Amy Hogan Burney
You're listening to the Cyberwire network, powered by N2K.
Advertisement Voice
AI agents are now reading sensitive data, executing actions and making decisions across our environments. But are we managing their access safely? Join Dave Bittner and Barak Shalef from Oasis Security on Wednesday, December 3rd at 1pm Eastern for a live discussion on agentic access management and how to secure non-human identities without slowing innovation. Can't make it live? Register now to get on-demand access after the event. Visit events.thecyberwire.com, that's events, with an s, dot thecyberwire.com, to save your spot.
Dave Bittner
Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless. Transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R.com/cyberwire.
European authorities take down an illegal crypto mixer. An Australian man is sentenced for running an airport evil twin Wi-Fi campaign. Researchers unmask a Scattered Lapsus Hunters impresario. CISA flags a cross-site scripting flaw in OpenPLC ScadaBR. A major South Korean retailer suffers a data breach affecting over 33 million customers. Threat actors abuse digital calendar subscription features. New York's new hospital cybersecurity mandates may raise the bar nationwide. Scammers target Cyber Monday shoppers. We've got our Monday business brief. Ann Johnson speaks with Microsoft's Amy Hogan Burney on the Afternoon Cyber Tea segment. And Google gets caught reheating someone else's holiday recipe.
Dave Bittner
It's Monday, December 1st, 2025. I'm Dave Bittner and this is your CyberWire intel briefing. Happy Monday and welcome back. For our U.S. listeners, I hope you had a lovely Thanksgiving break. It's good to be back. Europol and Eurojust, working under Operation Olympia, seized three servers in Zurich and took control of the cryptomixer.io domain late last month. The site now displays a warning that data tied to the service has been obtained and users may face investigation. Authorities collected more than 12 terabytes of information that could include logs capable of identifying customers. Europol says Cryptomixer operated on both the clear web and dark web and was widely used by ransomware operators and other criminals to hide the flow of illicit funds. Since 2016, it allegedly mixed more than 1.3 billion euros in Bitcoin. The takedown follows a similar 2023 operation against ChipMixer, which resulted in the seizure of servers, data and millions in cryptocurrency. A 44-year-old Australian man received a 7-year prison sentence for running evil twin Wi-Fi networks to steal travelers' data on domestic flights and in airports in Perth, Melbourne and Adelaide. Authorities say he used a Wi-Fi Pineapple device to clone legitimate SSIDs, luring users to a phishing page that captured social media credentials. He then accessed women's accounts to monitor messages and steal private images and videos. Forensic analysis found thousands of intimate files, stolen credentials and fraudulent Wi-Fi pages. After his equipment was seized in April 2024, he attempted to delete evidence and access confidential information from his employer's laptop. He later pleaded guilty to multiple cybercrime, theft and evidence destruction charges. Australian authorities urged travelers to treat free Wi-Fi with caution and use VPNs.
Scattered Lapsus Hunters, the group linked to Scattered Spider, Lapsus and ShinyHunters, has spent 2025 extorting major global companies after stealing data, often through social engineering campaigns that tricked victims into connecting malicious apps to Salesforce environments. The group's public face, calling themselves Rey, surfaced this week after Krebs on Security identified him as a 15-year-old from Amman, Jordan. Investigators connected multiple online identities through leaked passwords, infostealer data and posts across Telegram and BreachForums, where he was an administrator. SLSH recently launched its own ransomware-as-a-service, Shiny Spider, which he helped release. He told Krebs he has been attempting to leave the group and claims to be cooperating with European law enforcement, although those details remain unverified. The revelation follows SLSH's ongoing recruitment of insiders and continued extortion activity targeting dozens of major corporations. CISA has added a cross-site scripting flaw in OpenPLC ScadaBR on Windows and Linux to its Known Exploited Vulnerabilities catalog. Forescout reports that pro-Russian group TwoNet recently exploited the bug in an ICS/OT honeypot they mistook for a water plant, using default credentials, creating a Barlotti account and defacing the HMI login page. TwoNet continues to expand from DDoS into industrial targeting and access services. Federal agencies must patch the flaw by December 19, and experts urge private organizations to follow suit. South Korean retailer Coupang confirmed that personal details from 33.7 million customer accounts were compromised, prompting a formal apology and an emergency government meeting. Officials from the Ministry of Science and ICT warned of strict sanctions if safety measure violations are found. Coupang initially detected unauthorized access to 4,500 accounts in November, later revising the figure sharply upward.
