CyberWire Daily - The fable ends before it begins.
Episode Date: June 15, 2026

Anthropic pulls Fable 5. OpenAI faces a multistate probe. Handala targets a California water utility. ShinyHunters claims another victim. The FBI and Google take down a major phishing platform. The latest cybersecurity business news. Our guest is Bogdan Botezatu, Senior Director, Threat Research and Reporting at Bitdefender, discussing a rampant global transportation smishing campaign. A deepfake detective has doubts.

CyberWire Guest
Today, Bogdan Botezatu, Senior Director, Threat Research and Reporting at Bitdefender, is discussing a rampant global transportation smishing campaign. You can read more about Operation Road Trap.

Selected Reading
Anthropic disables access to Fable 5 and Mythos 5 to comply with government directive (CNBC)
Cyber leaders defend Anthropic's banned model (Axios)
State Attorneys General Are Investigating OpenAI (The New York Times)
Handala Hacking Group Claims Breach of California Water Service (Hackread)
Maine Takes Breach Reporting Portal Offline After Fake Entries (Infosecurity Magazine)
Warner introduces bill to restore MS-ISAC funding, bolster critical infrastructure cyber defense (Industry Cyber)
Infinite Campus data breach affects 137,000 school staff accounts (Bleeping Computer)
FBI, Google Dismantle 'Outsider Enterprise' Phishing Service (SecurityWeek)
Ex-school district employee jailed for hacks on former employer (Bleeping Computer)
Cyera raises $600 million in a Series G round led by Evolution Equity Partners. (N2K Pro Business Briefing)
In Age of AI, World’s Leading Deepfake Expert No Longer Trusts His Own Eyes (The New York Times)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Anthropic pulls Fable 5.
OpenAI faces a multi-state probe.
Handala targets a California water utility.
ShinyHunters claims another victim.
The FBI and Google take down a major phishing platform.
We've got the latest cybersecurity business news.
Our guest is Bogdan Botezatu, Senior Director of Threat Research and Reporting at Bitdefender,
discussing a rampant global transportation smishing campaign,
and a deepfake detective has his doubts.
It's Monday, June 15, 2026.
I'm Dave Bittner, and this is your CyberWire Intel briefing.
Thanks for joining us here today.
It's great to have you with us.
Anthropic has disabled access to its newly launched Fable 5 and Mythos 5 AI models
after receiving a U.S. Government Export Control Directive citing unspecified national security concerns.
The order required Anthropic to suspend access for all foreign nationals, including employees,
prompting the company to temporarily disable the models for all customers to ensure
compliance. Other Anthropic models remain available. The move comes just days after the release of
Fable 5 and Mythos 5, which Anthropic promoted as state-of-the-art systems with advanced cybersecurity
capabilities. Mythos-class models had previously been limited to vetted participants in Project
Glasswing, a cybersecurity initiative. Anthropic criticized the government's action as lacking transparency and
technical justification. The decision also intensifies Anthropic's ongoing conflict with the U.S.
government following a Department of Defense designation labeling the company a supply chain risk,
a designation Anthropic is challenging in court. More than 40 cybersecurity leaders have
signed a letter urging the administration to reverse the restrictions. They argue the models help
defenders identify and mitigate vulnerabilities, and that restricting access weakens
cybersecurity efforts, while competitors, including foreign AI developers, continue advancing
similar capabilities.
Critics warn the move could undermine U.S. AI leadership and hinder efforts to counter emerging
AI-powered cyber threats.
A coalition of state attorneys general has launched a broad investigation into OpenAI, requesting
internal documents related to user data practices, child safety and security
measures, and advertising activities. According to OpenAI, the subpoenas were issued Friday and
involve New York, Colorado, and some other states. The company said it is cooperating and highlighted
new ChatGPT safeguards, including parental controls. The probe reflects growing scrutiny of
AI amid concerns about child safety, AI-enabled scams, job displacement, and other societal impacts.
It also comes as federal and state governments increase oversight of the technology.
More than 100 state laws now regulate aspects of AI, ranging from youth protections to security
testing requirements.
The investigation follows other recent legal actions against AI companies, including Florida's
lawsuit and criminal investigation involving OpenAI, California's investigation into xAI,
and Kentucky's lawsuit against Character.AI.
