CyberWire Daily - The Grok that broke the camel’s back.
Episode Date: July 15, 2025

A DOGE employee leaks private API keys to GitHub. North Korea’s “Contagious Interview” campaign has a new malware loader. A New Jersey diagnostic lab suffers a ransomware attack. A top-grossing dark web marketplace goes dark in what experts believe is an exit scam. MITRE launches a cybersecurity framework to address threats in cryptocurrency and digital financial systems. Experts fear steep budget cuts and layoffs under the Trump administration may undermine cybersecurity information sharing. A Maryland IT contractor settles federal allegations of cyber fraud. Kim Jones and Ethan Cook reflect on CISO Perspectives. A crypto hacker goes hero and gets a hefty reward.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you’ll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Today Kim Jones, host of CISO Perspectives, sits down with N2K’s analyst Ethan Cook to reflect on highlights from this season of CISO Perspectives. They revisit key moments, discuss recurring themes like the cybersecurity workforce gap, and get Ethan’s outsider take on the conversations. It’s all part of a special wrap-up to close out the season finale. If you like this conversation and want to hear more from CISO Perspectives, check it out here.

Selected Reading
DOGE Employee exposes AI API Keys in source code, giving access to advanced xAI models (Beyond Machines)
DOGE Denizen Marko Elez Leaked API Key for xAI (Krebs on Security)
North Korean Actors Expand Contagious Interview Campaign with New Malware Loader (Infosecurity Magazine)
Avantic Medical Lab hit by ransomware attack, data breach (Beyond Machines)
Abacus Market Shutters After Exit Scam, Say Experts (Infosecurity Magazine)
MITRE Unveils AADAPT Framework to Tackle Cryptocurrency Threats (SecurityWeek)
How Trump's Cyber Cuts Dismantle Federal Information Sharing (BankInfo Security)
UK launches vulnerability research program for external experts (Bleeping Computer)
Federal IT contractor to pay $14.75 million fine over ‘cyber fraud’ allegations (The Record)
Crypto Hacker Who Drained $42,000,000 From GMX Goes White Hat, Returns Funds in Exchange for $5,000,000 Bounty (The Daily Hodl)

Audience Survey
Complete our annual audience survey before August 31.

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at cyberwire@n2k.com to request more info.

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc.
Transcript
You're listening to the CyberWire Network powered by N2K.
Crogl is AI built for the enterprise SOC.
Fully private, schema-free, and capable of running in sensitive air-gapped environments,
Crogl autonomously investigates thousands of alerts weekly, correlating insights across your tools without data leaving your perimeter.
Designed for high availability across geographies, it delivers context-aware, auditable decisions aligned to your workflows.
Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive triage with intelligent automation to help your SOC
operate at scale with precision and control.
Learn more at Crogl.com.
That's C-R-O-G-L dot com.
A DOGE employee leaks private API keys to GitHub.
North Korea's contagious interview campaign has a new malware loader.
A New Jersey diagnostic lab suffers a ransomware attack.
A top-grossing dark web marketplace goes dark in what experts believe is an exit scam.
MITRE launches a cybersecurity framework to address threats in cryptocurrency and digital
financial systems.
Experts fear steep budget cuts and layoffs under the Trump administration may undermine
cybersecurity information sharing.
A Maryland IT contractor settles federal allegations of cyber fraud.
Kim Jones and Ethan Cook reflect on CISO perspectives,
and a crypto hacker goes hero and gets a hefty reward.
It's Tuesday, July 15th, 2025.
I'm Dave Bittner and this is your CyberWire Intel Briefing.
Thanks for joining us here today.
It is great as always to have you with us.
Marko Elez, a 25-year-old employee at the Department of Government Efficiency, accidentally
leaked a private API key to xAI's language models by posting it on GitHub. This key granted access to 52 LLMs, including
xAI's latest Grok 4. GitGuardian flagged the breach, but the key remains active.
