A
You're listening to the CyberWire Network, powered by N2K. Cyber threats strike in minutes. Your analysis can't take weeks. That's where Velox Reverser from Booz Allen comes in. It's an autonomous malware reverse engineering and threat intelligence product that turns weeks of painstaking manual analysis into minutes of AI-powered insights. With Velox Reverser, security teams can perform deep analysis to learn how malware works and how to stop it. It's an advanced product that works at machine speed if you need to outpace evolving adversaries and strengthen your defense at scale. Request a demo or start your 30-day free trial of Velox Reverser today at boozallen.com/reverser.

Starkiller represents a significant escalation in phishing infrastructure. A blockchain lender breach affects nearly a million users. The Kimwolf botnet disrupts a peer-to-peer privacy network. Researchers identify vulnerabilities in widely used Visual Studio Code extensions. DEF CON bans three men named in the Epstein files. Texas sues TP-Link over supply chain. Security experts question the impact of cyber versus kinetic damage in Venezuela. African law enforcement arrest hundreds of suspected scammers. Tim Starks from CyberScoop explains CISA's upcoming town hall meetings over ICS reporting rules. And Warsaw walls off Wi-Fi wired wheels.

February 19, 2026. I'm Dave Bittner, and this is your CyberWire Intel Briefing. Thanks for joining us here today. It's great, as always, to have you with us.

A new phishing toolkit called Starkiller, discovered by security firm Abnormal, represents what researchers describe as a significant escalation in phishing infrastructure. The platform operates as a proxy that serves genuine login pages through attacker-controlled infrastructure rather than relying on static HTML clones. It launches a headless Chrome instance to mirror legitimate sites in real time, allowing victims to authenticate directly with the real service through the attacker's proxy. Because users interact with the live site, any multi-factor authentication codes or session tokens are forwarded to the legitimate service instantly, enabling attackers to bypass MFA. Starkiller can impersonate major brands, including Google, Microsoft and financial institutions, and provides real-time session monitoring and keylogging. Sold as a subscription service on the dark web, Starkiller includes updates and support, increasing its potential longevity and impact.

Nearly 1 million users were affected by a data breach at Figure Technology Solutions, a Nasdaq-listed blockchain lender. The company confirmed an employee fell victim to a social engineering attack, allowing attackers to access a limited number of files. The ShinyHunters group claimed responsibility and published 2.4 gigabytes of alleged stolen data on its Tor leak site. Have I Been Pwned identified about 967,000 exposed records, including names and contact details. ShinyHunters linked the incident to a broader voice phishing campaign targeting Okta single sign-on accounts.

The Kimwolf Internet of Things botnet has disrupted the privacy network I2P after attempting to use it to evade takedown efforts. Krebs on Security reports that around February 3rd, I2P users reported outages as tens of thousands of new routers flooded the network. Kimwolf operators later acknowledged on Discord that they had tried to connect roughly 700,000 infected devices to I2P, overwhelming a network that typically supports between 15,000 and 55,000 nodes. The incident amounts to a Sybil attack, where one actor controls large numbers of fake identities to destabilize a peer-to-peer system. Researchers say Kimwolf is experimenting with I2P and Tor as resilient command and control channels. I2P remains operational at reduced capacity, while reports suggest the botnet's size has recently declined.

Researchers at OX Security have identified four vulnerabilities in widely used Visual Studio Code extensions, warning they could enable serious cyber attacks. Three flaws, which have been assigned CVEs by MITRE, affect extensions including Live Server, Markdown Preview Enhanced and Code Runner, with combined downloads exceeding 128 million. The most severe, rated 9.1, could allow remote attackers to exfiltrate files from a developer's machine. Another enables arbitrary JavaScript execution and local network scanning, while a third permits remote code execution through social engineering. A fourth issue, in Microsoft Live Preview, was silently patched in September 2025. OX Security said the flaws expose a critical blind spot in developer environments and warned that a single compromised extension could enable broader organizational breaches.

