Summary6 min read

CyberWire Daily – April 10, 2026

Episode Title: The AI Arms Race Hits Finance

Host: Dave Bittner (N2K Networks)
Special Guest: Henry Comfort, Co-founder and CEO, Jordi AI

Episode Overview

This episode delves into the mounting concerns around artificial intelligence in the financial sector, highlighting regulators' worries, potential cyber risks, and the need for robust oversight as AI's sophistication grows. Key stories include the US government's response to advanced AI in finance, a massive alleged data breach in China, developments in quantum cryptography, targeted cyber threats, and an exclusive interview with innovation award winner Henry Comfort.

Key Discussion Points & Insights

AI and Finance: Emerging Risks and Regulation

[02:40–08:00]

Regulatory Concerns: U.S. Treasury Secretary Scott Besant and Federal Reserve Chair Jay Powell called top Wall Street CEOs together to discuss the risks posed by advanced AI models like Anthropic’s “Claude Mythos Preview.”
- “Policymakers worry that increasingly capable AI could enable more sophisticated cyberattacks.” (B, 03:10)
- JPMorgan Chase CEO Jamie Dimon cautioned that AI may introduce new cybersecurity vulnerabilities.
- Former Microsoft exec Craig Mundy raised alarms on AI potentially democratizing advanced hacking capabilities.
Dual-Use Dilemma: AI tools can both defend and endanger critical financial infrastructure, prompting government focus on the double-edged sword nature of emerging tech.
Ongoing Legal Battles:
- Federal appeals court allows Pentagon to maintain restrictions on Anthropic’s models in defense systems amid national security concerns—even as courts weigh the policy's legality.

Alleged 10-Petabyte Data Breach in China

[08:01–10:00]

Incident Details: A hacker dubbed “Flaming China” claims to have stolen over 10 petabytes of data from China's National Supercomputing Center.
- Data allegedly includes missile schematics, state secrets, and research tied to top institutions.
- Attackers reportedly gained entry via a compromised VPN, extracting data quietly over months.
- Experts warn this could benefit foreign intelligence and underscores persistent infrastructure weaknesses.

Quantum Computing Threat Timelines & Crypto Concerns

[10:01–11:30]

Quantum Leap: New research from Caltech, Oratomic, and UC suggests quantum computers powerful enough to break current cryptography may arrive much sooner, requiring only around 10,000 qubits (previous estimates ran much higher).
- Accelerates pressure on organizations like Google, which is already fast-tracking quantum-resistant encryption.
- Divergent opinions: some experts warn of "harvest now, decrypt later" risks, while others think major quantum threats are decades away.

Apple Intelligence Prompt Injection Vulnerability

[11:31–12:31]

Demo at RSAC: Researchers at the RSAC Research Lab showed a prompt injection attack successfully manipulating Apple’s on-device LLM.
- Attack combined neural exec adversarial inputs and Unicode right-to-left override techniques.
- 76% success rate before being patched in iOS/macOS 26.4.
- Up to 1 million users potentially affected before mitigation; users urged to update devices.

Payroll Pirates Target Canadians

[12:31–13:30]

Storm 2755 Attacks: Threat actor leveraged adversary-in-the-middle phishing mimicking Microsoft 365 to hijack payroll accounts.
- Stole authentication tokens and session cookies, bypassing MFA.
- Manipulated HR systems, hid relevant emails, and directly altered payroll details.
- FBI reports business email compromise (BEC) losses topped $3 billion last year.
- Microsoft urges use of robust MFA, session controls, and removing malicious inbox rules.

Google’s End-to-End Encryption Expansion

[13:31–14:00]

Full E2EE now available in Gmail mobile apps for enterprise users.
Feature relies on client-side encryption for regulatory compliance, ensuring organizations retain control of encryption keys.

Chrome Critical Patches

[14:00–14:30]

Chrome version 147 released with 60 vulnerability fixes, including critical WebML flaws enabling sandbox escape and remote code execution.
Google notes no active exploits yet detected.

Pennsylvania State Police Deepfake Scandal

[14:30–14:44]

State police corporal Stephen Kamnik pled guilty to creating over 3,000 AI-generated deepfake pornographic images using governmental databases.
Some images involved judges and minors; case highlights dangers stemming from wide AI tool accessibility.