According to Krebs on Security, Elez, who has access to multiple sensitive
government databases, has a history of security violations and controversial behavior, including past
unencrypted data transmissions.
Despite this, he was reinstated after lobbying from Vice President J.D. Vance and has continued
moving through federal agencies.
This marks the second such xAI leak by a DOGE employee, raising concerns about systemic
security failures and poor oversight within DOGE.
North Korean threat actors behind the Contagious Interview campaign have escalated their efforts
with a new malware loader called XORIndex, Socket researchers report.
Downloaded over 9,000 times since June, XORIndex targets developers, job seekers, and
crypto holders.
It's embedded in 28 malicious npm packages used to gather host data and deploy BeaverTail,
which steals crypto wallet data.
Some packages also deploy HexEval, an earlier malware loader with over 8,000 downloads.
In total, 67 malicious npm packages tied to the campaign have been downloaded more than
17,000 times, with 27 still active.
The campaign, linked to North Korea's Lazarus Group, uses fake job offers and tools to trick
users into installing malware.
Socket has requested takedowns and account suspensions, warning of ongoing
loader reuse and evolving obfuscation tactics.
Avantic Medical Lab, a New Jersey-based diagnostic firm, suffered a ransomware
attack and data breach by the Everest group.
On July 3, 31 gigabytes of sensitive patient data was leaked after the lab failed to engage
with the attackers.
The breach, first signaled on June 10, exposed data from 2018 through 2023, including medical
records, Social Security numbers, insurance details, and credit card information. Avantic has not yet notified patients. Those possibly
affected should monitor accounts and consider credit protection steps.
Abacus Market, once the top-grossing dark web marketplace in the West, has gone
offline in what experts believe is an exit scam.
Users began reporting withdrawal issues in late June, a common sign of admins
disappearing with user funds. Though site admin Vito blamed DDoS attacks and a
surge in users from the shuttered Archetyp marketplace, skepticism
remained. TRM Labs suggests Vito likely exited to avoid law enforcement, especially after Archetyp's
takedown.
Abacus had been operating for four years, selling drugs, cybercrime tools, and counterfeit
goods, with revenue surging 183% in 2024.
Experts say law enforcement now focuses more on arresting vendors than shutting down marketplaces
as vendor arrests have a broader and longer-lasting impact across the dark web ecosystem.
MITRE has launched AADAPT, a cybersecurity framework to address threats in cryptocurrency
and digital financial systems.
Modeled after MITRE ATT&CK, AADAPT helps developers, financial institutions, and policymakers identify and counter risks like phishing, ransomware, and double spending. Built from
input by over 150 experts, it maps real-world adversary tactics targeting digital assets.
AADAPT offers tools for threat emulation, detection, and security assessments.
It aims to support organizations, especially those with limited resources,
in securing digital payment technologies and building trust in this evolving sector.
Cybersecurity experts warn that steep budget cuts and layoffs under the Trump administration
have severely undermined federal cybersecurity and information sharing, BankInfoSecurity
reports.
Nearly one-third of the Cybersecurity and Infrastructure Security Agency workforce has
been cut, and key threat-sharing programs have been defunded.
This has led to a sharp drop in public-private collaboration, leaving critical infrastructure
more vulnerable to attacks.
Programs like the National Vulnerability Database and Common Vulnerabilities and Exposures are
facing backlogs and funding threats, raising global concerns about vulnerability management. Experts say political pressure has silenced federal cyber teams,
stalled proactive responses, and fractured communication
with the private sector. With major layoffs at agencies
like the State Department and the possible expiration of key cybersecurity
laws, many fear U.S. cyber defenses are weakening
at a critical time.
Meanwhile, the UK's National Cyber Security Centre has launched the Vulnerability Research
Initiative to collaborate with external cybersecurity researchers.
The initiative aims to enhance the UK's ability to identify and address software and hardware
vulnerabilities by partnering with skilled experts.