DEF CON has banned three technology figures named in the Epstein files, despite no accusations of criminal wrongdoing. The individuals were cited by organizers for their documented contact with Jeffrey Epstein. Emails show past professional interactions, including introductions, funding discussions and offers of conference tickets. DEF CON said the bans apply to all future events. The conference rarely publicizes bans, with only a handful disclosed since 2017.

Texas has sued TP-Link Systems, alleging the networking company misled consumers about security and supply chain origins while exposing devices to exploitation. Attorney General Ken Paxton claims TP-Link marketed routers as secure and labeled them made in Vietnam despite sourcing most components from China. The lawsuit argues this creates national security risks, citing Chinese laws that could compel data sharing. The complaint references firmware vulnerabilities allegedly exploited by Chinese state-backed hackers and a botnet, tracked by Microsoft as Quad7 or CovertNetwork-1658, built largely from compromised TP-Link routers. Federal agencies have also flagged actively exploited flaws in TP-Link devices. Texas seeks civil penalties and disclosure requirements. TP-Link denies the allegations, calling them meritless and stating US user data is stored domestically.

Public reporting has framed the January 3 Caracas power outage during the mission targeting Nicolás Maduro as a precision cyber attack. But videos, photos and expert analysis suggest visible physical damage to multiple substations could alone explain the disruption. Imagery showed destroyed equipment, bullet impacts, oil leaks and fires at facilities including Panamericana and Fuerte Tiuna. Experts told CyberScoop the kinetic damage appeared sufficient to cause localized outages, raising doubts about a cyber-only narrative. Officials have not publicly confirmed a cyber cause, despite early statements referencing cyber layering effects. Analysts say cyber operations may have supported the mission by reducing situational awareness or identifying weak points, but likely did not act alone. How the incident is characterized matters: a cyber-only framing could distort policy decisions, overstating digital capabilities while underestimating physical grid vulnerabilities that experts say remain critical.

African law enforcement agencies arrested 651 suspects and recovered more than $4.3 million during Interpol's Operation Red Card 2.0, targeting investment fraud, mobile money scams and fake loan schemes conducted across 16 countries between December 8 and January 30. The operation identified over 1,200 victims linked to over $45 million in losses. Authorities seized over 2,300 devices and dismantled over 1,400 malicious websites and servers. Nigeria, Kenya and Côte d'Ivoire reported major arrests tied to phishing rings, fraudulent investment platforms and abusive loan apps. Interpol officials emphasize the importance of cross-border cooperation against organized cybercrime networks. Separately, Nigerian national Matthew Akonde was sentenced in the United States to eight years in prison for hacking tax firms, stealing client data with Warzone remote access malware and filing fraudulent returns seeking $8.1 million in refunds.

Coming up after the break, Tim Starks from CyberScoop explains CISA's upcoming town hall meetings over ICS reporting rules, and Warsaw walls off Wi-Fi wired wheels. Stick around.

When it comes to mobile application security, good enough is a risk. A recent survey shows that 72% of organizations reported at least one mobile application security incident last year, and 92% of respondents reported threat levels have increased in the past two years. GuardSquare delivers the highest level of security for your mobile apps without compromising performance, time to market or user experience. Discover how GuardSquare provides industry-leading security for your Android and iOS apps at www.guardsquare.com.

Most security conferences talk about zero trust. Zero Trust World puts you inside. This is a hands-on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work, and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert-led sessions, practical case studies and technical deep dives focused on real-world implementation. Whether you're blue team, red team or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from theory to execution.