Interview Highlight: Henry Comfort, CEO of Jordi AI

[14:44–18:09]

Winning at RSAC Innovation Sandbox

Henry Comfort:
- “It feels amazing. ... To now be here winning it is an incredibly proud moment ... already built a product that's helping companies understand their agentic operations and manage the risk.” (C, 14:44)
- Reflects on Jordi AI’s growth from idea to award-winning startup, emphasizing the team's dedication.

The Company Name & Mission

On "Jordi" Lamp Inspiration:
- “We drew a parallel ... the first industrial revolution ... There were invisible risks ... we developed mining lamps to manage that risk. ... We do the same for the agentic era.” (C, 15:32)
- The team sees their solution as a “lamp” for the AI age, helping companies see and manage invisible operational dangers.

What Does Jordi AI Do?

“We help you understand your agentic footprint ... how they're configured, their posture and their runtime observability ... Then we help you manage the risk and understand it. ... Finally we help you remediate it ... using context engineering to steer agents.” (C, 16:27)

On Entering Innovation Sandbox

“We see Sandbox as an amazing catalyst ... spotlights the most innovative solutions, the most game-changing future companies. ... It’s the Oscars for cybersecurity.” (C, 17:17)

What’s Next?

Jordi AI will keep expanding and focusing on helping clients unlock AI-driven innovation while managing new risks.
- “Continue helping more customers ... understand their agentic operations and ... unlock innovation.” (C, 17:54)

FCC Cracks Down on Robocalls

[19:35–20:55]

Proposed stricter “know your customer” rules for telecom providers.
Providers must collect more info on high-volume callers, justify mass calling, and retain records for four years.
Aims to make illegal robocalls riskier and easier to trace.
- “Originating carriers would need to collect more identifying details, verify them more carefully, and face penalties calculated per illegal call rather than per violation.” (B, 19:45)

Notable Quotes & Memorable Moments

On AI’s Dual Nature in Finance:
- “The meeting reflects growing government attention to AI’s dual use nature, as officials weigh both its defensive benefits and its potential to amplify cyber risk across critical financial infrastructure.” (B, 03:50)
On Agentic Risk:
- “Right now a lot of security teams are struggling to get their heads around agentic risk.” (C, 16:49)
On Innovation Culture:
- “It’s the Oscars for cybersecurity and we treat it like that.” (C, 17:19)
On Robocall Accountability:
- “Providers might even be required to keep identity records for four years after customers depart, presumably just in case the calls keep coming anyway.” (B, 20:05)

Timestamps for Important Segments

[02:40] – AI arms race and financial regulation
[08:01] – China’s National Supercomputing Center alleged breach
[10:01] – Advances and concerns in quantum computing
[11:31] – Apple LLM prompt injection vulnerability
[12:31] – Storm 2755 attacks Canadian payroll systems
[13:31] – Gmail expands E2EE; Chrome patches
[14:30] – Deepfake scandal involving state police
[14:44] – Interview: Henry Comfort on Jordi AI
[19:35] – FCC’s enhanced rules against robocalls

Summary

This episode underscores the rapidly evolving cybersecurity landscape amid an AI boom, raising urgent questions about risk, regulation, and resilience for critical infrastructure. The exclusive with Jordi AI’s Henry Comfort highlights efforts to equip organizations with tools to manage the dawn of the “agentic era.” Parallel topics range from existential quantum threats to criminal deepfakes and fortifying communications security, painting a picture of both hope and high stakes for the digital future.

