CyberWire Daily – "Proxy wars and open doors"
Date: January 29, 2026
Host: Dave Bittner (N2K Networks)
Overview
In this episode, CyberWire Daily covers the latest in global cybersecurity: high-profile takedowns of cybercriminal infrastructure, evolving state-sponsored threats, election interference, targeted phishing, major vulnerability disclosures, and a deep-dive interview with Tom Pace (CEO, Netrise) about the risks lurking in open-source software. The episode's throughline is the growing risk carried by open-source components, especially where nation-state actors can influence them, alongside the rising sophistication and boldness of both attackers and defenders.
Main News Highlights
1. Google Takes Down iPidia Residential Proxy Network
“The service routes Internet traffic through millions of everyday consumer devices worldwide, allowing attackers to blend malicious activity into normal user traffic.” [02:12]
- What happened: Google and partners dismantled iPidia, a major residential proxy network used by over 550 tracked threat groups for cyberattacks, espionage, and data theft.
- How it worked: Malicious SDKs were embedded in innocuous apps, making consumer devices unwitting proxy exit nodes.
- Result: Core infrastructure taken down, millions of devices “cleaned,” but similar threats are proliferating.
2. Possible FBI Seizure of Ramp Cybercrime Forum
“DNS records reportedly showed Ramp redirecting to an FBI-controlled domain, though the notice lacks the international partner logos typically seen in coordinated takedowns.” [04:34]
- Event: RAMP, a prolific cybercrime forum frequented by ransomware groups, was apparently seized by the FBI.
- Skepticism: No official announcement; seizure notice lacks typical details, leading to doubts among experts.
- Implications: Disrupting these forums is intended to fragment and destabilize the cybercrime market.
3. North Korean Operations Splinter and Evolve
“Pressure Chollima carried out last year's record $1.46 billion crypto theft and is among North Korea's most technically advanced actors.” [06:04]
- CrowdStrike analysis: the long-running North Korean adversary tracked as Labyrinth Chollima has been split into three separately tracked groups:
- Labyrinth Chollima: Espionage (targeting manufacturing, defense, aerospace).
- Golden Chollima and Pressure Chollima: Cryptocurrency theft used to skirt sanctions.
- Significance: Shows Pyongyang’s increased bureaucratic sophistication and sustained cyber aggression.
4. US Military Acts Against Russian Election Interference
“Hackers interfered with servers and personnel linked to Russian firms, spreading fabricated news aimed at swing states...” [07:40]
- CNN scoop: Before the 2024 US election, US Cyber Command ran a covert operation to slow Russian troll networks, primarily those pushing disinformation aimed at pro-Ukraine candidates.
- Aftermath: Many counter-influence programs have since been cut under the Trump administration, raising fears about the 2026 midterms.
5. Phishing Campaign Targets Journalists via Signal
“Security experts say the campaign appears highly targeted, focused on journalists, lawyers, politicians and activists, and may be spreading through stolen address book data.” [09:30]
- Tactics: Attackers impersonate Signal support, attempting account takeovers through social engineering.
- Risks: Potential loss of sensitive contacts and exposure of journalistic sources.
- Note: Signal’s Meredith Whittaker warns that AI agents embedded in OSes are creating a new class of risks for encrypted messaging ([10:41]).
6. SolarWinds Critical Vulnerabilities Patched
- Details: Six vulnerabilities patched in Web Help Desk, including:
- 4 critical (two deserialization, two auth bypass)
- 2 high severity (security control bypass, hardcoded credentials)
- Urgency: Organizations urged to update immediately due to remote code execution risks ([11:30]).
7. AI Training Data Contaminated with CSAM at Amazon
- Scope: Amazon found and removed “hundreds of thousands” of suspected child sexual abuse material from AI training datasets ([12:20]).
- Concerns: Lack of transparency hampers law enforcement’s ability to trace origins and help victims.
- Broader issue: Rapid AI dataset assembly poses significant risk.
8. Initial Access Broker TA584 Ramps Up
- Modus Operandi: Phishing, PowerShell abuse, new malware (Tsunderebot, Exworm), potential for ransomware deployment ([13:21]).
- Geography: Expanding attacks from North America/UK to Europe and Australia.
9. Crackdown on Chinese Scam Centers
- Incident: China executed 11 “core members” of a syndicate responsible for $1.4 billion in scams and for intentional homicides ([14:00]).
- Regional trend: Wider crackdown in Southeast Asia, but scam operations and human trafficking still rampant.
Interview Highlights – Tom Pace (CEO, Netrise): Open Source as a Nation-State Attack Surface
The Dilemma
“The issue here is understanding provenance of open source components is equally as critical in 2025 and 2026, as…more critical than the traditional supply chain.” – Tom Pace [16:57]
- Visibility Gap: The origins and maintainers of open source components are often unknown; a single developer in a hostile state can be a single point of failure for everything built on that component.
- Case studies:
- Russia-based developer as sole maintainer of critical software (raised by Senator Tom Cotton).
- Recent XZ Utils backdoor attempt—caught only at the “last minute.”
The State of Assessment
“Capabilities exist and are not being used would I think be the most fair way.” – Tom Pace [18:26]
- Current practice: Government, especially DoD, wants compliance-based, measurable frameworks. Existing processes don’t fit open source risk.
- Efforts:
- The DoD Software Fast Track (SWFT) initiative aims to speed up procurement without sacrificing thorough risk analysis (via SBOMs and provenance checks).
- CISA’s Open Source Security Roadmap lays groundwork for better visibility.
Practical Steps and Recommendations
“[What] you have to do is get visibility so you can actually ascertain the data that you have so you can analyze it.” – Tom Pace [21:13]
Key Steps:
- Collect comprehensive data on software supply chain contributors.
- Identify contributors’ locations, breach history, and associations with threat/malware groups.
- Build and utilize data-driven frameworks, not just guidance-by-intuition.
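The three steps above (collect contributor data, establish where maintainers are and what they are associated with, then score against a written-down framework) are easiest to see as a join between an SBOM and a maintainer table. The following is an added example, not code from Netrise or from the episode: it reads a CycloneDX-shaped SBOM, looks up each component's maintainers by version-less purl, and emits findings for the visibility gaps the interview names. The package names, maintainer records and the review-jurisdiction list are all constructed (the "ZZ" code is a placeholder, not a real country).

```python
"""Provenance triage of a CycloneDX-style SBOM against maintainer metadata (added example)."""
import json
from dataclasses import dataclass

# Constructed SBOM in CycloneDX 1.5 JSON shape; only the fields used are present.
SBOM_JSON = r'''{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "hypothetical-compress", "version": "1.0.0",
     "purl": "pkg:pypi/hypothetical-compress@1.0.0"},
    {"type": "library", "name": "widgets", "version": "2.1.0",
     "purl": "pkg:npm/%40example/widgets@2.1.0"},
    {"type": "library", "name": "tidy", "version": "0.3.0",
     "purl": "pkg:golang/example.org/tidy@v0.3.0"},
    {"type": "library", "name": "orphaned-crate", "version": "0.1.0",
     "purl": "pkg:cargo/orphaned-crate@0.1.0"},
    {"type": "library", "name": "vendor-blob", "version": "2.0"}
  ]
}'''

# Constructed maintainer metadata keyed by version-less purl. This is the
# output of the "collect contributor data" step; it is invented here so the
# example runs offline.
MAINTAINERS = {
    "pkg:pypi/hypothetical-compress": [
        {"handle": "solo-dev", "country": "ZZ"},
    ],
    "pkg:npm/%40example/widgets": [
        {"handle": "alice", "country": "US"},
        {"handle": "bob", "country": "DE"},
        {"handle": "anon", "country": None},
    ],
    "pkg:golang/example.org/tidy": [
        {"handle": "carol", "country": "CA"},
        {"handle": "dan", "country": "CA"},
    ],
}

# Jurisdictions the organization has decided warrant manual review (placeholder).
REVIEW_COUNTRIES = {"ZZ"}


@dataclass(frozen=True)
class Finding:
    component: str   # name@version as written in the SBOM
    rule: str
    detail: str


def base_purl(purl: str) -> str:
    """Strip version, qualifiers and subpath so the purl keys the metadata table."""
    purl = purl.split("?", 1)[0].split("#", 1)[0]
    return purl.rsplit("@", 1)[0] if "@" in purl else purl


def triage(sbom_json: str, maintainers: dict, review_countries: set) -> list:
    """Join SBOM components with maintainer records and emit provenance findings."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        label = f"{comp['name']}@{comp.get('version', '?')}"
        purl = comp.get("purl")
        people = maintainers.get(base_purl(purl)) if purl else None
        if not people:
            # No purl, or a purl nobody has enriched: origin is simply unknown.
            findings.append(Finding(label, "UNKNOWN_ORIGIN",
                                    "no purl or no maintainer record"))
            continue
        if len(people) == 1:
            findings.append(Finding(label, "SOLE_MAINTAINER",
                                    f"single maintainer: {people[0]['handle']}"))
        flagged = sorted(p["handle"] for p in people
                         if p["country"] in review_countries)
        if flagged:
            findings.append(Finding(label, "REVIEW_JURISDICTION",
                                    "maintainers in review list: " + ", ".join(flagged)))
        unknown = sorted(p["handle"] for p in people if p["country"] is None)
        if unknown:
            findings.append(Finding(label, "UNVERIFIED_LOCATION",
                                    "location unknown for: " + ", ".join(unknown)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule so a report can lead with the largest gap."""
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SBOM_JSON, MAINTAINERS, REVIEW_COUNTRIES)
    for f in results:
        print(f"{f.rule:20} {f.component:30} {f.detail}")
    print(summarize(results))
```

The rules are intentionally mechanical: the point of a data-driven framework is that "sole maintainer" or "no provenance record" is a reproducible fact about the dependency graph, not a judgment call made per procurement. A real pipeline would also carry the data the interview mentions (breach history, known associations) as extra columns in the same table.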
On Lessons Learned
“That horse left the barn 30 years ago. Okay, that's, that's the whole point. Yeah, like, this isn't a new problem. This is an ancient problem.” – Tom Pace [23:46]
- Open source is essential infrastructure, and the risk it carries is old, not new.
- Notable: Huawei is a prominent, open contributor to the Linux kernel.
“There's this assumption that Open Source is always a more secure thing...I think that's generally true...that’s why the XZ Utils thing was caught.” – Tom Pace [24:44]
Looking Forward
“I'm super optimistic about what's going on, especially from the federal government's perspective…they're going to be doing things that the commercial sector is barely almost considering in a lot of ways, which is just fascinating.” – Tom Pace [25:30]
- The shift: Federal government increasingly leads on supply chain security, bucking historical trends.
- Rationale: As the world’s biggest software buyer, government vigilance is vital for societal function.
Memorable Quotes
- Tom Pace on open source risk: “That horse left the barn 30 years ago.” [23:46]
- Dave Bittner, on government taking the lead: “It feels almost upside down.” [25:55]
- Tom Pace, on visibility: “[What] you have to do is get visibility so you can actually ascertain the data that you have so you can analyze it.” [21:13]
Final Segment – “Turnabout is Fair Play Desk”: North Korean Hackers Exposed
- Incident: A YouTuber, tracking scammers, inadvertently accessed a North Korean military computer and webcam, witnessing soldiers’ daily lives ([27:03]).
- Activities revealed: Soldiers working as remote freelance developers, using LinkedIn and ChatGPT, to earn funds for the regime, and sometimes taking part in major hacks and ransomware operations.
- Takeaway: Cybercrime is a significant part of North Korea's economy, and AI tools are supercharging their operations: “AI is making the whole operation faster, cheaper, and harder to spot.”
Key Timestamps
- 0:40 – Main world news headlines
- 2:12 – Dismantling the iPidia proxy network
- 4:34 – Ramp cybercrime forum seizure
- 6:04 – North Korean cyber operations splinter
- 7:40 – US cyber ops against Russian election interference
- 9:30 – Signal phishing campaign targeting journalists
- 11:30 – SolarWinds Web Help Desk vulnerabilities
- 12:20 – Amazon AI data CSAM exposure
- 13:21 – TA584 initial access broker expansion
- 14:00 – Chinese scam center executions
- 16:03-27:03 – Interview: Tom Pace on open source vulnerabilities and nation-state threats
- 27:03 – North Korean hackers themselves hacked (webcam story)
Tone & Takeaways
- The episode is urgent yet analytical, balancing breaking news with expert insight.
- The open source supply chain is positioned as today’s—and tomorrow’s—battleground for both defenders and adversaries, with government finally waking up to the challenge.
- Traditional assumptions about security, governance, and leadership are being upended as nation-state and criminal threat actors grow bolder and more sophisticated, and as defenders finally begin to adapt.