State officials are signaling a willingness to use both regulatory and legal tools to address
perceived AI-related risks. The Iran-linked hacking group Handala claims it breached California Water
Service, also known as Cal Water, a utility serving roughly 2 million customers across 100
California communities. Researchers reported the group leaked about 5 gigabytes of data, including
customer information from the Chico District and network-related data spanning multiple operational
regions. Exposed records reportedly include names, addresses, phone numbers, account numbers,
and payment histories. According to reports, attackers first accessed the internal GPS mapping
system used by field crews and then leveraged stolen credentials to reach the customer billing network.
While Handala claimed it could disrupt water services, security researchers found no evidence that operational technology or industrial control systems were compromised.
Experts cautioned that Handala has a history of exaggerating its capabilities, often combining legitimate breaches with inflated claims.
The incident nevertheless highlights ongoing risks to critical infrastructure, particularly where operational and business networks are insufficiently
segmented. Security specialists recommend immediate password resets and stronger separation between
operational and corporate systems to reduce future attack pathways. The state of Maine has temporarily
taken its public data breach notification database offline after discovering two fraudulent breach
reports impersonating VR chat and Discord. The fake filings claimed incidents affecting 2.4 million and 10
million users respectively, but the Maine Attorney General's office confirmed they were hoaxes
submitted by an unknown party. The fabricated reports included realistic details about alleged stolen
data and remediation efforts. While legitimate breach reports can still be submitted through the
state's reporting system, officials are reviewing procedures to prevent future abuse.
The database will remain unavailable until those safeguards are in place. Senator Mark
Warner has introduced the Guaranteeing Universal Access to Cybersecurity Act, legislation aimed
at restoring and permanently funding the Multi-State Information Sharing and Analysis Center,
the MS-ISAC, a key cybersecurity resource used by roughly 19,000 state, local, tribal,
and territorial organizations.
The proposal responds to concerns that reduced federal support has weakened cyber threat sharing
and left critical infrastructure more vulnerable,
particularly as AI lowers barriers for sophisticated attacks.
The bill would direct the Cybersecurity and Infrastructure Security Agency
to provide free cybersecurity services, threat intelligence,
and technical assistance through MS-ISAC,
while expanding membership and outreach to underserved communities.
It would also require reporting to Congress
and authorize $50 million annually beginning in fiscal year
2027.
Warner argues that restoring federal support is essential to protecting critical infrastructure,
improving cyber resilience, and helping smaller jurisdictions defend against increasingly advanced
cyber threats.
The ShinyHunters extortion group has claimed responsibility for a March breach of Infinite
Campus, a student information system used by more than 3,200 U.S. school districts.
According to breach analysis by Have I Been Pwned, the incident exposed data from more than 137,000 school staff accounts, including names, email addresses, phone numbers, physical addresses, job titles, and support tickets.
Infinite Campus said the attackers targeted its Salesforce environment rather than customer databases, and that most exposed information consisted of staff contact details commonly available on school websites.
The threat group later leaked a 1.2 gigabyte archive allegedly containing stolen Salesforce records and internal company data.
The FBI and Google have dismantled Outsider Enterprise, a China-based phishing-as-a-service platform linked to billions of dollars in fraud losses.
Active since 2003, the operation provided phishing kits that enabled criminals to impersonate trusted brands through SMS
campaigns. Authorities say the platform was used to steal roughly 3.8 million credit card records,
resulting in an estimated $1.9 billion in losses across at least 55 countries. As part of Operation
Riptide, investigators seized domains, cryptocurrency assets, and infrastructure tied to the operation.
Google also identified thousands of phishing websites and has filed a lawsuit while working with
major U.S. carriers to block malicious text messages. A former Iowa school district IT employee,
Ezekiel Dean Potter, has been sentenced to 21 months in prison for carrying out a cyber
attack against his former employer, the Seidel Community School District. Prosecutors say
Potter retained access credentials after leaving the district in 2023 and repeatedly disrupted
operations by deleting accounts, resetting
credentials and targeting critical systems. His actions included deleting the district's Facebook
page, disrupting access to Apple School Manager and Schoology, and removing Gmail accounts
belonging to district staff, including senior administrators. The attacks impaired classroom
operations, limited access to educational tools, and generated significant recovery costs.
Investigators linked the activity to Potter through account access records,
and evidence recovered from a USB drive containing district credentials.
