Podcast Summary: Cybersecurity Headlines – Feb. 25, 2026
Host: Rich Stroffolino
Podcast: CISO Series
Episode: Hacked in 30 minutes, Claude distillation, DeFi shutdown after attack
Date: February 25, 2026
Episode Overview
This episode delivers a rapid-fire roundup of the latest pressing stories in the cybersecurity world, emphasizing faster threat actor operations, AI risks, continuing DeFi vulnerabilities, major privacy fines, ransomware developments, and heated discussions on open source security tooling. The host distills key data, quotes officials and researchers, and provides broader industry context—all in a newsy and direct tone.
Key Stories & Discussion Points
1. Attacker Breakout Time Drops to 29 Minutes
[00:07 – 01:08]
- CrowdStrike’s Global Threat Report:
- The average “breakout time”—how fast attackers move from initial access to internal system expansion—dropped to a record 29 minutes in 2025, a 65% improvement (for the attackers) over the previous year.
- The fastest observed breakout was a jaw-dropping “27 seconds.”
- 82% of breakouts did not use malware, but relied on “legitimate credentials or social engineering.”
- Increase in “zero-day” exploits by 42%.
- Nation-state activity up 266%, with North Korean-attributed attacks increasing by 130%.
- Notable Quote:
“The fastest time seen was 27 seconds. Of these incidents, 82% didn't involve malware. Most exploited legitimate credentials or social engineering.” – Rich Stroffolino [00:30]
- Contextual Note:
CrowdStrike’s report is recommended for deeper dives into trends and statistics.
2. Alleged Model Distillation Attacks on Claude
[01:09 – 02:13]
- Anthropic’s Claim:
- Three Chinese firms (Deepseek, Moonshot, Minimax) reportedly attempted to copy Claude’s AI models via “distillation attacks.”
- Distillation is not inherently malicious but was used here for large-scale imitation—firms conducted over 15 million exchanges using 24,000 accounts.
- Each firm focused on distinct goals: coding, reasoning, etc.
- Anthropic’s Response:
- Rolled out stronger verification, improved traffic detection, and a new tool for “chain of thought elicitation.”
- Notable Quote:
“These distillation attacks weren't coordinated. Each firm was pursuing a different goal…” – Rich Stroffolino [01:39]
3. DeFi Platform Collapse Following $40M Theft
[02:13 – 02:54]
- Step Finance Breach:
- On Jan. 31, attackers stole $40 million after compromising devices of company execs.
- Step Finance to fully shut down operations, including Solana Floor and Remora Markets.
- Working on buyback program for token holders with ~$4.7 million in recovered assets.
- Notable Quote:
“After exploring every possible path forward, Step Finance announced it will shut down all operations by the end of the week…” – Rich Stroffolino [02:31]
4. ICO Fines Reddit £14M for Age Check Failings
[02:55 – 03:41]
- UK Information Commissioner's Office (ICO):
- Fined Reddit for processing personal data of children under 13 unlawfully (May 2018 – July 2025).
- Reddit’s defense: They don’t require identity info and are committed to privacy.
- Reddit started age verification in July 2025 to comply with the UK’s Online Safety Act.
- ICO warns more action is possible due to ease of bypassing Reddit’s age checks.
- Notable Quote:
“Reddit's account creation process made age declaration easy to bypass.” – Rich Stroffolino [03:33]
5. Pentagon Approves Grok AI for Classified Use
[04:19 – 05:02]
- Department of Defense & xAI:
- DoD greenlights the use of xAI’s Grok model for all lawful classified applications.
- Contrasts with restrictions imposed on Anthropic’s Claude (e.g., no use for autonomous weapons or surveillance).
- Anthropic given Feb. 27 deadline to allow similar Pentagon access or face being labeled a risk/sanctioned under the Defense Production Act.
