A
You're listening to the CyberWire Network, powered by N2K.
B
Most security conferences talk about Zero Trust. Zero Trust World puts you inside it. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies, and technical deep dives focused on real-world implementation. Whether you're blue team, red team, or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry, and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.

DOGE staff face scrutiny over possible Hatch Act violations. GitLab fixes a serious 2FA bypass. North Korean hackers target macOS developers through Visual Studio Code. Researchers say the VoidLink malware may be largely AI-built. MITRE rolls out a new embedded systems threat matrix. Oracle drops a massive patch update. Minnesota DHS reports a breach affecting 300,000 people. Germany looks to Israel for cyber defense lessons. A major illicit marketplace goes dark. Our guest is Ashley Jess, senior intelligence analyst from Intel 471, with a crash course on underground cyber markets. And auditors emerge as an unlikely line of cyber defense.

It's Wednesday, January 21st, 2026. I'm Dave Bittner, and this is your CyberWire Intel Brief. Thanks for joining us here today. It's great as always to have you with us.

Newly disclosed Justice Department court filings reveal that two members of Elon Musk's DOGE team at the Social Security Administration were in contact with an advocacy group seeking to overturn election results in certain states. One DOGE member signed an agreement that may have involved matching Social Security data with state voter rolls, according to a filing by Justice Department official Elizabeth Shapiro. SSA referred both employees for possible Hatch Act violations; the act prohibits political activity by federal workers. The disclosures contradict earlier testimony during litigation over DOGE's access to Social Security data. Shapiro said DOGE members shared data using unapproved third-party servers, including Cloudflare, and may have accessed restricted personal information despite court limits. Emails suggest DOGE members could have been asked to assist the advocacy group by using SSA data, though it remains unclear whether any data was actually shared. Shapiro also reported that a senior DOGE advisor received a password-protected file containing private data on about 1,000 individuals. SSA says it was unaware of these actions at the time and that details remain unclear.

GitLab has released security updates to fix a high-severity vulnerability that allows attackers to bypass two-factor authentication in both its Community Edition and Enterprise Edition platforms. The flaw is caused by an unchecked return value in GitLab's authentication services. According to the company, an attacker who already knows a user's account ID could submit forged device responses and circumvent two-factor protections. In the same update, GitLab patched two additional high-severity vulnerabilities that could enable unauthenticated denial-of-service attacks through malformed authentication requests and improper API authorization checks. Two medium-severity denial-of-service issues were also fixed. GitLab has released multiple patched versions, urging self-managed users to upgrade immediately. GitLab.com is already updated, and Dedicated customers are not affected.

Jamf warns that North Korean threat actors are targeting macOS developers by abusing Visual Studio Code task configuration files to deliver malware. The campaign is a new variation of long-running fake job offer lures. Victims are tricked into cloning malicious GitHub or GitLab repositories posing as coding assignments. When opened and marked as trusted in VS Code, obfuscated JavaScript executes, retrieves additional payloads, and installs a persistent backdoor, according to Jamf. The malware collects system data, communicates with command-and-control servers, and enables remote code execution.

Researchers say VoidLink, a recently discovered Linux malware targeting cloud servers, was likely built almost entirely with the help of artificial intelligence. Initially analyzed by Check Point Research, VoidLink appeared to be the work of a sophisticated, well-funded threat group due to its modular design and feature set. Further investigation, however, suggests the malware was developed by a single individual using AI tools to plan, structure, and generate code. Evidence includes exposed development documents outlining a 30-week plan even though the malware evolved in roughly four weeks, a mismatch researchers attribute to AI-generated documentation. Check Point says AI was used not just for coding but for project orchestration, marking a turning point. VoidLink demonstrates how AI can significantly accelerate and amplify advanced malware development when used by skilled actors.

MITRE has announced the launch of its Embedded Systems Threat Matrix, or ESTM, a new cybersecurity framework focused on protecting embedded systems. Modeled on MITRE ATT&CK, the framework maps attack tactics and techniques specific to hardware and firmware environments. According to MITRE, ESTM supports threat modeling and attack path analysis across sectors such as energy, industrial control, robotics, transportation, and healthcare. The framework aligns with existing security models, works with the EMB3D threat model, and is now available as the more mature ESTM 3.0, with community contributions encouraged.