Exposed data includes names, contact details, addresses and order histories, though payment information and passwords were not affected. Investigators are examining the possibility of an insider threat, with reports pointing to a former Chinese employee, although police have not confirmed this. The breach follows major incidents at SK Telecom and Lotte Card and has renewed concerns about structural weaknesses in South Korea's data protection regime. Researchers from BitSight warn that threat actors are abusing digital calendar subscription features to push harmful content directly onto users' devices. Calendar subscriptions let third-party servers add events and notifications, and attackers are exploiting expired or hijacked domains to deliver deceptive calendar files containing malicious links, attachments or phishing content. BitSight's sinkhole investigation began with a single suspicious German holiday calendar domain receiving 11,000 daily unique IP connections, then expanded to 347 related domains contacted by roughly 4 million unique IPs per day. Many of these requests appear to be background syncs from long-established subscriptions, meaning anyone who takes over an expired domain could silently inject new events. BitSight says this highlights a major blind spot in personal and corporate security, as calendar subscriptions lack the protections applied to email and other communication channels. New York's new hospital cybersecurity mandates will likely influence security expectations well beyond the state, according to Chris Stucker, deputy CISO at Froedtert ThedaCare Health. The rules, effective October 1, require multi-factor authentication, formal risk analysis, incident response planning and a designated qualified CISO. Stucker says the 72-hour incident reporting rule is straightforward, but the CISO requirement will have nationwide effects given the shortage of experienced leaders.
He predicts insurers will soon ask hospitals whether they follow New York's model, pushing others to align. Stucker adds that New York facilities may begin recruiting CISOs from other states, affecting the broader workforce. He also highlights emerging safe harbor protections elsewhere and says Froedtert ThedaCare is focused on identity modernization and zero trust products. CloudSEK has uncovered a massive holiday season scam involving more than 2,000 fake online stores designed to steal shoppers' money and personal information during peak events like Cyber Monday. The firm identified two major clusters: one linking over 750 sites, including 170 Amazon impersonators using identical banners and urgency timers, and another group of more than 1,000 .shop domains spoofing brands such as Apple, Samsung, Dell and Ray-Ban. All load resources from shared infrastructure, revealing a coordinated operation. Victims are funneled to shell checkout pages that harvest payment data, often routed through China-based hosts. CloudSEK estimates each fake site could net thousands of dollars before takedown. Researchers warn these scams could significantly erode trust in e-commerce and urge shoppers to avoid deals that seem unreal, suspicious domains, aggressive urgency tactics and stores with identical templates. Turning to our Monday business brief, cybersecurity investment and M&A activity accelerated this past week across sectors spanning consumer protection, offensive security, product security, identity, AI risk and observability. Israeli consumer security firm Guardio raised $80 million, led by ION Crossover Partners, to expand its detection engine, AI-era protection layers and global go-to-market efforts. Offensive security startup Twenty emerged from stealth with $38 million and a Pentagon contract, while product security company Clover secured $36 million to double its workforce.
Method Security raised $26 million to scale its autonomous cyber platform for government and critical enterprises, and identity startup Opti emerged with $20 million for product expansion. AI procurement platform Coverbase collected $20 million, AI agent security firm Vigil raised $17 million and Runlayer secured $11 million. M&A included Palo Alto Networks' $3.35 billion acquisition of Chronosphere to pair observability with autonomous AI remediation, plus deals by Red Squid, Zorient, Amplex and Kicard, which acquired Runebook to expand its AI agent ecosystem. Be sure to check out our CyberWire business brief over on our website, thecyberwire.com. It's part of CyberWire. Coming up after the break, Ann Johnson speaks with Microsoft's Amy Hogan Burney on the Afternoon Cyber Tea segment, and Google gets caught reheating someone else's holiday recipe. Stay with us. What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com/cyber. AI is transforming every industry, but it's also creating new risks that traditional frameworks can't keep up with. Assessments today are fragmented, overlapping, and often specific to industries, geographies or regulations.
That's why Black Kite created the BKGA3 AI assessment framework, to give cybersecurity and risk teams a unified, evolving standard for measuring AI risk across their own organizations and their vendors' AI use. It's global, research-driven, built to evolve with the threat landscape, and free to use, because Black Kite is committed to strengthening the entire cybersecurity community. Learn more at blackkite.com. On today's excerpt from the Afternoon Cyber Tea podcast, Microsoft's Ann Johnson speaks with Amy Hogan Burney, Corporate Vice President of Customer Trust and Security at Microsoft. They're discussing how Microsoft is redefining global cyber defense.