Loading summary

Transcript20 lines

[00:02]
A
You're listening to the Cyberwire Network powered by N2K.
[00:14]
B
No, it's not your imagination. Risk and regulation really are ramping up, and these days customers expect proof of security before they'll even do business. That's where Vanta comes in. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI powered platform. So whether you're getting ready for a SoC2 or managing an enterprise governance risk and compliance program, Vanta helps keep you secure and keeps your deals moving. Companies like Ramp and RYTR spend 82% less time on audits with Vanta. That means less time chasing paperwork and more time focused on growth. For me, it comes down to this. Over 10,000 companies, from startups to large enterprises, trust Vanta to help prove their security. Get started@vanta.com cyber. The Treasury Secretary and Fed Chair Summon bankers over AI concerns A hacker claims more than 10 petabytes stolen from China's National Supercomputing Center. Recalibrating the quantum timeline, researchers demo prompt injection against Apple Intelligence Payroll pirates target Canadians Gmail gets end to end encryption on mobile devices. A Chrome update fixes critical vulnerabilities. A Pennsylvania cop admits creating more than 3,000 AI generated pornographic deepfakes. Our guest is Henry Comfort, co founder and CEO of Jordi AI, winner of this year's RS Innovation Sandbox, and the FCC floats firmer filters for fraudulent phone calls. It's Friday, april 10, 2026. I'm dave bittner and this is your cyberwire intel brief.
[02:33]
C
Foreign.
[02:40]
B
Thanks for joining us here today and happy Friday. It's been a heck of a week, and it's great to have you here with us. U.S. financial regulators are increasingly concerned that advanced artificial intelligence could introduce new systemic cybersecurity risks to the banking sector. Treasury Secretary Scott Besant and Federal Reserve Chair Jay Powell recently convened top Wall Street CEOs to discuss Anthropic's latest model, Claude Mythos Preview, and the potential threat similar tools may pose if misused. While Anthropic says the model is intended to help identify and fix critical vulnerabilities, policymakers worry that increasingly capable AI could also enable more sophisticated cyber attacks. Industry leaders have echoed those concerns. JPMorgan Chase CEO Jamie Dimon warned that AI may create new security weaknesses, and former Microsoft executive Craig Mundy suggested powerful models could broaden access to advanced hacking capabilities. The meeting reflects growing government attention to AI's dual use nature, as officials weigh both its defensive benefits and its potential to amplify cyber risk across critical financial infrastructure. Meanwhile, a federal appeals court in Washington allowed the Pentagon to keep blacklisting Anthropic from defense contracts while legal challenges continue in other courts. The ruling lets the military remove clawed models from defense systems and restrict contractor use. Though a California court has limited parts of the policy, judges emphasize national security concerns over financial harm to Anthropic. The decision does not resolve whether the designation is lawful, leaving broader constitutional and procurement disputes ongoing as parallel cases proceed. A hacker using the alias Flaming China claims to have stolen more than 10 petabytes of sensitive data from China's National Supercomputing center in Tianjin, potentially one of the largest alleged data exfiltrations from the country. Samples reviewed by cybersecurity researchers appear to include documents marked secret, along with missile schematics, aerospace research and other defense related materials tied to major Chinese institutions. Experts say the attacker may have accessed the system through a compromised VPN and quietly extracted data over several months using distributed automated tools. However, the data set's origin remains unverified by independent authorities. If confirmed, analysts say the volume and sensitivity of the material could make it highly valuable to foreign intelligence services and highlight ongoing cybersecurity weaknesses in parts of China's critical infrastructure. Google's decision to accelerate its shift to quantum resistant encryption reflects growing concern that quantum computers capable of breaking today's cryptography may arrive sooner than expected. New research from the California Institute of Technology, Oratomic and the University of California suggest such systems could require as few as 10,000 qubits, far fewer than earlier estimates of millions. Google researchers also reported reduced hardware requirements for breaking widely used encryption. Officials and experts warn this raises the risk of harvest now decrypt later campaigns and highlights rapid advances, including Chinese investment in quantum technology. Some analysts say the timeline for quantum threats now overlaps with currently deployed systems, especially blockchain infrastructure. However, other cryptography experts remain skeptical that practical quantum attacks are imminent, arguing large scale fault tolerant quantum computers may still be decades away. Researchers at the RSAC Research Lab demonstrated a prompt injection attack that could hijack Apple Intelligence's on device large language model by combining a neural exec adversarial input with a Unicode right to left override technique to bypass Apple's input and output filters. The method allowed attackers to force the model to execute arbitrary tasks with a reported 76% success rate across test prompts before Apple patched the issue. In iOS 26.4 and macrosos 26.4, attackers could potentially access sensitive data available to apps using the local model, including health or personal media content. Researchers estimated between 100,000 and 1 million users may have been exposed through affected apps. Apple has since deployed mitigations, and researchers report no evidence of exploitation in the wild. Users running earlier operating system versions are advised