Oracle has released its first Critical Patch Update for 2026, delivering 337 security fixes across more than 30 products. According to Oracle, the update covers roughly 230 unique vulnerabilities, including more than two dozen rated critical and over 235 exploitable remotely without authentication. Several patches address a critical Apache Tika flaw with a maximum CVSS score. Oracle Communications and Fusion Middleware received the most fixes. Oracle also issued separate security updates for Solaris, including remotely exploitable vulnerabilities.

The Minnesota Department of Human Services is notifying nearly 304,000 people about a data breach involving unauthorized access to its MnCHOICES eligibility system. The incident was traced to a user affiliated with a licensed healthcare provider who accessed more data than permitted while using systems managed by FEI Systems. The access occurred between late August and September of last year and was detected after FEI identified unusual activity in November. State officials say there's no evidence of external hacking. The exposed information primarily involved demographic data, with more detailed personal and benefits information accessed for a smaller subset of individuals. DHS has revoked the provider's access, launched fraud monitoring efforts, and reported the incident as a HIPAA breach to federal and state oversight bodies.

Germany is seeking to significantly strengthen its cyber defenses against threats from countries including Russia, China, Iran, and North Korea, and is turning to Israel for expertise. Earlier this month, German Interior Minister Alexander Dobrindt signed a cyber defense cooperation agreement in Tel Aviv with Israeli Prime Minister Benjamin Netanyahu, citing interest in Israel's Cyber Dome system. Developed under the Israel National Cyber Directorate, the Cyber Dome is a centralized, partly automated threat detection platform that uses AI to monitor attacks on critical infrastructure. German officials and analysts say Israel's experience, shaped by frequent cyberattacks and a mature offensive and defensive ecosystem, could inform Germany's own efforts. The partnership includes plans for joint development of next-generation cyber defenses, an AI and cyber innovation center, and cooperation on protecting energy infrastructure, connected vehicles, and countering drone threats.

Tudou Guarantee, a Telegram-based illicit marketplace that processed more than $12 billion in fraud-related transactions, has shut down, according to blockchain intelligence firm Elliptic. Elliptic describes Tudou as the third-largest illicit marketplace ever, facilitating money laundering, sales of stolen personal data, and services supporting online scams. The shutdown followed the January 6th arrest and extradition to China of Chen Zhi, chairman of Cambodia's Prince Group, after which activity in Tudou's wallets sharply declined. Some functions, including gambling services, remain active, leaving uncertainty over whether the closure is complete. The disruption impacts Southeast Asia's fraud ecosystem, where scam operations have flourished. Tudou had risen rapidly after the shutdown of Huione Guarantee, its predecessor. Elliptic expects fraud activity to fragment across multiple smaller marketplaces, complicating but not preventing tracking efforts.

Coming up after the break, Ashley Jess from Intel 471 has a crash course on underground cyber markets, and auditors emerge as an unlikely line of cyber defense. Stay with us.

Ever wished you could rebuild your network from scratch to make it more secure, scalable, and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware, and software, all designed to work seamlessly together. The result? Fast, reliable, and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.

