CyberWire Daily – "Millions of Devices Still Up for Grabs"
Date: March 20, 2026
Host: Dave Bittner (N2K Networks)
Overview
This episode delivers a comprehensive rundown of recent cybersecurity events, including the federal disruption of major IoT botnets, high-profile data breaches, new malware tactics using fake Zoom calls, and the rapid exploitation of a key AI framework vulnerability. The episode also marks the 10th anniversary of the CyberWire podcast, featuring a celebratory retrospective with team members reflecting on their journey, standards, and impact. The show concludes with preparations for this year’s RSA Conference and a story illustrating how cyberattacks can disrupt everyday life.
Key News and Analysis
1. Federal Takedown of Major IoT Botnets
- Time: 01:38 – 03:00
- US, Germany, and Canada coordinated to disrupt four massive IoT botnets: Aisuru, Kimwolf, Jackschid, and Mossad.
- Over 3 million devices—including routers and security cameras—had been compromised.
- These botnets orchestrated some of the largest DDoS attacks in history (>30 Tbps), targeting various organizations, including the Department of Defense.
- While the command-and-control infrastructure was dismantled, millions of devices remain infected, posing persistent risks.
- Quote: "That persistent exposure continues to fuel the cybercrime economy and enables rapid rebuilding of similar attack networks." – Dave Bittner (02:60)
2. FBI Seizes Iranian-linked Hacktivist Infrastructure
- Time: 03:00 – 04:10
- FBI seized websites belonging to the Handala hacktivist group, following a destructive attack on Stryker that wiped 80,000 devices using Microsoft Intune.
- The incident underlines how device management tools can be misused in large-scale attacks and highlights the risks from state-aligned threat actors.
3. Kaplan North America Data Breach
- Time: 04:10 – 05:00
- Nearly 195,000 individuals were affected in a breach, with exposure of names, SSNs, and driver’s license data.
- Attackers had undetected access for three weeks; the breach was announced after a lengthy investigation.
- Quote: "The exposure of high value identity data increases the risk of fraud and long term identity theft. It also highlights the impact of prolonged unauthorized access before detection." – Dave Bittner (04:55)
4. Breach of Law Enforcement Tip Platform
- Time: 05:01 – 06:06
- A hacker claiming to be "Internet Yiff Machine" says they accessed P3 Global Intel, stealing data from over 8 million tips.
- The company is investigating; the breach exposes sensitive whistleblower and tipster information.
5. Fake Zoom Calls Delivering Malware
- Time: 06:06 – 07:00
- Attackers use AI-generated JavaScript to simulate Zoom meetings and trick users into installing malware disguised as updates.
- The payload installs the legitimate ScreenConnect remote management tool, granting attackers device access.
- Insight: Realistic phishing lures, especially those mimicking trusted collaboration tools, significantly increase user compromise rates.
6. Malicious Crypto Extension "ShieldGuard"
- Time: 07:01 – 07:50
- The browser extension posed as a crypto security tool, promoted via social media and airdrops, but actually stole sensitive data from Binance, Coinbase, and MetaMask users.
- It used advanced obfuscation to evade Chrome protections and is linked to a broader campaign (Radex).
- Comment: "Attackers are increasingly disguising malware as security tools, exploiting trust in the crypto ecosystem." – Dave Bittner (07:45)
7. Rapid Exploitation of AI Framework Vulnerability (Langflow)
- Time: 07:50 – 08:46
- A critical RCE flaw was exploited just 20 hours after disclosure, allowing arbitrary Python code execution with a single HTTP request.
- Attackers immediately began scanning, deploying scripts, and harvesting credentials.
- Quote: "Exploitation timelines are shrinking faster than patch cycles. Organizations often take weeks to remediate, leaving a wide exposure window as attackers rapidly weaponize newly disclosed flaws." – Dave Bittner (08:36)
8. Insider Threat & Extortion at Brightly Software
- Time: 08:47 – 09:35
- A contractor, Cameron Curry, stole payroll and employee info and attempted extortion via more than 60 threatening emails.
- The company paid a partial ransom in Bitcoin before contacting authorities.
- Takeaway: Insider access, especially post-employment, remains a serious organizational threat.
9. $10 Million AI-Driven Streaming Fraud
- Time: 09:36 – 10:46
- Michael Smith orchestrated a scheme to inflate music streaming figures using bots and AI-generated tracks, diverting royalties from legitimate artists.
- Platforms affected: Spotify, Apple Music, Amazon Music, YouTube Music.
- Smith agreed to forfeit over $8 million; the case highlights the role of AI in scaling digital fraud.
CyberWire’s 10th Anniversary Retrospective
1. Origins & Growth
- Time: 12:34 – 22:00
- Featuring Dave Bittner (host), Peter Kilpe (CEO), and Maria Varmazis (contributing host).
- The CyberWire began as an internal newsletter:
- Peter Kilpe: "Number of people kept telling us how great our little internal intelligence newsletter was and we should share it with the world. So we did..." (12:48)
- The podcast idea originated with Dave Bittner, initially as a daily audio readout of the newsletter:
- Dave Bittner: “I thought, why don't I just read it every day?” (15:38)
- The format evolved from a five-minute briefing to a news show rich in interviews and analysis.