Ann Johnson
Today I'm excited to be joined by a wonderful Microsoft colleague, Amy Hogan Burney. Amy is corporate Vice President of Customer Security and Trust at Microsoft, where she leads global efforts to protect customers and build digital trust. Amy, how did you get started in cybersecurity and what has kept you engaged?
Amy Hogan Burney
I'm in cybersecurity by accident. I went to law school because I was an engineer and I thought I wanted to be a patent attorney. I was so bored I just could not do it. But working on spent nuclear fuel cases led me to a job at the FBI. I rotated through lots of jobs, including a job at DOJ that involved cyber and that just started a journey across all cyber work. I accidentally stumbled into cyber because it just became my calling and that's how I ended up here at Microsoft. One of the things that's changed the most is just how fast we are moving. The scope and the scale of the networks is much bigger. The disruptions, we call them advanced persistence disruptions. Now there's no way that we are disrupting these networks in totality. We have to think completely differently about how we are working. What's the same? The same is the human element. And what I mean by that is social engineering is still one of the biggest problems, one of the biggest ways that cyber criminals and nation state actors get into systems.
Ann Johnson
I think that's exactly right. The global scale of attacks is something that we're certainly seeing increasing, but there always will be a human element in cybersecurity which brings me to your team generates and I want to give you full credit for this because folks don't always know where it comes from. But your team works very hard to publish the Microsoft Digital Defense Report. We just published the sixth annual edition and this is really a cornerstone for the industry.
Amy Hogan Burney
For this report we really felt like as AI is advancing, it is more important than ever that people understand that the basics for hardening your system and for being resilient are more important than they have ever been. Because of the advances that we are seeing, you must take all necessary steps. Right now my hope for this MDDR is that everyone will take the report, they will use it, and a year from now it'll be like a checklist. I'm hoping that a year from now we actually see differences in the data and that we see changes and that actually everyone does talk to people at the board level, that we do have people actively working to defend their perimeter, that we really have people prepare for the regulatory changes that are coming and that really we have the best basics done because of the advances that we are seeing in AI.
Ann Johnson
I want to talk about the landscape from the perspective of international collaboration. Cyber from a practical operational partnership standpoint. Can you give us your point of view on what international collaboration is and why it is so important?
Amy Hogan Burney
Microsoft's Digital Crimes Unit has been around for more than a decade. They partnered with a Japan Cybercrime Control Center and with the Indian federal law enforcement and they were able to disrupt a widespread tech support scam that originated from Indian call centers. The generative AI was used to impersonate Microsoft and mass produce malicious pop-ups. And I think the Digital Crimes Unit looking for creative ways to partner with law enforcement and to look for ways to protect the most vulnerable is incredibly important.
Ann Johnson
So can you talk about cyber diplomacy? I don't think that a lot of our listeners are that familiar with that term. I know your team is heavily engaged. What role does the private sector play in the term cyber diplomacy and what does cyber diplomacy actually mean?
Amy Hogan Burney
I don't think we spend enough time talking about cyber diplomacy and I think it's incredibly important in this digital age. As nations operate in the digital space and as we see nation state actors increasingly using the digital space both for, I think, espionage and potentially for pre-positioning in the event of a kinetic war, as we saw in Ukraine, we need to think about what kind of rules and norms that we should have because we have to make sure that we have a stable and secure operating system. The private sector holds the vast amount of critical infrastructure. And so we need to make sure that we are preventing conflict online in the same way that you would use traditional diplomacy to prevent conflict on land.
Ann Johnson
I'd love to hear what you are optimistic about when it comes to the future of cybersecurity.
Amy Hogan Burney
I am so optimistic because of the people that I work with every single day that the talent that we have here and that I see in my travels around the world. It just makes me incredibly optimistic. And I am so optimistic because I see that talent being used with the innovation, with the age of AI. It is just incredible. The combination of those two things I just think makes me incredibly optimistic.
Dave Bittner
Be sure to check out the complete Afternoon Cyber Tea podcast right here on the N2K CyberWire Network and wherever you get your favorite podcasts.
