A: From the CISO Series, it's Cybersecurity Headlines.
B: These are the cybersecurity headlines for Wednesday, Feb. 25, 2026. I'm Rich Stroffolino.

Threat actors break out in under 30 minutes
According to CrowdStrike's annual Global Threat Report, the average breakout time from initial network intrusion to movement to other systems fell to 29 minutes in 2025, 65% faster than last year. The fastest time seen was 27 seconds. Of these incidents, 82% didn't involve malware. Most exploited legitimate credentials or social engineering. But don't forget good old vulnerabilities: exploited zero days increased by 42%. Activity from nation state affiliated groups increased 266% year over year, with attacks attributed to North Korea up 130%. We have a link to the full report in our show notes. You should check it out.

Claude allegedly hit with distillation attacks
In a blog post, Anthropic claimed that three Chinese firms, DeepSeek, Moonshot and MiniMax, attempted to copy its Claude models using so-called distillation attacks. Model distillation, a technique in which a less proficient model is trained on the outputs of a more advanced one, isn't necessarily malicious; it is a legitimate technique. But this approach allegedly saw the firms engage in over 15 million exchanges with Claude using roughly 24,000 accounts. These distillation attacks weren't coordinated. Each firm was pursuing a different goal, like improving coding performance or reasoning capabilities. In response, Anthropic rolled out stronger account verification procedures, a more advanced detection system for API traffic, and a tool to detect chain-of-thought elicitation activity.

DeFi platform shutting down after crypto theft
Earlier this month, the decentralized finance platform Step Finance disclosed that on January 31, threat actors stole US$40 million from its treasury after compromising devices belonging to its executive team. After exploring every possible path forward, Step Finance announced it will shut down all operations by the end of the week, along with the associated projects, Solana Floor and the Remora Markets trading platform. The company is still working out details on a buyback program for Step coin and Remora token holders using about $4.7 million worth of recovered crypto assets.

UK fines Reddit for age check failings
The UK's Information Commissioner's Office, we know it as the ICO, fined Reddit £14.47 million after finding that from May 5, 2018 through July 8, 2025, it had processed the personal information of children under 13 unlawfully. In response to the fine, Reddit released a statement saying it didn't require users to share information about their identities, regardless of age, because "we are deeply committed to their privacy and safety." In July 2025, Reddit began age verification of users to comply with the UK's Online Safety Act. The ICO cautioned, though, that more action could be forthcoming, saying Reddit's account creation process made age declaration easy to bypass.

And now a huge thanks to our sponsor, Adaptive Security. This episode is brought to you by Adaptive Security, the first security awareness platform built to stop AI-powered social engineering. Picture a new hire who interviews well, except they're synthetic: AI video, AI voice, AI backstory. Once they're in, they go after payroll, internal docs and access. That's the new reality. The attack surface is trust itself. Adaptive fights back with realistic deepfake simulations and training that actually sticks. Learn more at adaptivesecurity.com.

Pentagon gives Grok the green light
A US Department of Defense official confirmed to Axios that xAI signed an agreement to allow the Pentagon to use its Grok model on classified systems. The agreement allows the Pentagon to use it for all lawful use, unlike Claude, which makes carve-outs preventing its use for autonomous weapons development and mass surveillance. Up until now, Anthropic's model was the only one cleared for classified use by the DoD. In related news, an Axios source says the DoD informed Anthropic CEO Dario Amodei that it had until February 27 to agree to similar unfettered access to its models, or it will either label the company a supply chain risk or invoke the Defense Production Act to force the company to offer a version tailored for military use.

Go maintainer decries GitHub's noise machine
Filippo Valsorda maintains the cryptography packages in the Go standard library and previously headed Google's Go security team. After publishing a security fix on GitHub, he saw GitHub's Dependabot tool send thousands of pull requests to unaffected repositories, generate a nonsensical CVSS score, and warn that a change to one line of rarely used code had a 27% chance of breaking existing code using it. Valsorda characterized Dependabot as both too noisy, with irrelevant alerts compared to things like static analysis tools or other vulnerability scanners, and insufficient, because it doesn't consider the impact of a flaw. He recommended that anyone using Go disable the feature, saying it reduces security by creating alert fatigue.