Researchers will assess targeted products, test mitigations, and disclose findings via the NCSC's equities process.
The VRI complements the NCSC's internal efforts and will help build a best-practice framework for vulnerability research,
including in emerging areas like
AI-powered discovery.
Maryland-based IT contractor Hill Associates has agreed to pay $14.75 million to settle
allegations of contract violations with federal agencies.
The company was accused of billing for underqualified personnel, unauthorized cybersecurity services,
unapproved fees, and inflated overhead costs.
These actions allegedly breached contracts with the Department of Justice and Treasury
between 2018 and 2023.
The settlement, brought under the False Claims Act, includes an additional payment of 2.5%
of Hill's annual revenue over $18.8 million through 2030.
The Department of Justice emphasized accountability for IT contractors who fail to meet cybersecurity
and billing standards.
Hill Associates did not admit liability and has not publicly responded. This is the latest in a series of False Claims Act settlements involving contractors accused of cybersecurity-related fraud.
Coming up after the break, Kim Jones and Ethan Cook reflect on CISO Perspectives, and a crypto
hacker goes hero and gets a hefty reward.
Stay with us.
Hey everybody, Dave here.
I've talked about DeleteMe before, and I'm still using it because it still works.
It's been a few months now and I'm just as impressed today as I was when I signed
up.
DeleteMe keeps finding and removing my personal information from data broker sites, and they
keep me updated with detailed reports so I know exactly what's been taken down.
I'm genuinely relieved knowing my privacy isn't something I have to worry about every
day.
The DeleteMe team handles everything.
It's the set-it-and-forget-it peace of mind.
And it's not just for individuals.
DeleteMe also offers solutions for
businesses, helping companies protect their employees' personal information and reduce
exposure to social engineering and phishing threats. And right now, our listeners get a
special deal, 20% off your DeleteMe plan. Just go to joindeleteme.com slash n2k and use promo code n2k at checkout.
That's joindeleteme.com slash n2k, code n2k.
Did you know Active Directory is targeted in 9 out of 10 cyber attacks?
Once attackers get in, they can take control of your entire network.
That's why Semperis created Purple Knight, the free security assessment tool that scans your Active Directory for hundreds of vulnerabilities and shows you how to fix them.
Join thousands of IT pros using Purple Knight to stay ahead
of threats. Download it now at semperis.com slash purple-knight. That's semperis.com slash
purple-knight.
Kim Jones, host of CISO Perspectives, and Ethan Cook, our N2K analyst, recently sat
down to reflect on highlights from this season of CISO Perspectives.
They revisit key moments, discuss recurring themes like the cybersecurity workforce gap,
and get Ethan's outsider take on the conversations.
So you and I came together and met as you were doing the production work and the uplift
work and the editorial work on this podcast.
What was your exposure to cybersecurity prior to taking on this role?
So traditionally, little to none.
I graduated from college and it had literally nothing
to do with cyber.
And as we've kind of found throughout the show,
everyone seems to find a stumble of a way into cyber.
And so I would say I have an understanding,
not a technical understanding, but an understanding.
Cool.
That's one of the reasons I wanted you to do the season wrap up with me because you
will be as close to having a non-biased tabula rasa view on the topic and the things you've
heard, et cetera.
So let's take a look regarding the theme of the cyber talent ecosystem as a whole. Given what you have heard, read, researched, because you run my blog,
what are your thoughts regarding the ecosystem as a whole
before we start deep diving on different portions of it, Ethan?
Yeah. So, taking a step back and looking at it from a zoomed out view,
I would say the first thing of my observations is fear.
There's a lot of fear in the ecosystem right now where it feels that people are unwilling to take a risk.
So first observation I would say is fear.
The second observation that I would say is opportunity.
While there was a lot of talk throughout the season of, wow, this is a problem, that's a problem,
none of it ever came away with,
this is an unsolvable problem,
or this is something we can't fix,
or we can't address, or we can't do something about.