to update to the latest versions. A financially motivated threat actor tracked as Storm 2755 is conducting payroll pirate attacks that redirect Canadian employees salary payments after hijacking their accounts. The group uses adversary in the middle. Phishing pages Disguised as Microsoft 365 Sign in portals to capture authentication tokens and session cookies, allowing them to bypass multi factor authentication without needing passwords or codes. After gaining access, attackers hide HR related emails using inbox rules and contact payroll staff to request changes to direct deposit details. When social engineering fails, they log directly into HR platforms such as Workday to alter payment information. Microsoft advises organizations to deploy phishing resistant MFA block legacy authentication, revoke compromised sessions, and remove malicious inbox rules. Payroll diversion schemes are a form of business email compromise, which the FBI says caused more than $3 billion in losses last year. Google has expanded Gmail end to end encryption to Android and iOS, allowing enterprise users to send and read encrypted emails directly within the mobile app. Without extra tools, messages can be delivered to Gmail recipients normally, while others can access them through a browser. The feature relies on client side encryption, meaning organizations control encryption keys stored outside Google's servers. Available to Enterprise plus users with assured controls add ons, the update supports regulatory compliance and extends encrypted messaging across platforms and email providers. Google has released Chrome 147 with fixes for 60 vulnerabilities, including two critical flaws in the WebML component used to run machine learning models in the browser. The issues a heap buffer overflow and an integer overflow could enable sandbox escape or remote code execution. 14 additional high severity bugs affect components such as WebRTC, V8, Blink and Skia. Google says none are known to be exploited in the wild. The update also introduces stronger session cookie protections to reduce account compromise risks. A Pennsylvania State Police corporal has pleaded guilty to multiple crimes, including creating more than 3,000 AI generated pornographic deepfakes using images taken from state databases such as driver's license records. Authorities say Stephen Kamnik misused Commonwealth Systems for years, generating explicit material involving numerous women, including a district court judge, sometimes on state owned devices at police barracks. Investigators discovered the activity in 2024 after unusual Internet usage triggered a review of his workstation, leading to the seizure of devices containing illicit content, including child sexual abuse material. Kamnik also secretly filmed individuals accessed restricted databases in violation of policy, possessed a stolen firearm and broke into a women's locker room at the barracks. The case reflects broader concerns about the growing accessibility of AI deepfake tools, which have also been used in recent incidents involving students in eastern Pennsylvania high schools. Hamnick is scheduled for sentencing in July. Coming up after the my conversation with henry comfort, co founder and CEO of jordi AI, winner of this year's rsac innovation sandbox and the fcc floats firmer filters for fraudulent phone calls. Stay with us. Foreign maybe that's an urgent message from your CEO. Or maybe it's a deep fake trying to target your business. Doppel is the AI native social engineering defense platform fighting back against impersonation and manipulation. As attackers use AI to make their tactics more sophisticated, Doppel uses it to fight back from automatically dismantling cross channel attacks to building team resilience and more Doppel outpacing what's next in social engineering. Learn more@doppel.com that's D O P E L dot com. Your vehicle doesn't just get you from here to there. It's a bridge to the people and places that matter most. It's how you show up for your family, your community and everyone else that depends on you. That's why for 125 years Firestone has been building tires with one thing in to deliver products that are as reliable as you are. Firestone always dependable since 1900. One of the highlights of RSAC is always the Innovation Sandbox. And this year, after the announcement of the winner, I got to speak with Henry Comfort, co founder and CEO of Jordi AI, this year's winner. The winner of the RSAC Most Innovative Startup 2026. Drumroll please. So here we are at the Innovation Sandbox and congratulations on winning this year. You just came off the stage. How do you feel?
[14:45]
C
It feels amazing. It's really a bit of a dream. Last year we came to RSA and we just started our company and I remember speaking to some of our investors and they said are you going to go for Sandbox next year? And you took a second and you went yeah, we're going to go for it. So to now be here winning it is an incredibly proud moment, but more significantly a moment where we just one step to reflect upon the fact that we've already built a product that's helping companies understand their agentic operations and manage the risk. We've built an amazing team who have worked so hard over the past year to make it happen and we have such great aspirations and ambitions for the future. So this is a really powerful moment for us and we look forward to building upon it.
[15:25]
B
One of the things I found inspiring about your story was the name itself, the Geordi Lite. Give us the description of that.
[15:32]
C