- Notable Quote:
"The agreement allows the Pentagon to use it for all lawful use, unlike Claude, which makes carveouts, preventing its use for autonomous weapons development and mass surveillance." – Rich Stroffolino [04:35]
6. Go Maintainer Slams GitHub’s Dependabot
[05:03 – 05:48]
- Filippo Valsorda’s Critique:
- Dependabot flooded Go repositories with thousands of pull requests and “nonsensical” warnings after a minor security patch.
- Criticized for both over-alerting (“too noisy”) and being insufficient (“doesn't consider the impact of a flaw”).
- Argues this “alert fatigue” reduces real security; recommends disabling Dependabot for Go users.
- Notable Quote:
“He recommended for anyone using Go to disable the feature, saying it reduces security by creating alert fatigue.” – Rich Stroffolino [05:46]
7. UAE Thwarts State-Sponsored Attacks
[05:49 – 06:13]
- UAE Cybersecurity Council:
- Claims to have stopped coordinated attacks aimed at destabilizing the nation and disrupting critical services.
- Report: 70% of threat actors targeting UAE are state-sponsored, often linked to Iran.
- Post-2023 cyber cooperation agreement with US Treasury, attacks have surged.
- Notable Quote:
“70% of threat actors targeting the country were state sponsored.” – Rich Stroffolino [06:03]
8. Lazarus Group Deploys Ransomware in US Healthcare
[06:14 – 06:41]
- Medusa Ransomware Used by North Korean Subgroup:
- Attacks focused on Middle East entities and US healthcare since Nov. 2025.
- Average ransom: $260,000 per attack.
- Tactics linked to the group’s Stonefly subgroup, funding espionage operations via ransomware.
- Notable Quote:
“North Korea typically uses ransomware revenue to fund espionage operations.” – Rich Stroffolino [06:39]
9. CarGurus Data Breach Exposes 12M+ Records
[06:42 – 07:20]
- Shiny Hunters Extortion:
- Posted a 6.1GB database—emails, IPs, financing, and dealer details—from US auto site CarGurus.
- 3.7M records are new to Have I Been Pwned.
- Voice phishing suspected as initial vector.
- Notable Quote:
“No word on how it breached Cargurus, but of late Shiny Hunter's primary tactic is voice phishing.” – Rich Stroffolino [07:17]
Noteworthy Quotes & Moments
- On speed of attacks:
“The fastest time seen was 27 seconds. Of these incidents, 82% didn't involve malware.” [00:30] - On coordination in distillation attacks:
“These distillation attacks weren't coordinated. Each firm was pursuing a different goal…” [01:39] - On the future of AI incidents:
“That’s the new reality. The attack surface is trust itself.” – Sponsor message [03:54] (excluded from summary but contextually relevant) - On developer alert debacles:
“It reduces security by creating alert fatigue.” [05:46]
Timeline of Major Segments
- 00:07 – 01:08: Threat actor breakout speeds, report data
- 01:09 – 02:13: Claude AI model distillation attacks
- 02:13 – 02:54: DeFi theft and platform shutdown
- 02:55 – 03:41: Reddit fined for youth data privacy lapses
- 04:19 – 05:02: Pentagon access to xAI Grok
- 05:03 – 05:48: Go maintainer critiques GitHub’s Dependabot
- 05:49 – 06:13: UAE halts cyberattacks, state actor focus
- 06:14 – 06:41: Lazarus Group ransomware targeting US healthcare
- 06:42 – 07:20: CarGurus data breached; voice phishing angle
Takeaways
- Attack velocity is surging—defenders must adapt to “seconds not hours” threats.
- AI and model security are critical emergent concerns, with industrial-scale efforts at model cloning surfacing.
- Decentralized finance remains highly vulnerable to executive-level compromise and catastrophic losses.
- Regulatory bodies are tightening the screws on age verification and privacy compliance.
- Open source security tools risk overwhelming devs, leading to calls for more targeted tooling.
- State-sponsored and ransomware threats are blending, shaking up global geopolitics and the healthcare sector.
- Social engineering and credential attacks remain major pathways, even without malware.
This concise episode delivers fast-moving, actionable threat intelligence and commentary that reflects ongoing shifts in attacker strategies and the cyber risk landscape.