So yeah, you're going to double click
on a couple of those things.
So let's start with the fear aspect,
and in terms of how it relates to talents.
And you talked a little bit regarding a lack of desire
to accept the possibility where a mistake could be made.
So back in episode 11, we brought in Ed Vasco,
CEO, serial entrepreneur, and he talked a lot regarding that last component that seems to be missing as we're upskilling
people, and that is practical skills and real-world experience within the environment.
Just like in medical, in medical space, we have training hospitals.
We have training programs that not all hospitals, not all doctors' offices accept residents,
you know, accept residencies.
There are a select number and it's by that selection process that the industry within
the medical program gets moved forward.
So there's this self-selection. Most of these teaching hospitals are attached to a university.
They combine the academic program and the experiential learning program. So I took the
same kind of metaphor, same know, same sort of alignments
and said, well, the benefit I have here is that I'm attached into a university. They've
given me the opportunity to build these kinds of platforms. Let's say, you know, in your
experience as an operational cyber leader, would you be willing to allow early career
professionals that opportunity to come
into a commercial SOC or into an operational SOC like you've run and
have.
Consequence.
One of the things that I also felt from the season is you're right.
Everybody wants that level of experience, but there's still that reluctance
to create the mechanisms that allow people that experience.
Absolutely.
There's the reluctance to, okay, that's great. We need you to get experience somewhere, but
you first. So let's double click on the other piece that you said regarding the opportunity.
And I see you're right in terms of that this is something that nobody has thrown up their
hands and said it can't be done, which is great.
But it seems to me that the nature of that opportunity is still ill-defined.
And where I'm going back to is Will Markow's episode
where he talked about the data regarding
what is the nature of the cyber opportunity out there
and the openings that are out there.
You want to talk to me a little bit about that one?
Yeah, for those who hadn't heard that episode,
Will Markow came on and talked about CyberSeek data.
And one of the things that I thought was just super illuminating about that conversation
was how people are misusing CyberSeek data.
I have heard so many people at very high levels of the federal government and other places
misuse the data.
What that number actually is, is that's how many unique job openings we saw over the
past 12 months, which were unique online. It also isn't just what we think of as core
cybersecurity workers. We're also looking at the network administrators who are responsible
for cyber within an SMB or other IT professionals,
or even some cases, maybe even non-IT professionals who still have a significant
security component to what they do. When I think back to Will's episode,
something that really stuck out to me was his quote surrounding entry-level jobs.
When we looked at this, we found that for every 100 entry-level jobs,
we had 110 entry-level workers vying for that.
That means that we actually had about 35,000 more entry-level individuals
looking for cybersecurity jobs than we actually had entry-level cybersecurity jobs that they could
fill.
I will take it a step further.
There's another piece there regarding not just what he said about data, but in terms
of how the world, the industry, the world, business, et cetera, is looking at and is
hiring cyber professionals within the environment.
I call it hiring for mercenaries, not missionaries.
You go after the mercenary who has the best resume, they look the best on paper, maybe
they went to some fancy school, they got some fancy certifications, they look amazing on
paper.
Problem is, you want to hire them?
So do all of your 20 biggest competitors.
And you are going to be in a bloodbath for talent,
if this is what you do.
So shifting gears again,
I think part of some of the things we've heard
centered around what makes a good cybersecurity professional.
You talked about putting structures like maybe legal around things, et cetera, within the
environment. But one of the conversations that came up several times was the focus of
episode two was, are we a trade or are we a profession? Want to dig into that a little bit, Ethan?
Yeah, this is a conversation that came out routinely
throughout the season.
And it was something that I grappled with because, you know,
when I first saw the statement, my first thought was,
as an outsider, was why does it matter?
Right?
I then dug into the conversation and dove into it more
and got into the nitty gritty details
and understood the cost and benefit of both.