Potter pleaded guilty to computer fraud charges
and was ordered to pay nearly $60,000 in restitution
in addition to serving prison time and supervised release.
Turning to our Monday business brief,
cybersecurity funding remained strong last week,
led by Israeli data security company Cyera,
which raised $600 million in a Series G round
that boosted its valuation from $9 billion to $12 billion, just five months after a $400 million raise.
Other notable funding rounds included Israeli offensive security startup A-security at $37 million,
cloud security firm Arian Security, $29 million,
Identity Management Company Opal Security with $23 million,
AI Security Startup Archestra AI, $10 million,
$5.00. Identity security provider off-road at $7 million. Access Platform Willow, also $7 million,
and threat modeling startup op plane at $5.2 million. M&A activity was also robust with seven deals
announced across three countries. Highlights included Snowflake's planned acquisition of Natoma
to strengthen AI agent governance, Optiv's sale of its consulting business to Vobus Ventures,
and acquisitions by Strive, Nordlo, Brightline Technologies, Valiant Solutions, and Taito Athenae.
Many of the transactions focused on expanding AI security, managed security services,
compliance capabilities, and cloud infrastructure expertise,
underscoring continued investor and buyer interest in cybersecurity,
despite broader market uncertainty.
Be sure to check out our weekly business briefing on our website.
That is part of CyberWire Pro.
Coming up after the break, my conversation with Bogdan Botezatu from Bitdefender. We're discussing a rampant global transportation smishing campaign.
And a deepfake detective has his doubts. Stay with us.
Bogdan Botezatu is Senior Director of Threat Research and Reporting at Bitdefender.
We recently got together to discuss a rampant global transportation smishing campaign.
We started investigating scams quite a while ago.
Throughout 2024 and 2025, we have built a huge network of sensors
that report scams across several technologies, from short messages
to instant messaging platforms to email and even voice.
For the first time, we have the full picture of what's happening in the scam landscape,
and we're not just emotionally reporting about it.
We can put numbers next to these scams.
So what caught the attention of my researchers on this topic
is the fact that these road toll scams seem to be highly coordinated
and spread across a variety of
geographies. We identified about 12 countries affected by this, but in an uncoordinated manner.
So these campaigns are not centrally, they are executed by local threat actors independently.
This shows how globalized and industrialized, if you will, is the scam landscape at this moment.
Well, I have to say, you know, as I'm out and about talking to people and, you know, they know that I work in the security world,
this one comes up all the time, right?
These fake tolls, these text messages telling people that they're getting some sort of traffic-related trouble.
I mean, this one is really broad and widespread.
Yes, because in my opinion, this is a very low-hanging fruit.
Cyber criminals don't necessarily need to attract heat by inflicting huge losses to victims
when they can pinch a little bit of money from here and there,
and then their success rate and the financial prowess of this campaign stays in volumes.
So probably that's why we have identified so many types of scams
targeted at very specific regions.
So if you will, we mentioned that there are 80,000 such scam messages identified,
but this barely scratches the surface,
because this is as much as we could identify on the network of sensors that we're operating.
There's a lot more that we're not seeing.
So the magnitude of this scam is much higher and the amount of money cyber criminals multiply accordingly.
Another important thing in this research is the fact that each threat actor has its own way of monetizing on people who are giving into these scams.
Some of them are experts in building phishing pages that impersonate road authorities in specific countries,
but some others take it a little bit further by involving malware in this distribution chain.
And they are doing that by pointing people at a page that asks them to install a piece of software from a third-party location on that Android device.
If they're doing that, they're opening the way to a much more sophisticated type of scam
that eventually ends up in their device getting fully compromised.
The malware that these people are planting on the device
looks for two-factor authentication codes sent via SMS.
They monitor the mobile device's screen for PINs and passphrases that people use
to enter e-banking services, for instance.
And the victims end up having the entire device compromised
and their e-banking accounts open to cyber criminals.
Well, do you have any insights into the popularity of this?
I mean, are people out there buying a kit,
or is it just that this one is so effective
that lots of people have decided to jump on to this opportunity?
These look like custom-made campaigns.
They don't resemble phishing kits
or cybercrime-as-a-service tools that we have used before,
that we have seen before.
But in all honesty,
now building compelling phishing pages
and mimicking the behavior and the identity of a website
is much easier and much more inexpensive for cyber criminals
with the advent of AI agents.
