Cybercrime losses surpassed $20 billion last year. Authorities disrupt a Russian router botnet that intercepted email logins. Iran hacks PLCs across the US, and exploitation hits ComfyUI and Flowise AI servers. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 8th of April and this podcast episode is brought to you by Airlock Digital.

In today's top story, Americans lost a record $21 billion to cybercrime last year. It's the highest amount since the FBI began tracking cybercrime data 25 years ago. Cyber-enabled fraud accounted for $17.7 billion, or 85% of last year's losses. $8.6 billion was lost to investment scams, making it the top fraud category for the fourth year in a row. The FBI also received more than 1 million cybercrime reports for the first time and says it's now receiving more than 3,000 a day.

In other news, CISA will likely have to cut staff as part of next year's proposed White House budget. The proposal, released last week, would cut $707 million from CISA's 2027 budget. This would translate to cutting 867 jobs, bringing its workforce to almost half the size it was when Donald Trump took office. The budget also cuts a program that supports local governments and eliminates CISA's 14-person election security program.

Russia's attempt to block VPNs last week caused a major banking outage. Point-of-sale and ATM transactions were down for a number of hours on Friday morning, according to local tech experts. The issue was caused by Russian banks using VPN tunnels within their infrastructure. Once operations were restored, Russia's Internet agency ordered some news sites to take down articles about the incident.

A key member of the REvil and GandCrab ransomware groups has been identified by German authorities. The 31-year-old Russian national, Daniil Shukin, used the online handle Unknown. He was an administrator and public representative of both groups. He'd previously been indicted in the US, but his role within the groups was unclear. According to a CCC talk from 2023, his last known location was Turkey. He'd fled Russia with his wife after the start of the Ukrainian war.

Russian military hackers have compromised thousands of routers globally to redirect select authentication traffic to phishing pages. Most of the compromised devices are MikroTik and TP-Link routers. The phishing pages target Microsoft accounts and email server login pages. Victims have been confirmed in Africa, Southeast Asia and Central America. The botnet's been linked to a collection of cyber units from Russia's military intelligence service, the GRU. The botnet was disrupted this week by US authorities, Microsoft and Lumen Technologies.

Iranian threat actors are hacking Internet-exposed programmable logic controllers. CISA and the FBI say disruptions have been reported across the US. The attacks have targeted Rockwell and Allen-Bradley PLCs.

A threat actor using the moniker Raccoon is extorting high-value corporations. The attacker is using social engineering to trick employees into accessing fake Okta login pages. Google's security team has spotted attacks against dozens of major companies.

Brazilian authorities have arrested a man accused of running a fake mobile base station from his apartment window. It was used as an SMS blaster to send spam. The device was detected by Brazil's communications watchdog, Anatel. The agency held workshops for local telcos last year about how to spot fake base stations.

The founder of spyware company PC Tattletale has avoided further jail time. Brian Fleming was sentenced last week to time served and received a fine of $5,000. He was charged with creating and selling the spyware last year and pleaded guilty in January. Fleming shut down PC Tattletale in 2024 after the company leaked customer data.

A major US law firm has confirmed a security breach after hackers posted client information online. The breach at Jones Day was the result of a successful phishing attack. The company is one of the biggest corporate law firms in the U.S., employing more than 2,400 lawyers. The firm represented U.S. president Donald Trump during both of his election campaigns.

Two Canadian telecommunications companies have reported recent data breaches. Freedom Mobile and Rogers have notified customers of the incidents. The intrusions appear to be related to a breach at the business outsourcing company Telus Digital.

A cybersecurity incident has disrupted the Bat Mini security alarm monitoring system. The system was down for two days across the U.S. last week. Its vendor, Uplink, has not provided details about the root cause.

North Korean hackers built a fake trading company to steal $280 million from the Drift platform. The attackers spent months building trust with their targets. They then used malicious Apple TestFlight apps and VS Code extensions to compromise devices. Hackers used the compromised systems to sign the transactions that emptied Drift's treasury last month. Investigators linked the attack to a group known as Citrine Sleet.

A threat actor is abusing ComfyUI to deploy cryptocurrency miners on high-capacity cloud servers. Compromised systems are also enrolled in a proxy network. Censys says the same attacker is also exploiting Redis databases.

Threat actors are launching attacks on Flowise, a web-based tool for building and deploying AI agents. The attackers are leveraging a major vulnerability that was patched in September. The bug allows remote unauthenticated attackers to inject and run commands on the Flowise server. The vulnerability has a severity rating of 10. VulnCheck first spotted attacks this week.

A Chinese cybercrime group has used zero-days to deploy the Medusa ransomware. Microsoft has linked the group, known as Storm-1175, to zero-days in GoAnywhere MFT and SmarterMail. The group also used 14 additional vulnerabilities shortly after public disclosure. Microsoft says the group moves rapidly from initial compromise to ransomware deployment and rotates exploits on a regular basis.

A security researcher has published proof-of-concept code for a Windows zero-day. The Blue Hammer zero-day can be used to elevate privileges on Windows. The researcher appears to have released the exploit code after a disagreement with Microsoft's team that handles its bug bounty program.

Cloudflare plans to secure its cloud systems against post-quantum encryption attacks by 2029. The company has accelerated its roadmap following a similar announcement from Google last week. Cloudflare and Google both cited recent advances in quantum computers.

And finally, Anthropic has given more than 40 tech companies access to a new AI agent for cybersecurity defence work. The Mythos agent has been designed to help companies find vulnerabilities in their code. Anthropic has also donated $4 million to open source security organizations to help fund the patching of identified issues.

And that is all for this podcast edition. Today's show was brought to you by Airlock Digital. Find them at airlockdigital.com. Thanks for your company.
Date: April 8, 2026
Host: Risky Business Media (read by Claire Aird, prepared by Catalin Cimpanu)
This episode of the Risky Bulletin delivers a comprehensive roundup of recent cybersecurity news, focusing on the sharp rise in global cybercrime losses, major attacks and takedowns, government cyber policy developments, and threat actor activities. The show presents rapid-fire updates on incidents, threat trends, and law enforcement responses from around the world.
"It's the highest amount since the FBI began tracking cybercrime data 25 years ago." (00:17)
"Russian military hackers have compromised thousands of routers globally to redirect select authentication traffic to phishing pages." (01:44)
"The vulnerability has a severity rating of 10." (03:59)
"The Mythos agent has been designed to help companies find vulnerabilities in their code." (04:19)
This Risky Bulletin encapsulates a year of record-breaking cybercrime—highlighting American losses, high-profile threat actor disruptions, shifts in national cyber budgets, and new vulnerabilities affecting both corporate and critical infrastructure. The bulletin underscores the evolving tactics of threat groups from Russia, Iran, North Korea, and China, and notes critical leaps in defensive technology and cross-industry collaboration—especially in adapting to emerging challenges like quantum computing and AI-augmented security.
Anyone wanting a clear, concise view of the cybersecurity landscape as of April 2026 would find this episode essential listening.