And I really liked both Larry's, who was in episode two, and Ed's characterization of
the two with Larry arguing that it transforms midway through.
I've actually given some thought to that simply because, and I'm gonna say, I think we're both.
I think we're both because of a couple of factors.
When you think about the entry-level components, right?
The entry-level component of getting into cyber
is very trade adjacent, right?
It's not about certifications, it's not about degrees,
it's about skills, which is why we
say you can come out of high school and do this.
Because if you create or foster certain skills on your own in high school, you can technically
come into a cyber role and become proficient in the way that an organization needs you
and go execute.
So at that level, I see it akin to a trade.
And then Ed arguing or stating that he believes that we're a profession with
technical components.
I lean towards the idea that I lean.
I expect that we are a profession that has technical representation.
We have an opportunity to ensure that the pathways we create allow for people of not diverse background, but diverse skills to engage in this field and achieve certain kinds
of milestones at a career level.
If we don't treat ourselves in a profession that has technical orientation, then we'll
ultimately be relegated into a position that doesn't have business orientation, that
doesn't have all the other things that we talked about for years.
Between the two of them, and I think they hit the nail on the head, is that we are a
profession.
Cyber is a profession and we have to treat it as one.
But that doesn't mean we just ignore the technical aspects and just blindly tune
those off and put our blinders on and pretend like those aren't there. Those are a reality
that we should acknowledge and build in to our systems.
Similar to how other professions that have a technical system, maybe not technical in
terms of technology, but technical aspects of them, they have a defined pathway that goes through it in a logical progression system, but they still
have professional elements guiding the whole process.
So what is the one thing that we haven't talked about that you want to make sure that we talk
about, that we mention, et cetera, before we close this off?
Yeah. So, as I look at this problem,
problems that are related to this system,
is this has been an issue that I have heard about
since I've entered several years ago,
and it doesn't seem like we're any closer to solving.
It seems like we're, if anything, further away from solving.
There needs to be, especially in the absence of and the decline of certain things like
CISA's programs or some of these things that are happening right now,
there needs to be more industry leaders.
I think one of the best quotes that you had, Kim, was when you talked about the first person
to do it, it's always hard.
When I talk to young or aspiring cyber professionals, I often hear that they're reluctant to apply
for a position in a company because there's no one already there like them.
Every time someone says this to me, my answer is the same.
How the hell is it going to get any better if you don't show up?
Folks being the first at anything is hard.
But if no one steps up to be the first person, nothing ever changes.
Worse, you provide individuals in that company the excuse to keep their hiring practices
unchanged, since they can't find underserved candidates to apply.
The world doesn't change through complaining.
It changes through direct action.
Be the courageous hero.
If there's no role model, become one.
Show up.
And while you were referencing diversity
in that conversation, I think that applies
to just about everything in life, which is it's never easy to be the person to say, I'm going to solve the
talent gap. I think the better way and the thing is getting people together as CISOs, as industry
leaders to come together and actually make progress and not do the same thing that we've already been doing for 10, 15 years, right?
But if it matters and if you're passionate about this
and from everyone that I have talked to throughout this season
and from the people that I've heard over the years,
cyber is one of those industries where people are nothing
if not passionate about this industry.
Amen.
Then if you're passionate about this
and you're doing it for the right reasons,
then yes, while it is exhausting and tiring,
it is worthwhile and gives tangible value,
not just to yourself, not to just your organization,
not to just the neighboring organization,
but to the people who are coming in the next 10 years,
the people who your customers,
who you are guarding their information
or who you are protecting their financials, et cetera,
whatever your industry may be, they're valued as outside of just oh I've gotten a paycheck raise or
oh my industry or my job is secure for another two months or whatever it may be.
That was Kim Jones, host of CISO Perspectives, in conversation with N2K's Ethan Cook.
If you enjoyed their discussion and want full access to the entire season and their full
conversation, become a Pro member to unlock every episode.
You hear from us here at the CyberWire Daily every single day.