They are doing the coding for us.
They are able to just receive a script,
for the resource and they will replicate it.
Another thing that probably is equally important is the fact that from what we have seen,
these cybercriminals are using a very fast and adaptive infrastructure.
They are bringing in new domains, for instance, that they are using for a very limited amount of time
just to avoid anti-malware services
blacklisting these resources. Once a resource gets blocked for phishing or for fraudulent usage,
cybercriminals will be unable to monetize on that page. So they are moving fast, replacing
domains and infrastructure and servers in order to avoid getting their campaigns intercepted.
Do you have any sense for how successful these threat actors are?
Unfortunately, not because not all these losses are getting reported.
Some people don't even realize they have been scammed, so they're not filing formal complaints
with the police offices.
But overall estimates place that last year alone, fraud was responsible for $1 trillion in losses
out of the $9 trillion global cybercrime economy.
Do you have any recommendations for people to deal with this?
I mean, like you said, these messages lately, they're relentless.
Yes, they are, and they are using the same tactics that global scams are using.
Urgency, a little bit of authoritative voice threats,
and things that normally don't find their way in official communications.
So if you're looking at a message on your mobile phone that says that you have to pay a fine,
make sure that you're not threatened with
"Otherwise, we will revoke your license or we will confiscate the car or block your accounts."
This is not how governments normally communicate with their subjects.
So don't make rushed decisions.
If you believe that a message is a scam, you have plenty of resources to check against.
Bitdefender has Scamio, which is an AI-driven chatbot that you can send email communication or screenshots with pretty much everything,
and the bot will tell you whether or not that's a scam and what red flags it has picked up to deem that communication fraudulent.
So do not act on impulse.
Use security solutions that will be able to sift phishing messages from real ones.
and education is also important here.
So try to stay up to date with the scam landscape
because it's changing very, very fast.
Do you suppose this is something that's here to stay
that for the immediate future,
we can expect to see these continuing nuisances?
Unfortunately, yes.
Fraud has been with the humankind for as long as the humankind existed.
The only thing that changed is the fact that before the advent of internet
and modern communication technologies,
fraud was localized, was very localized,
and what happened in the region did not have global replication.
Now with internet becoming a commodity and AI becoming a commodity itself,
it's much easier for cyber criminals to target people all over the world.
The language barrier has pretty much a lot,
loaded in the past few years because machine learning algorithms and AI and large language models
are making it easy to translate everything almost instantly in whatever language on earth.
Plug a large language model into a message sending API and of course it becomes cybercrime-as-a-service.
That's Bogdan Botezatu, Senior Director of Threat Research and Reporting at Bitdefender.
And finally, Hany Farid, one of the world's foremost deepfake experts,
has spent decades proving what's real online.
Now, he's no longer sure he can trust his own eyes.
Faced with a viral video allegedly showing a missile strike on an Iranian school,
Farid painstakingly analyzed shadows, sound delays, geolocation data,
and missile dimensions before concluding there was no evidence of manipulation.
Even then, he hesitated.
As AI-generated content floods the Internet,
Farid's job has shifted from finding rare fakes
to identifying increasingly elusive truths.
Deepfakes now mimic politicians, executives, victims,
and even Farid himself,
whose voice was cloned in an impersonation attempt.
He warns that creating convincing falsehoods
is cheap and instant,
while verification remains slow and labor-intensive,
often arriving after public opinion has already formed.
The strain has pushed Farid and his wife, vision scientist Emily Cooper, to relocate from Berkeley
to rural Vermont. There, between chopping firewood and seeking a little distance from Silicon
Valley's AI arms race, Farid hopes to reconnect with reality. The Internet, however, had other
plans. The requests kept arriving, each asking the same increasingly difficult question,
what exactly is real? With characteristic understatement, Farid's assessment for the near future
is simple. We're probably a little screwed. And that's the CyberWire. For links to all of today's
stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this
podcast, your feedback ensures we deliver the insights that keep you a step ahead in the rapidly
changing world of cybersecurity. If you like our show, please share a rating and review in your
favorite podcast app. Please also fill out the survey in the show notes or send an email to
Cyberwire at N2K.com. N2K's lead producer is Liz Stokes. We're mixed by Tré Hester with
original music and sound design by Elliott Peltzman. Our contributing host is Maria Varmazis. Our
executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