What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

Ashley Jess is senior intelligence analyst at Intel 471. Today, she shares a crash course on underground cyber markets and emerging trends.
A
So when you're talking about underground marketplaces, you're talking about the key platforms for the sale and distribution of, typically, things like stolen payment card information, personally identifiable information or PII, account credentials, and other sorts of sensitive information like the logs from infostealer malware. So these shops represent sort of the professionalization and commodification of cybercrime, because they are truly a centralized place where they offer this, very similar to any sort of online marketplace where you might buy, you know, gifts or clothing or things like that. It just happens to be stolen information.
B
Can you give us an idea of the breadth of these marketplaces and how they're kind of tiered? Are there top marketplaces that sort of lead everything, or how does it work?
A
Yeah, so they've undergone a significant evolution over the last 10, 15 years. So you used to have these really prominent marketplaces that were these large sort of multipurpose platforms, and they've shifted more to, you know, a more specialized and fragmented ecosystem. And this was mostly driven, actually, by law enforcement action, along with a mix of some new technological advancements. But you used to have really large marketplaces. So some that might sound familiar to viewers are things like Silk Road, AlphaBay, and Hydra Market, and those sold everything from drugs to hacking tools. And those were, you know, the top of their game at the time. But those law enforcement actions showed that these large centralized operations were very vulnerable once they were taken down. So as a result, we've seen actually more niche marketplaces with specialized offerings. So you might have a marketplace that just offers payment card information, or a marketplace that just offers information stealer logs. So you have some that are, you know, sort of that single-offering type of marketplace, something like a dump shop or something like that. And then there are still some that have multifunctional marketplaces, and there are still some that are kind of top of the game as well. So, yeah, for us, we do tier them. We tier them just kind of based off of the size of them, how long they've been around, how popular they are with cybercriminals. So there definitely are preferred marketplaces, but kind of two categories: the sort of multifunctional category and the single-use category.
B
Am I correct in my understanding that these markets are largely reputation-based?
A
Yeah. So in the cybercriminal underground, because you're dealing with people who aim to be anonymous, your reputation is kind of everything. So when you are a successful marketplace in the underground, you're typically operating similar to an e-commerce store, but you are conducting marketing much like any other sort of brand would, except it typically is on underground forums, maybe instant messaging channels, things like Telegram. And then as people use your store, they will leave reviews, or talk about if they happened to purchase something and they felt they got scammed, they'll file a complaint. And all of that is viewable on the underground. So the more reviews you have with the fewer complaints, partnered with how long you've been around, increases your reputation as an underground marketplace, which makes people more likely to continue to use you.
B
And where do we stand when it comes to law enforcement? How successful have they been at taking these things down?
A
They have been successful. So there's been a couple of notable law enforcement takedowns in recent years. So they are a compelling target for law enforcement agencies because these marketplaces offer some foundational products that cybercriminals will use to then commit larger cybercrimes. So it impacts a large number of cybercriminal operations if you can take it down at that sort of early source. So in recent years, we've seen several actually significantly popular marketplaces, you know, fall to a well-implemented law enforcement disruption. So typically what law enforcement will do is seize the domain, but we have seen administrators get arrested. And, you know, with any of these sorts of disruptions, just like any of the other ones you might see for ransomware organizations or something similar, some weather the disruption, some might have spawned a successor, and some never recovered. So one of the ones we've seen recently, earlier in 2025, for example, is the BidenCash marketplace, which is one that sold payment cards and PII. In June, they seized about 145 related BidenCash domains and cryptocurrency funds. According to the DOJ's announcement at the time, this one store had more than 117,000 customers and facilitated trafficking more than 15 million payment card numbers. So even just from that one disruption, you can see the size of the impact, which is why law enforcement, I think rightfully, continues to try to disrupt those operations in particular.
B
And what are the trends that you're tracking here? Where do we see this heading in the new year?
A
Yeah, so, you know, underground marketplaces rapidly facilitate the exchange of stolen data, but they also foster this sort of competitive environment where operators are continually trying to enhance their offerings to beat out the next person. So, you know, when it comes to 2026, what we're most likely going to see is how automation starts becoming embedded in these marketplaces so that they can start offering more products than their competitors. We're already seeing that being used across cybercriminals for things like phishing lures and things. But the other thing that we're going to see, probably, is the continued growth of credential-based crime. So, you know, infostealers, session hijacking, account takeovers, these are all really becoming foundational for many downstream attacks by cybercriminals, anything from gift card fraud to business email compromise and everything in between. So, you know, these markets are going to continue, and already are, optimizing around speed so that these stolen credentials can get monetized faster and faster before they can be detected by defenders. So that's something that we're definitely going to see, I think, going into the next year. We're also seeing more emphasis on fraud infrastructure than on a single attack. So services like card checkers, bot frameworks, and access brokers are also becoming more refined. So we'll likely see maybe specialized marketplaces start to grow in these offerings as well, because these allow criminals to scale their operations without necessarily needing to be technically skilled in and of themselves. And then the other thing we'll see, because, as I was just talking about, there is a lot of law enforcement focus on these marketplaces, is resilience. I think we're going to see resilience kind of be a major theme, of these cybercriminals trying to grow some roots for their marketplace and kind of try to evade what they've been seeing law enforcement do.

