Transcript
A (0:00)
Cybersecurity Today, we'd like to thank Meter for their support in bringing you this podcast. Meter delivers a complete networking stack, wired, wireless and cellular, in one integrated solution that's built for performance and scale. You can find them at meter.com CST.
B (0:19)
North Korea pulls off a quarter-billion-dollar heist on April Fool's Day. Iran's wiper attack on Stryker is finally cleaned up. Chinese hack of FBI surveillance system declared a major incident, and things continue to get worse for an embattled compliance startup. This is Cybersecurity Today and I'm your host, David Shipley, coming to you back from my hometown in Fredericton after my epic Pacific road trip over the last two weeks. Let's get started on the news. A major cryptocurrency heist pulled off on April Fool's Day turned out to be no joke, and investigators say North Korea is likely behind it. Hackers stole $285 million from a crypto trading platform called Drift Protocol in just 12 minutes. That makes it the biggest crypto hack of 2026 so far. The attackers spent nearly three weeks setting up the crime before they stole a single dollar. They started by creating a completely fake cryptocurrency called CarbonVote Token. They manufactured 750 million of these tokens, then traded them back and forth between their own accounts to make it look like the coin had real value, about $1 each. The platform's automated price tracking systems were fooled into treating it as legitimate. This is a classic wash trading scam applied to crypto. And it's worth noting North Korea is far from the only bad actor engaged in this kind of activity, with the US Department of Justice announcing charges on March 30 for 10 individuals allegedly engaged in the same kinds of fraudulent activity. At the same time as doing the wash trading, the hackers used social engineering to trick people who had signing authority over Drift's security systems. They got those insiders to pre-approve transactions that looked routine but were actually hidden backdoors. On top of that, Drift had quietly removed a key safety feature called a time lock just days before the attack. A time lock creates a waiting period before major system changes take effect, giving the team time to catch something suspicious. 
Without it, the door was wide open. When April 1 came, the attackers moved fast. They listed their token as collateral, borrowed hundreds of millions of dollars in real assets against it, and executed 31 withdrawal transactions in 12 minutes. Then they moved the money to a different blockchain within hours to start covering their tracks. Drift's token lost more than 40% of its value. The platform shut down withdrawals, and investigators at blockchain intelligence firm TRM Labs are now tracking the stolen funds across multiple blockchains. It's a strong start for North Korea for 2026 after a banner year stealing $2.5 billion in crypto in 2025. By the end of 2025, North Korea's grand total of cryptocurrency theft stood at $6.7 billion. This theft pushes them past $7 billion stolen. News of the Drift attack followed North Korea's stunning and massive supply chain attack against the open source package Axios, which is downloaded nearly 100 million times a week. Axios is heavily used around the web, including in the React framework, and was part of the breach of Cisco's code repository last week. North Korea's aim in that attack was also financial and highly targeted at cryptocurrency. While the cyber world was bracing for Iran-war-linked cyber activity, North Korea just kept doing its thing, stealing crypto. Speaking of the Iran war and related cyber, here's a piece of good news. Last week, Stryker Medical announced it had fully recovered from a devastating March 11 wiper attack. The company announced it had fully restored operations across its global manufacturing network about three weeks after a devastating attack nearly wiped out its entire digital infrastructure. Here's a quick reminder and recap of what happened. In mid-March, a hacking group linked to Iran called Handala broke into Stryker's systems, claimed to have stolen 50 terabytes of data and then wiped nearly 80,000 devices in a single morning. 
Stryker makes everything from surgical equipment to neurotechnology and employs more than 53,000 people worldwide. The attackers got in by compromising an administrative account. Essentially, they stole the master key to Stryker's network and then created their own backdoor account to carry out the damage. A key part of the damage that was done is that the attackers used Microsoft Intune, a cloud-based device management platform, to wipe the devices and only needed a single administrator to approve that wipe. Microsoft has since published guidance on how organizations should set up multi-admin approval for device wiping, as that is not the default setting. Since the breach, investigators also found a malicious file that hackers left behind to hide their tracks while they were inside the network. That piece wasn't discovered until after the initial cleanup was well underway. The good news here is that Stryker says production is moving quickly towards full capacity and product supply for hospitals and patients remained largely intact through the recovery. The hack, however, wasn't without suffering, as we covered earlier in March, with some specialized equipment delayed and causing canceled or rescheduled surgeries for a number of patients. The full financial impact of the attack on Stryker, a $25 billion a year revenue company, will likely start to be revealed at the end of April when the company reports its Q1 results. Of course, with North Korea and Iran getting lots of attention, it appears China didn't want to be left out of the headlines either. The FBI is sounding the alarm over what it's calling a major cyber attack, and China is the suspected culprit. Federal investigators say hackers linked to China broke into a US government surveillance system and stole sensitive law enforcement data. 