Dave Bittner
And finally, Google spent the week discovering that family recipes generated by AI sometimes look suspiciously like someone else's family recipes. A NotebookLM promo on X/Twitter showcased a cozy infographic for Classic Buttery Herb Stuffing, only for users to notice it matched a How Sweet Eats blog post almost ingredient for ingredient. Google deleted the post with the same enthusiasm one deletes burnt stuffing and moved on. Microsoft recently suffered a similar embarrassment. All this arrives as Google tests ads inside AI-generated answers, blurring the line between citations and sponsored links. OpenAI is experimenting with ads too, suggesting the future of helpful AI answers may look a lot like the Internet's old business model, only with more cheerful recipe cards. A quick programming note: Our team was invited by the NATO Cyber Coalition to cover their 2025 cyber range exercise. Stay tuned for our coverage from the event later this week, where we were one of three podcasts invited and the only one based in the US. Our T-Minus Space Daily host Maria Varmazis and N2K producer Liz Stokes are on the ground in Tallinn, Estonia. Stay tuned. And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast, where I contribute to a regular segment on Jason and Brian's show every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth.
Our CyberWire producer is Liz Stokes. We're mixed by Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.
Date: December 1, 2025
Host: Dave Bittner, N2K Networks
Guest Segment: Ann Johnson (Microsoft) interviews Amy Hogan Burney (Corporate VP, Customer Security & Trust, Microsoft)
This episode delivers a comprehensive update on the week’s major cybersecurity events, high-profile breaches, evolving threat actor tactics, and the intersection of AI with cyber risk. It includes in-depth industry news, regulatory updates, research findings, and a business/finance roundup. The highlight is an interview from Microsoft's Afternoon Cyber Tea with Amy Hogan Burney, focusing on international collaboration, the role of AI, and optimism for the future of cybersecurity.
Holiday Season Scam Sites ([12:42])
Cybersecurity Investment and M&A Activity ([14:37])
Time Block: [16:30] – [22:44]
On Accidentally Entering Cybersecurity
"I accidentally stumbled into cyber because it just became my calling..."
— Amy Hogan Burney ([16:48])
Changing Nature of Threats
"We call them advanced persistence disruptions. Now there's no way that we are disrupting these networks in totality. We have to think completely differently..."
— Amy Hogan Burney ([17:27])
What's Unchanged: Human Element
"Social engineering is still one of the biggest problems, one of the biggest ways that cyber criminals and nation state actors get into systems."
— Amy Hogan Burney ([18:04])
Importance of Basics Amid AI Advances
"As AI is advancing, it is more important than ever that people understand the basics for hardening your system and for being resilient are more important than they have ever been..."
— Amy Hogan Burney ([18:44])
Collaboration Success Story
"Microsoft's Digital Crimes Unit… partnered... to disrupt a widespread tech support scam... Generative AI was used to impersonate Microsoft and mass produce malicious pop ups."
— Amy Hogan Burney ([20:05])
On Cyber Diplomacy
"As nations operate in the digital space… we need to think about what kind of rules and norms that we should have... The private sector holds the vast amount of critical infrastructure."
— Amy Hogan Burney ([21:00])
"I am so optimistic because of the people that I work with every single day… the combination of [talent and AI-driven innovation] just makes me incredibly optimistic."
— Amy Hogan Burney ([22:09])
On the persistent threat of social engineering:
"The same is the human element... social engineering is still one of the biggest problems..."
— Amy Hogan Burney ([18:04])
On the evolving cyber defense landscape:
"We have to think completely differently about how we are working."
— Amy Hogan Burney ([17:27])
On international cybercrime collaboration:
"...looking for creative ways to partner with law enforcement and to look for ways to protect the most vulnerable is incredibly important."
— Amy Hogan Burney ([20:24])
“…matched a How Sweet Eats Blog post almost ingredient for ingredient... Google deleted the post with the same enthusiasm one deletes burnt stuffing and moved on.”
| Segment | Timestamp |
|----------------------------------------------------|:-------------:|
| News Headlines Introduction | [01:01] |
| Europol/Cryptomixer Takedown | [03:23] |
| Evil Twin Wi-Fi Arrest and Sentencing | [04:30] |
| Scattered Lapsus Hunters Unmasked | [05:49] |
| CISA OpenPLC XSS Vulnerability | [07:11] |
| Coupang Data Breach (South Korea) | [08:21] |
| Calendar Subscription Abuse | [10:02] |
| NY Hospital Cyber Mandates | [11:18] |
| Holiday Season Scam Sites | [12:42] |
| Business Brief and M&A Updates | [14:37] |
| Interview: Amy Hogan Burney | [16:30] |
| Google’s AI Recipe Plagiarism Incident | [24:12] |
This episode delivers a whirlwind tour of global cyber events, practical takeaways on social engineering and attack prevention, and an insider's view on Microsoft's evolving strategy for AI-driven defenses and international cooperation. It also offers a dose of levity regarding AI's limits in recipe creation—mixing industry gravitas with relatable tech blunders.