And joining me once again is Tim Starks. He is a senior reporter at CyberScoop. Tim, welcome back.
B
Good to be back.
A
Looking at this report that you recently published, this is about CISA looking to host some feedback sessions, some town halls if you will, about some cyber incident reporting regulations. Can we start with a little bit of the background here, the legislation that makes this something that CISA wants to pursue?
B
Absolutely. I mean, there's been a lot of attention lately on that 10-year-old law that Congress has not been successfully reauthorizing. On the list of meaningful, important pieces of cybersecurity legislation that Congress has ever passed, it's really kind of a two-horse race. And the other one is a law that Congress got through in 2022 called the Cyber Incident Reporting for Critical Infrastructure Act. And the gist of it is, it was right around the time when a lot of things like SolarWinds were fresh in people's minds. And some of the bigger incidents that were happening around that time were people concerned that there just wasn't enough government awareness into what was happening, and they weren't able to essentially weaponize that information by giving it out to critical infrastructure owners and operators. So the law at its core says if you're a critical infrastructure owner-operator, you have to notify CISA within 72 hours if you suffer a major cyber attack. And there's some definitional terms in the law about what that means. And then if you make a ransomware payment as one of those owners and operators, you have to let CISA know within 24 hours. That's the gist of it.
A
Yeah.
B
And Congress had passed that back then, and they've been working on the regulation ever since.
A
So there are some points of contention here. What is at play in terms of people not having a complete understanding of what this may or may not apply to?
B
Yeah. So, I mean, there's been a lot of drafting of the legislation. Sorry. Of the regulation. Under the Biden administration, they put out a proposed rule and it addressed things like, you know, we said the law talks about critical infrastructure owners and operators, but who specifically.
A
Right.
B
Who is considered a covered entity under this law has been the kind of definitional things that this law has to handle. So some of those definitions industry did not like. They thought they were too broad, they thought they were too burdensome.
A
And so now CISA is saying that something they're considering are virtual town halls.
B
Exactly. So this was supposed to have been all wrapped up by, I believe, last fall and three years to write a regulation. But I guess it's a complex regulation. Not even. I guess it is, but it's still a little surprising to me that they couldn't get it done in that timeframe. Even knowing that government doesn't operate at the speed of light, three years is an awful lot of time to write a regulation, and they did devote a lot of manpower to doing it. Now, with the Trump administration coming in and saying, we're not going to meet that deadline, we're going to look at May, they said we need to have more discussions with industry about this regulation. They do seem to be inclined to make some changes to it and seem to be friendlier to the industry point of view on this. But we won't know until we see anything final, which we won't see for a while, because these town halls are presumably going to be done before there's a final, final, final regulation. So that these, these will run through March and April, beginning of April, and then. And then maybe we can start thinking about what kind of, what the final regulations might look like.
A
Well, in your reporting, you talked to some insiders who were skeptical that this is what's really needed.
B
Yeah, there's been a lot of. There's been a lot of calls from industry for engagement. And that doesn't mean listening sessions. Right. They think that they've made their points pretty clear on this, that these, these definitional things are problems, that. That the things they don't like, they've repeatedly said them. So another session where they just give feedback isn't what some in industry are looking for. They want more details on what this regulation, what are the difficulties in implementing it? They want to know things that are more of a, like a two-way dialogue about how we're going to get this done and what it's going to look like in the end. And there hasn't been, according to the people I spoke to, there hasn't been a lot of that with CISA. Obviously they're shorter staffed these days than they were. You can question whether they consider the CIRCIA law much of a priority. Maybe they don't. Maybe it's not a huge deal for them to hear administration officials say it. It's still a very big deal to them. But I think those are the kinds of questions people have is, are they really prioritizing this?
A
What is your sense for how things are going at CISA just in terms of morale and just in general within that organization?
B
Not great. Yeah, yeah, it's something I'm reporting on. It's, it's something I hope to have some more stuff on soon. But, but the general, you know, while there might be some, some spots of potential optimism, there's a lot of dismay about what CISA has become.
A
Well, and concern that if the next round of government shutdowns come, it means what, half of their staff being furloughed?
B
I mean, yeah, I actually was just on the phone with the chairman of the House Homeland Security Committee and we were talking about sort of the future of CISA. And it's a point that's been made before that government service becomes a lot less appealing if you're working without pay or if you're furloughed and you just, and if it just happens every year, it's not a real appealing thing for people who want any kind of stability in their life. You might believe in the mission of government service and you might have the training and you might have the education, you might have the drive to do that. But it does become a huge impediment to wanting to keep doing it or to want to start doing it. If you just don't know with this administration whether they're going to cut your job that week, that day at CISA, you know, we, we see stories all the time about reorganization plans and things that are shifting and moving around. It's a, it's a tough environment to work for the federal government these days. And CISA is one of those agencies that might have it a little rougher, frankly.
A
Yeah, it's a great point. I mean, I think about, you know, folks in government positions who would say well, you know, we may not get paid as much as our colleagues in the private sector, but we have stability and you know, the thing, we have good benefits and all those sorts of things. And this is kind of taking a shot at, at that deal, at that arrangement.
B
It really is. I mean, I'm reminded of Russell Vought saying that their goal was to traumatize federal employees. It's not, it's not a real recruitment ad for working in the government, is it?
A
Right, right.
B
And you know, they want to, they want to shrink the size of government. You know, that's one of their goals. But maybe there are ways to do it that don't involve deliberately harming people.
A
Yeah, that would be great. It's really hard to not be cynical these days. But we will do our best, Tim, you and I.
B
I've given up. I'm going to stay simple.
A
Well then, just me.
B
Just me. All right.
A
Tim Starks is senior reporter at CyberScoop. Tim, thanks so much for joining.
B
Thanks, Dave.
A
What's your 2am security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