The FBI has now officially classified it as a major incident, a designation reserved for breaches serious enough to cause real harm to national security, foreign relations or the rights of American citizens. The FBI first detected the intrusion on February 17 and notified Congress in early March. The attack looks eerily similar to a previous Chinese hacking campaign called Salt Typhoon, which made headlines in 2024 when it penetrated eight major American telecom companies, including their systems for court-ordered wiretaps. That campaign is considered one of the largest intelligence breaches in American history. This new attack suggests China hasn't slowed down despite the global attention Salt Typhoon generated and despite diplomatic efforts to ease tension between Washington and Beijing ahead of a planned presidential visit to China next month. A former senior US cybersecurity official put it bluntly, saying China's hackers are continuing their operations with what amounts to impunity and showing no signs of being deterred. Senator Mark Warner of Virginia, the vice chair of the Senate Intelligence Committee, connected this breach to a pattern he says is becoming impossible to ignore, pointing to the past activities of Salt Typhoon, the recent Stryker attack by Iran, and now this new FBI incident as evidence that adversaries are actively hunting for weaknesses and they are having success in finding them. Warner also warned that deep cuts to cybersecurity staff across the US federal government are making the problem worse at exactly the wrong time. The Cybersecurity and Infrastructure Security Agency hasn't just been hit due to staffing cuts. It's also suffered a leadership crisis with the departure of its acting director amidst a series of controversies, followed by the departure of a well-respected CIO. The news also follows decisions by US telecommunications regulators to ease security requirements placed on US telecoms after the 2024 Salt Typhoon breaches. 
All of this matters. Cyber doesn't exist in a policy vacuum, and politics impacts both policy and resourcing for agencies such as CISA. And it's clear that nation states hostile to the United States are making the most of the chaotic current environment. The bad headlines keep on rolling in for embattled compliance startup Delve. We've been following the collapse of this startup for several weeks now, and TechCrunch is reporting the story has taken another serious turn, this time involving allegations of stolen software. First, a quick recap. Delve is a San Francisco-based startup valued at around $300 million that sold a service promising to help other companies prove they met cybersecurity and privacy regulations. An anonymous whistleblower calling themselves Deep Delver began publishing allegations last month, claiming Delve was essentially faking those compliance certifications, auto-generating reports and using auditing firms that rubber-stamp results without doing the real work. Delve has consistently denied those claims. Now there's a new allegation on top of that, and this one has a particular sting to it. Deep Delver claims that Delve was pitching a software tool it called Pathways to potential customers, presenting it as something the company built itself. The whistleblower, who says they were one of those potential customers, says they recognized Pathways as looking nearly identical to an open source tool called Sim Studio, built by a company called Sim AI. When they asked Delve directly if Pathways was based on Sim Studio, Delve allegedly said no, that they had built it themselves. Deep Delver then published what they say is evidence that Pathways was actually a fork of Sim Studio, changed just enough to look like an original. If that's true, it would be a violation of the Apache open source license, which is free to use but requires the original developer to be properly credited. Now here's where things get genuinely awkward. 
Sim AI was actually a Delve customer. Both companies came out of the same startup accelerator, Y Combinator, where alumni routinely support each other's businesses. So Sim AI was paying Delve for its compliance service. Delve, according to Sim AI's founder, had no license agreement with Sim AI whatsoever. Sim AI's founder and CEO told TechCrunch his company knew Delve planned to use their tool for something, and that Delve had later tried to negotiate a deal but never reached one. He said he had no idea Delve intended to sell it as a standalone product of their own. He also told TechCrunch that after initially expressing sympathy for Delve when the first allegations dropped, he and the Delve founders haven't spoken since he learned about the Pathways claims. Delve built its entire business on selling compliance to other companies. It now faces allegations that it violated a software license, which itself is a compliance failure. Pages related to the Pathways tool have since disappeared from Delve's website, along with a number of other pages. Delve did not respond to TechCrunch's request for comment, and the media contact address on its website is no longer functioning. As for Delve's major backer, the venture capital firm Insight Partners, which led a $32 million investment in the company, its blog post explaining that investment was briefly pulled from the web, and its LinkedIn post about the deal has not been restored. Delve's founders are fighting back hard against all of these allegations. Inc.com is reporting that CEO Karun Kaushik and COO Celine Cochlear posted a video statement this week denying the fraud allegations outright. They say they hired two independent cybersecurity forensic firms to investigate, and that both concluded that a malicious actor, not a genuine whistleblower, purchased a Delve account, stole sensitive internal data, and launched what they're calling a coordinated smear campaign against the company. 
Kaushik acknowledged that the company grew too fast and fell short of its own standards. He apologized to customers for the disruption, but he has been firm that Delve did not defraud anyone. The founders described the whistleblower's allegations as a mix of fabricated claims and selectively chosen screenshots and data, taken completely out of context. Despite that defense, it seems Y Combinator wasn't convinced. The prestigious startup accelerator officially cut ties with Delve over the weekend, removing the company from its directory and revoking what's known as the YC seal of approval. YC's president said simply that trust within the founder community is foundational and when that trust breaks down, there's only one pathway forward. That's Cybersecurity Today for Tuesday, April 7, 2026. We had a lot to cover after the Easter holiday break. Thanks for listening, and thank you to everyone who has left a rating or review, or subscribed or shared the show with others. On Monday, we were in the top 10 for tech news on Apple Podcasts in Canada, the United States, the United Kingdom, Saudi Arabia, Poland, Indonesia, Africa, the United Arab Emirates and Norway, according to Refonik. Thanks so much for all your help achieving that. Have a great week. I'll be back on Thursday with the latest headlines.