Now we'd love to hear from you.
Your voice can help shape the future of N2K networks.
Tell us what matters most to you by completing our annual audience survey.
Your insights help us grow to better meet your needs.
There's a link to the survey in our show notes.
We're collecting your comments through August 31st.
Thanks.
We've all been there. You realize your business needs to hire someone yesterday.
How can you find amazing candidates fast? Well, it's easy. Just use Indeed. When it
comes to hiring, Indeed is all you need. Stop struggling to get your
job post noticed. Indeed's Sponsored Jobs helps you stand out and hire fast. Your post
jumps to the top of search results so the right candidates see it first. And it works.
Sponsored jobs on Indeed get 45% more applications than non-sponsored ones. One of the things I love about Indeed is how fast it makes hiring.
And yes, we do actually use Indeed for hiring here at N2K Cyberwire.
Many of my colleagues here came to us through Indeed.
Plus, with sponsored jobs, there are no subscriptions, no long-term contracts.
You only pay for results.
How fast is Indeed? Oh, in the minute or so that I've been talking to you, 23 hires were made on Indeed, according
to Indeed data worldwide.
There's no need to wait any longer.
Speed up your hiring right now with Indeed.
And listeners to this show will get a $75 sponsored job credit to get your jobs more
visibility at indeed.com slash cyberwire.
Just go to indeed.com slash cyberwire right now and support our show by saying you heard about Indeed on this podcast.
indeed.com slash cyberwire. Terms and conditions apply.
Hiring? Indeed is all you need.
Crogl is AI built for the enterprise SOC. Fully private, schema-free, and capable of running in sensitive, air-gapped environments,
Crogl autonomously investigates thousands of alerts weekly,
correlating insights across
your tools without data leaving your perimeter.
Designed for high availability across geographies, it delivers context-aware, auditable decisions
aligned to your workflows.
Crogl empowers analysts to act faster and focus on critical threats, replacing repetitive
triage with intelligent automation to help your SOC operate
at scale with precision and control.
Learn more at Crogl.com.
That's C-R-O-G-L dot com.
And finally, in the crypto world's latest twist of irony, a hacker who nabbed $42 million
from GMX's Arbitrum-based liquidity pool has decided to turn white hat, returning the
loot in exchange for a $5 million thank-you bounty. The re-entrancy attack, a classic smart contract exploit, allowed the attacker to siphon funds
before the system caught up, but rather than vanish into digital obscurity, the hacker
opted for the Robin Hood meets Venmo route: keep a cut, send the rest back. GMX now has the funds secured in its multisig wallet and is crafting a plan for redistribution.
Meanwhile, GMX's token surged over 18% because apparently there's nothing like a good old-fashioned
heist-turned-refund to rally the market.
And that's the CyberWire.
For links to all of today's stories, check out our daily briefing at the cyberwire.com.
We'd love to hear from you.
We're conducting our annual audience survey to learn more about our listeners.
We're collecting your insights through the end of August.
There's a link in the show notes.
Please do check it out.
N2K's senior producer is Alice Carruth.
Our Cyberwire producer is Liz Stokes.
We're mixed by Trey Hester with original music by Elliot Peltzman.
Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner.
Thanks for listening. We'll see you back here tomorrow.
Buying more tools won't make you more secure.
Continually training your people will.
In this episode, CloudRange co-founder and CEO,
Debbie Gordon, shares how real-world simulations
are transforming readiness in 2025.
Because your last line of defense isn't software,
it's your team.
Tune in now, your stack depends on it.
Hi, Kim Jones here.
On CISO Perspectives we get candid with the thinkers, doers, and trailblazers shaping
cybersecurity leadership.
No scripts, no sales pitches.
Just real stories and hard-earned lessons from folks who've been there.
If you're looking to grow as a leader, or just want to hear how others are navigating this ever-evolving field,
listen to CISO Perspectives.
It's your seat at the table.