Risky Bulletin: AI-driven Hacking Campaign Breaches 600+ Fortinet Devices
Podcast: Risky Bulletin (Risky Business Media)
Episode Date: February 23, 2026
Host/Reader: Claire Aird
Prepared by: Catalin Cimpanu
Episode Overview
This episode provides a rapid-fire update on major cybersecurity incidents and trends globally. The spotlight is on a sophisticated AI-driven hacking campaign that breached over 600 Fortinet firewalls, with other stories covering breaches, legal actions, vulnerabilities, and notable cybercriminal arrests worldwide.
Key Discussion Points & Insights
1. AI-Driven Attack on Fortinet Devices
- Segment: [00:08–01:10]
- A Russian-speaking threat actor leveraged commercial AI toolkits to bypass security and breach more than 600 Fortinet firewalls.
- Methodology:
- Exploited management services left exposed with weak credentials.
- Used DeepSeek for reconnaissance and Claude for vulnerability assessments and offensive tooling.
- The attackers strategically avoided well-defended networks.
- Notable Quote:
“The attacker breached the devices by exploiting exposed management services with weak credentials. From there they used DeepSeek for reconnaissance and Claude to generate vulnerability assessments and run offensive tools.” — Claire Aird [00:16]
2. Ivanti Hack via Bug in Ivanti’s Own Product
- Segment: [01:12–01:45]
- Chinese state-sponsored hackers compromised Ivanti’s internal network in 2021 using a flaw in Ivanti’s own Connect Secure VPN, as part of a campaign that also targeted US and European military contractors.
- Reports differ on how far the attackers penetrated the network.
- Notable Quote:
“Ivanti said the hackers did not reach its internal network. The hacks were part of a campaign that also targeted U.S. and European military contractors.” — Claire Aird [01:26]
3. Chinese Hackers Breach Italy’s Police Division
- Segment: [01:46–02:12]
- Attackers accessed the Special Investigations and Operations Division, stealing a list of 5,000 officers.
- Investigations data was reportedly unaffected.
- Believed intent: search for information on Chinese dissidents residing in Italy.
4. Wikipedia Bans Archive Today After DDoS
- Segment: [02:13–02:32]
- Wikipedia blacklisted the Archive Today archiving site after the service responded to a blog exposé with a DDoS attack via repeated page requests.
- Wikipedia is now replacing nearly 700,000 external links to Archive Today.
5. PayPal Data Leak via Loan Service Bug
- Segment: [02:33–02:54]
- Bug in PayPal’s Working Capital loan service exposed names, contact details, and Social Security numbers of customers for almost six months.
- PayPal says only 100 customers were affected.
6. Laptop Farms for North Korean IT Workers
- Segment: [02:55–03:23]
- Ukrainian national Oleksandr Dydenko sentenced to 5 years in the US for running “laptop farms” enabling North Korean IT workers to pose as Americans.
- Hosted as many as 871 identities via three US-based laptop farms.
7. Nigerian Cyberscam Hub Busted
- Segment: [03:24–03:41]
- Seven suspects arrested for running a cyberscam center in Nigeria, luring victims into fake crypto investments through social media ads.
- Operation succeeded with help from UK police and Facebook.
8. Romanian Hacker Pleads Guilty to US Network Intrusions
- Segment: [03:42–04:02]
- Katalin Dragomir confessed to hacking US organizations, including the Oregon state government, and brokering access to their networks.
- Earned at least $250,000 as an initial access broker; faces up to seven years in prison.
9. Trade Secret Theft from Silicon Valley Firms
- Segment: [04:03–04:26]
- Three arrested (sisters Samane and Saror Gandali, plus Mohammad Javid Khosravi) for stealing processor and cryptography trade secrets from Google and other firms, and later accessing the stolen data from Iran.
10. Critical Firefox Typo Bug
- Segment: [04:27–04:42]
- Remote code execution vulnerability caused by a single-character typo (an ampersand where a pipe was intended) in Firefox’s source code.
- Discovered by Alessio Gindini; promptly fixed.
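A constructed illustration of this bug class, added here as an example and not code from Firefox or from the episode: a hypothetical deny-guard over request flag bits (the bit names and the guard are assumptions for the example), written once as intended and once with `|` typed as `&`. The typo folds the mask to zero, so the guard compiles cleanly but allows every request; the third function is the kind of regression check that catches a guard which has silently become a no-op.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical request flag bits, constructed for this example (not Firefox's). */
#define REQ_FROM_CONTENT 0x1u /* request originates from untrusted web content */
#define REQ_CROSS_ORIGIN 0x2u /* request targets a different origin */

/* Intended guard: the privileged operation is allowed only when NEITHER bit is set. */
bool guard_correct(uint32_t flags) {
    return (flags & (REQ_FROM_CONTENT | REQ_CROSS_ORIGIN)) == 0;
}

/* Same guard with one character wrong. REQ_FROM_CONTENT & REQ_CROSS_ORIGIN is
 * 0x1 & 0x2 == 0, so the mask is 0, flags & 0 is always 0, and the guard
 * allows every request. The code still compiles without errors, which is why
 * this kind of typo survives until someone exercises the deny path. */
bool guard_typo(uint32_t flags) {
    return (flags & (REQ_FROM_CONTENT & REQ_CROSS_ORIGIN)) == 0;
}

/* Regression check for CI: a guard must reject at least one probe input.
 * A guard that allows all of them has silently become a no-op. */
bool guard_has_deny_case(bool (*guard)(uint32_t)) {
    const uint32_t probes[] = {
        0u, REQ_FROM_CONTENT, REQ_CROSS_ORIGIN,
        REQ_FROM_CONTENT | REQ_CROSS_ORIGIN,
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        if (!guard(probes[i])) {
            return true;
        }
    }
    return false;
}

int main(void) {
    uint32_t hostile = REQ_FROM_CONTENT | REQ_CROSS_ORIGIN;
    printf("correct guard allows hostile request: %s\n",
           guard_correct(hostile) ? "yes" : "no");
    printf("typo guard allows hostile request:    %s\n",
           guard_typo(hostile) ? "yes" : "no");
    printf("correct guard has a deny case: %s\n",
           guard_has_deny_case(guard_correct) ? "yes" : "no");
    printf("typo guard has a deny case:    %s\n",
           guard_has_deny_case(guard_typo) ? "yes" : "no");
    return 0;
}
```

The point for reviewers is that neither the compiler nor a test that only exercises the allow path notices the difference; a test suite needs at least one input that the guard is expected to reject, which is what `guard_has_deny_case` encodes.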
11. Roundcube Webmail Vulnerabilities
- Segment: [04:43–05:03]
- New exploits target two bugs, an insecure deserialization issue and a cross-site scripting flaw, both previously patched.
- Russian state-sponsored actors implicated in past Roundcube attacks.
12. Predator Spyware’s Advanced iPhone Evasion
- Segment: [05:04–05:20]
- Predator spyware (by Intellexa/Cytrox) can now hide the iPhone camera and microphone indicators, enabling silent surveillance without the user’s knowledge.
13. NPM ‘Sandworm Mode’ Spreading
- Segment: [05:21–05:42]
- A new worm, Sandworm Mode, is propagating via 19 NPM libraries, exfiltrating credentials and spreading to packages owned by compromised maintainers.
- Named for its similarities to last year’s Shai-Hulud worm; discovered and named by Socket Security.
14. Arizona’s Mobile App Age Verification Bill
- Segment: [05:43–06:04]
- Legislation proposed: mandatory age verification for all mobile apps, regardless of install source.
- If adopted, minors’ devices would require parental consent.
15. Microsoft Warns on OpenClaw AI Agents
- Segment: [06:05–06:32]
- Microsoft security team: "OpenClaw AI agents should be run only on dedicated virtual machines and credentials."
- Released hunting queries for Defender telemetry, underscoring the growing focus on AI security risks.
Memorable Quotes
- “The attacker breached the devices by exploiting exposed management services with weak credentials. From there they used DeepSeek for reconnaissance and Claude to generate vulnerability assessments and run offensive tools.” — Claire Aird [00:16]
- “Wikipedia will be replacing almost 700,000 links to the site.” — Claire Aird [02:29]
- “Once installed, these packages exfiltrate a victim's credentials and then spread to other packages they maintain.” — Claire Aird, describing NPM ‘Sandworm Mode’ worm [05:31]
- “Microsoft has warned against running OpenClaw AI agents...should be deployed only on dedicated virtual machines and with dedicated credentials.” — Claire Aird [06:06]
Timestamps for Major Stories
- Fortinet Breach: [00:08–01:10]
- Ivanti VPN Hack: [01:12–01:45]
- Italy Police Breach: [01:46–02:12]
- Wikipedia & Archive Today: [02:13–02:32]
- PayPal Data Leak: [02:33–02:54]
- North Korean Laptop Farms: [02:55–03:23]
- Nigeria Cyberscam Center: [03:24–03:41]
- Romanian Hacker Guilty Plea: [03:42–04:02]
- Silicon Valley Trade Secret Theft: [04:03–04:26]
- Firefox Typo Bug: [04:27–04:42]
- Roundcube Exploits: [04:43–05:03]
- Predator Spyware Warning: [05:04–05:20]
- NPM Worm: [05:21–05:42]
- Arizona App Age Verification Bill: [05:43–06:04]
- Microsoft OpenClaw Warning: [06:05–06:32]
Tone & Style
- The reporting remains straightforward, clear, and urgent, with a focus on actionable facts and significant incidents.
- The language is typical of cybersecurity briefings: concise, technical, and designed to quickly convey critical information to practitioners and stakeholders.
This episode is a must-listen for any cybersecurity professional seeking a rapid yet thorough scan of the latest threats and policy movements shaping the digital security landscape as of February 2026.
