CyberWire Daily – January 12, 2026
Episode Title: A picture worth a thousand breaches
Host: Dave Bittner, N2K Networks
Featured Guest: Sasha Ingber, Host of the International Spy Museum’s Spycast Podcast
Episode Overview
This episode of CyberWire Daily delivers a comprehensive cybersecurity news roundup with updates on recent global incidents, major vulnerabilities, and the evolving threat landscape. The centerpiece of the episode is an in-depth interview with Sasha Ingber, host of Spycast, highlighting the podcast’s return to the N2K CyberWire network, its unique focus on espionage, and what listeners can expect in its 20th year. The episode closes with a quirky story of a commuter who hacked his own electric scooter, providing a lesson about default cryptographic keys.
Key News Segments & Analysis
Kimsuky "Quishing" Campaign & QR Code Attacks
[02:48 – 04:24]
- The FBI warns that the North Korean-linked advanced persistent threat (APT) group Kimsuky is conducting spear-phishing campaigns using malicious QR codes (“quishing”) to target governments, think tanks, and academic institutions.
- Emails embed QR codes that, when scanned, bypass traditional security tools and redirect victims through attacker-controlled infrastructure.
- Fake login pages mimic platforms like Microsoft 365 and Google to steal credentials and session tokens, allowing attackers to bypass MFA.
- Security Guidance: The FBI recommends layered defenses, including user training, stronger mobile security, and phishing-resistant authentication.
“The codes redirect victims through attacker-controlled infrastructure that profiles devices and presents mobile-optimized fake login pages impersonating services like Microsoft 365, Google or VPN portals.” (Dave Bittner, 03:09)
Critical Advantech IoT Vulnerabilities
[04:24 – 04:50]
- Singapore issues a warning about a critical SQL injection flaw in Advantech IoT management platforms.
- The vulnerability allows unauthenticated attackers to execute database commands and achieve remote code execution.
- Immediate patching is urged, as some fixes require direct coordination with customers.
Russia’s Fancy Bear Targets Energy & Defense
[04:50 – 05:49]
- Recorded Future highlights that Russian APT28 (Fancy Bear) is running credential harvesting campaigns targeting organizations in energy research, defense, and government.
- Tactics include phishing sites mimicking email and VPN portals, PDF lures, and substantial use of free hosting/tunneling services to evade attribution.
- The activity is expected to persist.
Malaysia & Indonesia Block X/Twitter Over Deepfake Concerns
[05:49 – 06:55]
- Both countries suspended access to X/Twitter, citing the platform’s alleged role in the distribution of non-consensual sexual imagery and deepfakes.
- Authorities cite failure to implement proper safeguards.
- Elon Musk argues the moves equate to censorship; similar issues are being raised in India.
AI-Driven Fraud: Opco Pro Scam
[06:56 – 08:10]
- Researchers at Check Point detail a massive fraud operation using AI-generated personas and communities (Opco Pro).
- The scam starts with SMS lures masquerading as investment opportunities.
- Victims are moved to WhatsApp groups run by bots, eventually directed to download a fake trading app.
- The app requests identity documents and selfies, enabling financial theft and SIM swapping.
- The fraud model is highly scalable and industrialized.
Breach Forums Breached
[08:11 – 08:47]
- The hacker site Breach Forums suffered a data breach, leaking its user database and admin PGP key.
- 324,000 user records were exposed; 70,000 with public IPs.
- The leak originated from a brief backup exposure; the PGP key password was also published, worsening exposure risk.
NSA Appoints New Deputy Director
[08:47 – 09:37]
- Tim Kosiba, a veteran intelligence official, is named NSA’s new Deputy Director, following a period of leadership uncertainty.
- Kosiba’s experience includes roles at NSA and FBI, and service as deputy commander of NSA Georgia.
- Attention now shifts to upcoming Senate confirmation hearings for NSA’s permanent leader.
Cybersecurity Business News
[09:37 – 10:54]
- The global cybersecurity sector continues to see investment and consolidation:
  - Israeli firm Vega secures $120M at a $700M valuation.
  - Saudi Arabia’s DS Shield raises $54M for OT security expansion.
  - U.S. startup Armadin, founded by Kevin Mandia, raises $24M.
  - Multiple MSSP acquisitions signal ongoing market consolidation.
Featured Interview: Sasha Ingber, Host of Spycast
[12:20 – 23:01]
Spycast Origins and Value Proposition
[13:08 – 14:30]
- Spycast is America’s first podcast focused on espionage, now in its 20th year.
- Its original host was Peter Earnest, the International Spy Museum’s founding director and a former spy.
- The show leverages the museum’s unique artifacts and narratives.
“Spycast is actually the first podcast on espionage and spying in the United States. This is our 20th year and our first host was the founding director of the International Spy Museum, Peter Earnest, who himself was a spy.” (Sasha Ingber, 13:08)
Types of Stories & Key Episodes
[14:36 – 17:05]
- Each week features a different voice from the international spy community—former intelligence officials, journalists, and scholars.