UAE stops attacks on critical infrastructure
The United Arab Emirates Cybersecurity Council released a statement saying it successfully thwarted organized cyberattacks "of a terrorist nature" that targeted the country's digital infrastructure and vital sectors in an attempt to destabilize the nation and disrupt essential services. Last week, a member of the Cybersecurity Council, Mohamed Hamad Al Kuwaiti, claimed that 70% of threat actors targeting the country were state sponsored. Since signing a cyber cooperation agreement with the US Treasury in 2023, the UAE has faced several attacks allegedly originating from Iran.

Lazarus Group expands the gaze of Medusa ransomware
Researchers from Symantec and Carbon Black noted that an unknown subgroup within the prolific North Korean operation has been using the Medusa ransomware-as-a-service platform for attacks in the Middle East and on several US healthcare organizations since November 2025. The average ransom demanded in these attacks against the US was $260,000. Tactics used in this campaign do align with previous operations by the Stonefly subgroup within Lazarus, also known as Andariel, but there's no reason to believe these are used exclusively. North Korea typically uses ransomware revenue to fund espionage operations.

CarGurus data leaked
The ShinyHunters extortion group published a 6.1 gigabyte trove of data with over 12 million records. They claim the data was stolen from the US auto platform CarGurus. This includes emails, IP addresses, financing applications and outcomes, and dealer account details. There has been no statement from CarGurus about this publication, but the data has been added to the Have I Been Pwned dataset, which found 3.7 million records were new to its service. No word on how it breached CarGurus, but of late ShinyHunters' primary tactic is voice phishing.

Hey, are you going to be in Central Florida next week? Then there's a good chance you can join us for a live CISO Series podcast recording. We'll be in Clearwater, Florida on March 3rd as part of the Convene conference, and then we'll be in Orlando on March 6th for Zero Trust World. For more information on how to join, and some discount codes to register for both events, head on over to our events page at cisoseries.com. And if you have some thoughts about the news from today or about the show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. Reporting for the CISO Series, I'm Rich Stroffolino, reminding you to have a super sparkly day.
A: Cybersecurity Headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Host: Rich Stroffolino
Podcast: CISO Series
Episode: Hacked in 30 minutes, Claude distillation, DeFi shutdown after attack
Date: February 25, 2026
This episode delivers a rapid-fire roundup of the latest pressing stories in the cybersecurity world, emphasizing faster threat actor operations, AI risks, continuing DeFi vulnerabilities, major privacy fines, ransomware developments, and heated discussions on open source security tooling. The host distills key data, quotes officials and researchers, and provides broader industry context—all in a newsy and direct tone.
[00:07 – 01:08]
“The fastest time seen was 27 seconds. Of these incidents, 82% didn't involve malware. Most exploited legitimate credentials or social engineering.” – Rich Stroffolino [00:30]
[01:09 – 02:13]
“These distillation attacks weren't coordinated. Each firm was pursuing a different goal…” – Rich Stroffolino [01:39]
[02:13 – 02:54]
“After exploring every possible path forward, Step Finance announced it will shut down all operations by the end of the week…” – Rich Stroffolino [02:31]
[02:55 – 03:41]
“Reddit's account creation process made age declaration easy to bypass.” – Rich Stroffolino [03:33]
[04:19 – 05:02]
“The agreement allows the Pentagon to use it for all lawful use, unlike Claude, which makes carve-outs preventing its use for autonomous weapons development and mass surveillance.” – Rich Stroffolino [04:35]
[05:03 – 05:48]
“He recommended that anyone using Go disable the feature, saying it reduces security by creating alert fatigue.” – Rich Stroffolino [05:46]
[05:49 – 06:13]
“70% of threat actors targeting the country were state sponsored.” – Rich Stroffolino [06:03]
[06:14 – 06:41]
“North Korea typically uses ransomware revenue to fund espionage operations.” – Rich Stroffolino [06:39]
[06:42 – 07:20]
“No word on how it breached CarGurus, but of late ShinyHunters' primary tactic is voice phishing.” – Rich Stroffolino [07:17]
This concise episode delivers fast-moving, actionable threat intelligence and commentary that reflects ongoing shifts in attacker strategies and the cyber risk landscape.