So they're already becoming more decentralized, they're becoming more cautious, they're spreading their activity across multiple platforms, multiple domains, private channels, in an attempt to make takedowns less effective and allow their infrastructure to persist even if part of it gets disrupted. So I think they're going to continue to look more like a business optimized for these things: efficiency, scale, return on investment. And defenders are going to need to adapt to that reality as well.
B
For the defenders in our audience, what sorts of things should be on their radar? What should they be looking out for in their day-to-day?
A
Yeah, I mean, it depends obviously on what they're defending against. But things like credential monitoring, things like multi-factor authentication on your accounts to keep them secure even if the password gets, like, you know, stolen, all of that is still very, very effective. You know, being able to act quickly, having, you know, password change policies and things like that. Then, when it comes to, you know, credit cards in general, recognizing the pattern of card testing, that looks like a lot of small, rapid-fire transactions that mostly fail. So looking for things like that, rate limiting by IP, adding step-up verification, and then, yeah, just hardening your accounts so that they can't be used. Don't leak overly specific decline reasons. Don't say it was a CVV mismatch. Add friction to your add-card or save-card actions. And the main thing is having some sort of response playbook for when you detect this type of activity.
B
That's Ashley Jess, senior intelligence analyst from Intel 471.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. Guardsquare delivers the highest level of security for your mobile apps without compromising performance, time to market, or user experience. Discover how Guardsquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

The world moves fast. Your workday, even faster. Pitching products, drafting reports, analyzing data. Microsoft 365 Copilot is your AI assistant for work, built into Word, Excel, PowerPoint, and other Microsoft 365 apps you use, helping you quickly write, analyze, create, and summarize so you can cut through clutter and clear a path to your best work. Learn more at Microsoft.com/M365Copilot.

And finally, Australia's recent mega breaches at Optus, Medibank, and Latitude Financial left millions wondering how cyber disasters keep slipping through. The usual answer is technical inevitability: complex systems, clever attackers, and bad luck. But research suggests another, quieter defense has been hiding in plain sight: the auditors. Auditors do not write code or chase hackers. They ask awkward questions about controls, oversight, and whether anyone is actually paying attention. The study found that auditors who have lived through a client's cyber breach become noticeably tougher everywhere else, flagging more weaknesses and issuing more meaningful clean bills of health. Those clean reports, it turns out, correlate with fewer future breaches. For Australia, where regulators like the Australian Securities and Investments Commission and the Australian Prudential Regulation Authority are pressing boards on cyber governance, the message is: firewalls matter. So does skepticism, preferably from someone who has already seen a glowing red screen ruin their week.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning, and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.
Date: January 21, 2026
Host: Dave Bittner
Guest: Ashley Jess, Senior Intelligence Analyst, Intel 471
This episode dives into the latest in cybersecurity news, with particular focus on government data handling scrutiny, major software security updates, threats to macOS developers, the evolving role of AI in malware, and international cyber defense partnerships. The feature interview gives a “crash course” on underground cyber markets with expert Ashley Jess, highlighting how cybercriminals are professionalizing, adapting to law enforcement, and refining their illicit business models.
The episode underscores the growing complexity and professionalism of underground cyber markets, the accelerating role of AI in threat development, and the necessity for defenders—both technical and managerial—to adapt swiftly as the criminal ecosystem continues to innovate and fragment. Strategic partnerships (like Germany–Israel) and non-technical functions (auditors, see [25:39]) are increasingly recognized as vital to cyber defense alongside technology.
For further details and daily briefings: cyberwire.com