular letter that really aligns well to that. And what's happening is there's a recent RFI summary, I guess, document that came out called SWFT, for the Software Fast Track Initiative, which is basically the Department of War's desire to be able to procure and acquire software more rapidly
Starting point is 00:19:29 for obvious reasons. But in so doing, it also needs to be able to understand and evaluate the risk of software in a much more comprehensive and programmatic way. And so, you know, this is where SBOMs come in, and other artifacts can be extracted, generated, and analyzed to determine risk. And provenance would be another good element here
Starting point is 00:19:57 as part of that entire process. So getting everybody on the same page in terms of understanding that these issues exist is just incredible. And once again, the software supply chain issues are really being led from the federal government, which is not usually how nascent and bleeding edge cyber capabilities enter the market, just generally speaking. So that's just an interesting dynamic. And the reason I think that's the case is they understand that the consequences for them are very, very different compared to the commercial sector. And finally, people have paid attention to how insane this problem is.
Starting point is 00:20:50 And the fact that we're just relying on infrastructure that's decades old and software components that are decades old and just have all these issues is, it's not new, but people are finally starting to pay attention to it, thankfully. So what do you suppose is to be done then? What's a realistic, practical way to come at this problem? Well, the first thing you have to do is get visibility so you can actually ascertain the data that you have so you can analyze it. One of the problems I've seen that's come out of certain government agencies is they build guidance and frameworks without data.
Starting point is 00:21:34 And when you do that, listen, it's better than not doing it at all. So, you know, I'm supportive of it from that perspective. But if you don't have a data set to utilize as you're building out the framework or whatever it is, the maturity model, you're going to make decisions
Starting point is 00:21:52 that may render the compliance framework or whatever somewhat useless at the end of the day. if everything gets caught or if nothing gets caught or whatever it is. So that would be the recommendation would be essentially generate a large data set, figure out the things that you think you need to care about. So if it's like, hey, these contributors are coming from China,
Starting point is 00:22:19 this set of countries, whatever they are, these contributors have had their credentials breached or stolen in breaches. These contributors are associated with known threat groups, known malware campaigns, known botnet campaigns. All of that intelligence is available and can be generated. That's obviously something we know a lot about. The government has been doing active research in open source software security. We've been directly involved in that. You know, CISA a couple years ago put out the open source security roadmap that had, you know,
Starting point is 00:23:02 a handful of steps in it that, you know, guided everybody along in terms of the types of visibility and the types of analysis one should do to determine if open source components are problematic or not. But, you know, there's a number of other issues, too. I guess on the one hand it's a good sign that Senator Cotton is pursuing this, but on the other hand, is this a situation where you hope it doesn't go long enough that we have some sort of event that we have to react to to make everybody sit up and pay attention? We've already had many events. Yeah.
Starting point is 00:23:43 So that horse has left the barn? That horse left the barn 30 years ago. Okay. That's the whole point. Yeah. Like, this isn't a new problem. This is an ancient problem. Open source software didn't just become an issue last week.
Starting point is 00:24:00 It's been an issue ever since we've been using it. You have the Linux. It's part of, like, the society we've built as Americans that matriculated into the world. So open source software, look at the Linux kernel. If you go to the Linux kernel website, you'll see a handful of logos on there that are massive contributors to that codebase. One of those companies is Huawei.
Starting point is 00:24:30 They're a huge contributor to the Linux kernel. It's not a secret. Like, they're not hiding anything. In fact, they're advertising it to the world. Like, look at us. We are contributing to the Linux kernel. we are making this thing better. We are contributing in an open and transparent way
Starting point is 00:24:50 because people, there's this assumption that open source is always a more secure thing because of people are looking at it. I think that's generally true. That's why the XZ Utils thing was caught, even though it was caught basically at the last minute. But nonetheless, it was caught. So this is an old problem that's getting
Starting point is 00:25:15 new attention. So, you know, there's a great saying: the best time to do something was yesterday, and the second best time is today. Are you optimistic that we're headed in the right direction as we head into this new year? I'm super optimistic about what's going on, especially from the federal government's perspective, in terms of the software supply chain security narrative. They're going to be doing things that the commercial sector is barely almost considering in a lot of ways, which is just fascinating. It feels almost upside down. And it's actually valuable, which is the other important thing.
Starting point is 00:26:02 You know, the federal government has a lot of requirements that the commercial sector doesn't have, but that's not always valuable, right? This is actually valuable. So, yeah, I mean, whether it's upside down or not, like, it's upside down given our frame of reference for how the government has typically behaved. But in my opinion, this is not upside down. In a society, you should care about the things that matter the most and are the most critical to that society continuing to function. Well, isn't that the government?
Starting point is 00:26:35 If the government goes down, if the government has a systemic issue with this kind of problem. So they should be the ones that tend to lead from the front. That has not been the case historically. But it seems on some of these issues that they desire to lead from the front, which, hey, they're the biggest software buyer on planet Earth. Makes sense to me. That's Tom Pace from NetRise. And finally, our turnabout-is-fair-play desk tells us a North Korean hacking unit reportedly got hacked itself.
Starting point is 00:27:32 A YouTuber chasing online scammers stumbled into a military computer and, via webcam, caught everyday scenes of uniformed North Korean soldiers at work, polishing boots, typing code, and swatting mosquitoes. Location data placed them near Pyongyang, despite VPNs pretending they were abroad. Which is awkward. The footage feeds a familiar story.
Starting point is 00:27:59 Investigators like the FBI often blame North Korea for cybercrime, and here the soldiers were moonlighting as remote developers on LinkedIn. With help from tools like ChatGPT, they landed jobs, collected salaries for the regime, and sometimes graduated to data theft and ransomware. The same playbook has fueled major crypto heists, including the Bybit hack, and ad-driven malware campaigns abusing platforms like Google.
Starting point is 00:28:30 The humor fades at the punchline. Cybercrime is estimated to fund a significant slice of Pyongyang's economy, and AI is making the whole operation faster, cheaper, and harder to spot. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and
Starting point is 00:29:14 review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire at N2K.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights,
Starting point is 00:30:19 hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsacconference.com slash cyberwire26. I'll see you in San Francisco.