- Highlighted guests:
  - Bill Evanina (Counterintelligence): Discussed how layoffs became recruitment opportunities for hostile intelligence on platforms like LinkedIn, inspiring new government policies.
  - Ralph Marani (CIA): Reflected on officer protection practices after the Athens station chief’s assassination.
  - Nick Eftimiades: Details an ongoing global database of Chinese espionage cases.
  - Christine Kuhn: Explored family revelations about WWII espionage ties.
  - Fariba Nawa (Journalist): Unpacked Turkey’s spy intrigue between Israel and Iran.
Sasha Ingber’s Background & Approach
[17:05 – 19:24]
- Ingber started as a journalist focused on intelligence, worked at the State Department countering Russian disinformation post-Crimea annexation, and covered national security for NPR and Scripps News.
- She runs "humint" on Substack, providing human intelligence-focused reporting.
- Brings investigative rigor and passion for asking smart questions to Spycast.
“I ended up taking a job as a writer and an editor at the State Department... tasked with debunking Russian disinformation... That catapulted me into this fascinating world...” (Sasha Ingber, 17:18)
What’s New on Spycast
[19:51 – 21:36]
- For its 20th year:
  - First guest: Brian Carbaugh, head of the CIA Special Activities Center, offering unseen insider perspective on covert action during historic events (Afghanistan, COVID, China).
  - Month-long special: Operations in Latin America, with episodes marking the U.S. invasion of Panama, a former DEA agent’s work with Guatemalan gang databases, and more.
  - Rescue story: Brian Stern’s recent mission to extract Nobel Prize nominee Maria Corina Machado from Venezuela.
Spycast’s Evolution
[21:36 – 22:30]
- From free-flowing, hour-long chats to a tighter, 30-minute format for commutes.
- More focused while keeping intimacy and exclusivity—delivering voices not heard elsewhere.
- Retains its edge and candid revelations.
“By this time we have a format that's specific to about 30 minutes... tighter, more focused, but still retains the intimacy as well as the expertise.” (Sasha Ingber, 21:44)
Quirky Close: Hacking a Scooter
[24:03 – 25:41]
A lighthearted story about Rasmus Moorats, an Estonian hacker who bought a local electric scooter brand that later went bankrupt. When the company’s cloud app started failing, Moorats reverse engineered the system and found all scooters had the same default Bluetooth key, meaning anyone nearby could unlock any scooter. Moorats wrote his own control app, gaining independence from the now-defunct company servers and leaving a lesson in the danger of cryptographic defaults.
“Local pride is great, but cryptographic defaults are forever.” (Dave Bittner, 25:38)
Notable Quotes & Moments
- “This makes quishing a highly effective MFA-resilient identity attack vector.” (Dave Bittner, 03:51)
- “Anyone who has had the chance to visit your facilities in Washington, D.C. ... you’re in for a treat. It really is one of the premier museums in Washington.” (Dave Bittner, 13:48)
- “It's weird to kind of consider yourself a professional conversationalist. But I definitely like the side of asking questions more than what you're making me do right now.” (Sasha Ingber, 19:36)
- “You have just gotten some really, really exclusive voices from the spy world that you will not hear anywhere else.” (Sasha Ingber, 22:23)
- “The crossover of interests of the folks who are listening to us here on the CyberWire and Spycast is huge.” (Dave Bittner, 22:36)
Segment Timestamps
- [02:48] Kimsuky "Quishing" Campaign
- [04:24] Advantech IoT Vulnerabilities
- [04:50] Fancy Bear Targeting Energy & Defense
- [05:49] X/Twitter Blocked in Malaysia & Indonesia
- [06:56] AI Fraud Operation (Opco Pro)
- [08:11] Breach Forums Breach
- [08:47] NSA Leadership Announcement
- [09:37] Cybersecurity Business Brief
- [12:20] Start of Spycast Interview (Sasha Ingber)
- [13:08] Spycast Origins
- [14:36] Sample Spycast Stories
- [17:05] Sasha’s Background
- [19:51] Preview of Upcoming Spycast Content
- [21:36] Format & Evolution of Spycast
- [24:03] Commuter Hacked His Scooter
Summary
This episode is a rich blend of cyber threat intelligence, industry trends, and the human stories behind espionage and cybersecurity. The Spycast segment offers a compelling look at the real-life drama of spycraft and promises must-hear interviews for those fascinated by the intelligence world. Throughout, the show balances urgency—around breaches and vulnerabilities—with curiosity and wit, as seen in the episode’s closing anecdote about scooter hacking.
For more information, check out the CyberWire Daily Briefing and the International Spy Museum's Spycast podcast wherever you get your podcasts.