2. Signal and Audience Feedback
- Time: 16:55 – 17:45
- Early surprising traction, with rapid audience and sponsor uptake for a show initially viewed as a side project.
- Peter Kilpe: “Within six months, we had Fortune 10 companies, like, reaching out and saying, how do I get on this show?” (17:14)
- Growth milestones (3,000 to 10,000 downloads per day).
3. Editorial Principles & Community Impact
- Time: 19:45 – 24:39
- High production values and a news-show format set the podcast apart:
- Maria Varmazis: “We just sounded like a real radio program.” (19:28)
- The North Star: Reliability, integrity, and avoiding hype.
- Peter Kilpe: “Really what we were doing is making the world a safer place, you know, by help keeping people educated, informed about what was going on in security. And we did it diligently. We did it without fluff. We did it with...without creating FUD.” (20:07)
- Milestone moments, including government audiences using CyberWire content for operational context, and personal notes of thanks:
- Maria Varmazis: “Another moment that was special for me was one day in the mail. I got a little padded envelope...full of challenge coins from NSA Fort Meade, and just a handwritten, unsigned note that said, thanks for all you do.” (22:23)
- The team’s pride in audience outreach: helping listeners advance careers and organizations improve their security.
4. Looking Forward
- Time: 24:39 – 24:58
- Celebratory optimism for the next decade.
- Maria Varmazis: “Here's to the next 10.” (24:56)
RSA Conference Preview & Kevin the Intern
1. Intern Kevin (Kevin Magee) Returns
- Time: 25:20 – 28:46
- Kevin Magee, Microsoft Global Director of Cybersecurity Startups, returns for another year as Dave Bittner’s "intern" at RSA Conference.
- Reflections on conference experiences, the importance of seeking out startup innovations, and the future direction of security in the AI era.
- Kevin Magee: “I kind of think we're at the end of a cycle...The Wiz acquisition is probably that high watermark for that phase and we're moving to a new phase where all these AI companies that have come up with something new and exciting…” (27:28)
- Conference advice: Wear good shoes, stay hydrated, and plan for long walks. A goal: try a self-driving taxi on San Francisco’s steep hills.
- Kevin Magee: “Good shoes is number one. Stay hydrated, get your calendar ready and it will always take you longer to get to where you're going than you can possibly imagine at RSA.” (28:09)
Impact Story: Intoxalock Cyber Attack
1. Breathalyzer Service Outage
- Time: 30:37 – 32:01
- A cyberattack on Intoxalock disrupted ignition interlock (breathalyzer) devices across 46 states, immobilizing thousands of court-mandated vehicles.
- Attackers targeted backend servers, leaving users locked out and unable to access accounts or schedule service.
- Data remains secure; service restoration and customer accommodations are underway.
- Insight: “A single point of failure can sideline critical compliance systems at scale. It also shows how cyber incidents can ripple into everyday life, sometimes with inconvenient consequences.” – Dave Bittner (31:26)
Notable Quotes & Moments
- On the ongoing botnet threat:
“That persistent exposure continues to fuel the cybercrime economy and enables rapid rebuilding of similar attack networks.” (02:60; Dave Bittner)
- On evolving the podcast:
“The idea was just that every day I would just read the newsletter as it existed, just read it verbatim, and we'd put that out in audio form.” (15:49; Dave Bittner)
- On editorial standards:
“We did it diligently. We did it without fluff. We did it without creating FUD, you know, in the community. We just told it like it was.” (20:07; Peter Kilpe)
- On reaching 10,000 daily listeners:
“I think we’ll really have something when we cross 10,000. And I thought to myself, oh, come on, that’s impossible. Of course it wasn’t impossible.” (22:21; Maria Varmazis)
- On community impact:
“We touch a lot of lives...We have their trust. And the idea that we can actually help people move forward in their careers, help them grow in their knowledge, help their organizations stay safe, it just, it means a lot to us.” (24:15; Peter Kilpe)
Episode Timeline
| Segment | Start Time |
|------------------------------------------------|:----------:|
| News Headlines & Botnet Takedown | 00:46 |
| FBI vs. Handala Hacktivists | 03:00 |
| Kaplan Breach | 04:10 |
| Law Enforcement Tip Platform Breach | 05:01 |
| Fake Zoom Call Malware | 06:06 |
| Malicious Crypto Extensions | 07:01 |
| Langflow AI Framework Exploit | 07:50 |
| Insider Threat & Extortion | 08:47 |
| AI-generated Streaming Fraud | 09:36 |
| CyberWire 10th Anniversary Retrospective | 12:34 |
| Kevin Magee & RSA Conference | 25:20 |
| Intoxalock Breathalyzer Outage | 30:37 |
Final Thoughts
This special episode blends a deep dive into critical recent cyber events with a rich narrative marking 10 years of CyberWire Daily. It balances technical analysis, industry context, and human stories—ideal for listeners wanting both the latest in cybersecurity news and an appreciation for the people and principles behind one of the field’s most respected voices.
