CyberWire Daily — November 17, 2025
Episode Title: The Rise of AI-Driven Cyber Offense
Host: Dave Bittner (N2K Networks)
Main Guest: Jared Atkinson, CTO at SpecterOps
Episode Overview
This episode examines the growing landscape of AI-powered cyber offense, detailing government investments in offensive technologies and reviewing high-profile cyber incidents and research. The episode features a deep-dive interview with Jared Atkinson (SpecterOps) on attack path management, identity-centric threats, and the future of security postures in light of new attack techniques.
Key Discussion Points and Insights
1. The U.S. Invests in AI-Driven Offensive Cyber Capabilities
- Federal records reveal up to $12.6 million awarded to Arlington startup "20" for automating large-scale cyber operations (02:45).
- 20 is staffed by former Cyber Command/intelligence veterans, focusing on tools capable of autonomous attacks against hundreds of targets.
- Job listings: Work on autonomous agents, AI-powered attack tools, and social engineering personas.
- Broader context: Other nations (e.g., China) also pursue AI-agent hacking, indicating an international shift toward automated, scalable cyber conflict.
2. Illicit Crypto Flows and Exchanges
- NYT and ICIJ investigation: Over $28 billion in illicit funds channeled through major exchanges (03:40).
- Platforms like Binance and OKEx still handle funds tied to criminal/sanctioned entities, despite compliance pledges.
- "Victims of scams, from individual investors to bank executives, rarely recover lost funds." (04:15)
- Lightly regulated crypto-to-cash storefronts facilitate widespread money laundering.
3. Shadow MQ: Critical AI Inference Engine Vulnerabilities
- Oligo Security research: Remote code execution flaws in engines from Meta, Nvidia, Microsoft, and open-source LLM projects (05:30).
- Issues stem from unsafe ZeroMQ and Python Pickle usage.
- Flaws threaten customers’ data, model weights, and prompt integrity.
- Call for immediate patching and reducing exposure to unsafe protocols.
4. Surveillance & Privacy: Indian CCTV Hacking
- 50,000+ CCTV systems in India breached; video footage sold on Telegram (06:33).
- Hospitals, schools, public/private spaces infiltrated using brute-force on weak passwords.
- Highlights urgent need for default password changes, manufacturer safeguards, and privacy awareness.
5. Payroll Pirates: Credential Theft and Payroll Redirection via Google Ads
- Ongoing since 2023: Group uses malvertising to steal payroll credentials and reroute salaries (07:40).
- Highly adaptive, operates in clusters utilizing Google/Bing ads and aging domains.
- Group bypasses 2FA via real-time Telegram relay; operators likely based in Ukraine.
6. Brand Impersonation Campaign Targets Chinese Users
- Palo Alto Networks Unit 42: Brand impersonations deliver Ghost RAT malware (08:50).
- Two interlinked campaigns, over 2,000 malicious domains, leveraging popular app clones with multi-stage infection chains.
7. High-Profile Bitcoin Fraud and Asset Seizure
- SaaS Mining’s CEO scammed: $220,000 in BTC lost in a Monaco family office con (10:12).
- Funds instantly laundered via mixers, creating work for legal/crime recovery efforts.
- UK prosecutors seize £4.1 billion in crypto from Twitter hacker Joseph James O’Connor, underscoring growing asset recovery coordination.
8. Cybersecurity Industry Brief
- New funding and M&A surge:
  - Tenzai: $75M seed for AI-agent pen testing
  - Suite Security: $75M for CNAPP expansion
  - Multiple startups raising from $3M–25M to solve AI, application, and identity security challenges.
  - Notable acquisitions: Coalition buys Wirespeed (MDR), Arctic Wolf buys Upsight for ransomware prevention, and others expanding across cloud, GRC, and adversarial testing for AI-integrated environments.
Interview Spotlight: Jared Atkinson, CTO of SpecterOps
Topic: Attack Path Management and the Central Role of Identity
What Is Attack Path Management?
- Atkinson: “We can build essentially Google Maps for the environment...show me all of the attack paths, all the routes, from any arbitrary starting point to some destination that I define.” (16:30)
- Attackers seldom follow one path; there may be billions.
- Mapping and analyzing all possible attack routes is crucial for understanding organizational risk.
Why Is Identity Central?
- “The attacker is always operating in an identity context…they context switch from identity to identity.” (18:42)
- Across many systems, identities can be users, computers, service principals, or non-human accounts (19:22).
- Attackers leverage aggregated identity control, akin to a "snowball" effect, moving laterally and escalating privileges stepwise.
Tools Vs. Real-World Techniques
- “Attackers don’t go through your tools—they go around them.” (20:33)
- Defenders often rely on tools misaligned to real-world attack flows.
- Token hijacking and context theft can bypass controls meant for password protection alone.
Attack Path Management vs. Identity Governance/Least Privilege
- Identity Governance: Performs one-hop assessments; it focuses on proper access but misses downstream risk (21:59).
- Least Privilege Reality: “We operate with enough privilege...most organizations don’t do the second part, which is validating you can’t do things that are unnecessary for your job.” (23:56)
- True least privilege is rarely enforced due to operational ambiguity and complexity.
Visualizing Risk
- Adversarial Perspective: “Visualize risk the way adversaries do.” (24:52)
- Example: Active Directory syncing to Okta and then to GitHub—small overlooked dependencies add immense risk (25:35).
Prioritizing Remediation
- “What are the individual permissions that...everything funnels into? …There are certain configurations that are choke points.” (27:18)
- Fixing a few key configs (e.g., open admin rights to all users on a single machine) can eliminate thousands of attack paths.
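
An added example (not from the episode or from any real tool) of the choke-point idea above: it counts attack paths in a small constructed identity graph and ranks each relationship by how many paths disappear when it is remediated. All node names and relationship labels are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample graph: (source, relationship, destination).
# Every name and label here is hypothetical.
EDGES = [
    ("alice", "MemberOf", "Domain Users"),
    ("bob", "MemberOf", "Domain Users"),
    ("carol", "MemberOf", "Domain Users"),
    ("Domain Users", "AdminTo", "WS01"),       # open admin rights on one machine
    ("WS01", "HasSession", "svc_sync"),
    ("carol", "MemberOf", "Helpdesk"),
    ("Helpdesk", "ResetPassword", "svc_sync"),
    ("svc_sync", "SyncsTo", "Okta Admin"),     # directory-to-IdP dependency
    ("Okta Admin", "SSOAdminOf", "GitHub Org Owner"),
]
STARTS = ["alice", "bob", "carol"]
TARGET = "GitHub Org Owner"


def count_paths(edges, starts, target):
    """Count simple (cycle-free) paths from any start node to the target."""
    adj = defaultdict(list)
    for src, _rel, dst in edges:
        adj[src].append(dst)

    def walk(node, seen):
        if node == target:
            return 1
        return sum(walk(n, seen | {n}) for n in adj[node] if n not in seen)

    return sum(walk(s, {s}) for s in starts)


def choke_points(edges, starts, target):
    """Rank each edge by how many attack paths vanish when it is removed."""
    baseline = count_paths(edges, starts, target)
    ranked = []
    for edge in edges:
        remaining = count_paths([e for e in edges if e != edge], starts, target)
        ranked.append((baseline - remaining, edge))
    return sorted(ranked, key=lambda item: -item[0])


if __name__ == "__main__":
    print("attack paths:", count_paths(EDGES, STARTS, TARGET))
    for removed, (src, rel, dst) in choke_points(EDGES, STARTS, TARGET):
        print(f"{removed} path(s) cut by removing {src} -[{rel}]-> {dst}")
```

Removing one edge at a time is quadratic in graph size, which is fine for a sketch but not for a graph with billions of paths.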
The Collaboration Imperative
- Large-scale organizations need cross-team (AD admins, app owners, cloud ops) visibility and cooperation, especially as enterprise attack graphs span systems (29:06).
- SpecterOps’ BloodHound OpenGraph expands attack path analysis across cloud and SaaS ecosystems.
What’s Next? Hybrid Attack Paths
- Expectation: Attackers will increasingly traverse multiple systems (on-prem, cloud, SaaS, identity providers) seeking weakest security links (30:41).
- System-of-record (AD, Okta, JAMF, etc.) often becomes the "root" for attacker privilege escalation.
Notable Quotes & Memorable Moments
- On Attack Path Visualization: “It’s almost like MapQuest for the attacker.” — Jared Atkinson (16:55)
- On Identity’s Role in Attacks: “The attacker is always operating in an identity context...it’s an aggregation type of attack.” — Atkinson (18:42)
- On Organizational Challenges: “We operate with enough privilege...most organizations don’t do that second part.” — Atkinson (23:56)
- On The Complexity of Real-World Permissions: “Most organizations don’t do that second part, which is validating that you can’t do things that are unnecessary for you to do your job.” — Atkinson (23:56)
- Adversarial Mindset: "Visualize risk the way adversaries do." — Interviewer referencing Atkinson's work (24:54)
- On the Multitude of Attack Paths: "If you have a billion attack paths...what are the individual permissions that kind of, that everything funnels into?" — Atkinson (27:18)
Timestamps for Key Segments
- Federal investment in AI-driven cyber offense: 02:45
- Illicit crypto activity: 03:40–04:50
- AI inference engine vulnerabilities: 05:30
- Indian CCTV hacking: 06:33
- Payroll Pirates campaign: 07:40
- Brand impersonation and Ghost RAT: 08:50
- Bitcoin scams and asset seizure: 10:12
- Industry funding/acquisitions: 12:01
- SpecterOps interview on attack path management: 16:25–32:18
Tone & Style
The episode combines succinct news reporting with expert technical conversation. Dave Bittner’s tone is authoritative yet approachable, while Jared Atkinson offers in-depth but accessible explanations, often using analogies (“Google Maps for attackers”) and relatable humor.
Final Word
The rise of AI-driven offense is redefining both the scale and speed of cyberattacks, fueling demand for smarter, more dynamic defense strategies. Attack path management—especially when centered on identity—emerges as an essential discipline, requiring collaboration across technology silos and an adversary-informed mindset.