Maybe that's an urgent message from your CEO. Or maybe it's a deepfake trying to target your business. Doppel is the AI-native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back, from automatically dismantling cross-channel attacks to building team resilience and more. Doppel: outpacing what's next in social engineering. Learn more at doppel.com. That's D-O-P-P-E-L dot com.

And finally, Poland's Ministry of Defense has decided that if a car can record you, it probably should not park next to anything classified. The ministry this week banned Chinese-made vehicles, and any others equipped with technology capable of recording location, images or sound, from entering protected military facilities. Officials are also barred from plugging work phones into infotainment systems in China-built cars, citing the risk of uncontrolled acquisition and use of data. The ban is not absolute. Warsaw plans to introduce a security vetting process so manufacturers can earn clearance, with carve-outs for inspections and rescue missions. Poland says the move aligns with NATO practices, though enforcement could get tricky given that some European brands manufacture models in China. The decision fits a broader pattern of restricting Chinese tech over espionage concerns. In short, if your car might be listening, it can wait at the gate.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands-on learning and real innovation. I'll say this plainly: I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today at rsaconference.com/cyberwire26. I'll see you in San Francisco.

Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full-stack zero trust networks, including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security and VPN, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters: helping your business and customers thrive. Learn more and book your demo at meter.com/cyberwire. That's M-E-T-E-R dot com slash cyberwire.
Date: February 19, 2026
Host: Dave Bittner (N2K Networks)
Guest: Tim Starks (CyberScoop, Senior Reporter)
This episode delivers the latest in cybersecurity news, focusing on a critical escalation in phishing techniques that undermines Multi-Factor Authentication (MFA). The show covers a spectrum of pressing topics: a major phishing toolkit called Starkiller, significant data breaches, vulnerabilities in development tools, global law enforcement actions, regulatory debates in the US, and policy shifts in European military cybersecurity. The episode features an in-depth interview with Tim Starks about upcoming CISA town hall meetings regarding Industrial Control System (ICS) cyber incident reporting regulations.
(Timestamps: 13:36–20:56)
This episode paints a fast-changing cybersecurity landscape, where technical innovations in attack vectors (such as Starkiller), vulnerabilities in ubiquitous development tools, and organizational/political challenges interweave. The tone balances urgency and skepticism, especially regarding regulatory effectiveness and governmental workforce morale.
Listeners come away with an enhanced understanding of both today’s threats and tomorrow’s policy struggles in cybersecurity.