Yeah, I mean, we drew a parallel back when we were starting the company between what was possible with agents and the first industrial revolution. All of a sudden we have access to all this operational leverage we didn't have before as a result of technology, but just as we have right now. During the Industrial revolution, there were invisible risks that teams had to deal with. And at the time, the teams were mining coals in the coal mines and the invisible gases were released in the process and it was very, very dangerous. But we developed mining lamps to help us manage that risk. An example of this was the Geordie lamp had a small candle inside and at the moment the gas is built up, the candle went out. It gave the workers at the time line of sight to this new risk. And we do the same for the agentic era. And we took a real, real thought went into the name and the story because we really do feel that we're as significant a moment in technological development and we want to play as significant a role in helping companies unlock the benefits by managing the risks.
[16:24]
B
Well, give us the elevator speech. What does the product do?
[16:28]
C
Yeah, so we help you understand your agentic footprint across the various different service areas that agents operate in. We give you a deep understanding of how they're configured, their posture and their runtime observability of their actual operations. Then we help you manage the risk and understand it. Right now a lot of security teams are struggling to get their heads around agentic risk. And then finally we help you remediate it. But we don't take a legacy approach. We use context engineering to steer agents towards better pathways and then block the ones you least want. And from that it's quite a holistic approach to agentic risk management and governance that's benefiting our customers today.
[17:06]
B
Why choose to do the Sandbox startups? You don't have a lot of free time. This takes a lot of time. For you, it paid off. But what was the equation that made you decide this was something you wanted to pursue?
[17:17]
C
We see Sandbox as an amazing catalyst for companies really spotlighting the most innovative solutions, the most game changing future companies. And we wanted to be part of that. So every moment spent on this was a moment well spent. And I think everyone who was a finalist or even who tried to become a finalist would say the same thing. This is. One of my investors described it to us as the I think it was the Oscars for cybersecurity and we treat it like that. You know, this means an incredible amount to us as a company, as it did to all the other finalists. So it's a privilege to be part of it and an absolute honor to
[17:52]
B
win what's next for you and your team.
[17:54]
C
Continue helping more customers ultimately understand their agentic operations and help them manage the risks so that they can unlock innovation. That's what we're here to do. So we'll continue to grow our team and continue to work with customers to make sure that they're equipped in this new era.
[18:08]
B
Well, congratulations and best of luck to you.
[18:10]
C
Thanks so much.
[18:12]
B
That's Henry Comfort, co founder and CEO of Jordi AI, winner of this year's RSAC Innovations Sandbox.
[18:31]
D
Spring Black Friday is on at the Home Depot. Save on grills and patio sets that will be sure to bring your hosting game up a notch. Fire up your feast with help from the Home Depot and save on grills like the next grill four burner propane gas grill was $249 now in special buy for $1.99 or give everyone the best seat in the yard with the Hampton bay Mayfield park four piece conversation set for only $399. Save on grills and patio sets with low prices guaranteed during Spring Black Friday only at the Home Depot now through April 22nd while supplies last exclusion supplies to homedevot.com Pricematch for details.
[19:02]
A
This episode is brought to you by Indeed. Stop waiting around for the perfect candidate. Instead, use Indeed sponsored jobs to find the right people with the right skills fast. It's a simple way to make sure your listing is the first candidate. C According to Indeed data, sponsored jobs have four times more applicants than non sponsored jobs. So go build your dream team today with Indeed. Get a $75 sponsored job credit at Indeed.com podcast. Terms and conditions apply.
[19:36]
B
And finally, the Federal Communications Commission is once again sharpening its tools against robocalls, this time by proposing stricter know your customer rules for phone service providers who appear in the agency's view to have been asking far too few questions of suspicious callers. Under the proposal, originating carriers would need to collect more identifying details, verify them more carefully, and face penalties calculated per illegal call rather than per violation, which could make nuisance dialing a more expensive hobby. High volume callers would also have to explain why they're calling so many people in the first place, a question consumers have been quietly asking for years. Providers might even be required to keep identity records for four years after customers depart, presumably just in case the calls keep coming anyway. The FCC argues stronger rules would help law enforcement trace crimes tied to illegal calling. Meanwhile, robocalls, stubborn as ever, continue ringing through. And that's the CyberWire. For links to all of today's stories, check out our daily briefing@thecyberwire.com be sure to check out this weekend's Research Saturday and my conversation with Selena Larson, threat researcher from proofpoint's research team. The research is titled Don't Trust Connect. It's a rat in an RMM hat. That's Research Saturday. Check it out. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's lead producer is Liz Stokes. We're mixed by Trey Hester with original music and sound design by Elliot Peltzman. Ethan Cook is our lead analyst. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher. I'm Dave Pittner. Thanks for listening. We'll see you back here next week.
[22:22]
A
Your next chapter in healthcare starts at Carrington College's School of Nursing in Portland. Join us for our open house on Tuesday, January 13th from 4 to 7pm you'll tour our campus, see live demos, meet instructors and learn about our Associate Degree in Nursing program that prepares you to become a registered nurse. Take the first step toward your nursing career. Save your spot now at Caryer Carrington Edu Events. For information on program outcomes, visit carrington. Edu Sci Fi.