Risky Bulletin: FBI extracted Signal chats from iPhone notifications logs

Summary5 min read

Podcast: Risky Bulletin
Host: Risky Business Media
Date: April 10, 2026

Episode Overview

This episode delivers a rapid-fire roundup of the week's top cybersecurity news, with headline stories including the FBI's extraction of deleted Signal messages via iPhone notification logs, major government and private sector data breaches, emerging cyber threats, and legal actions within the cybersecurity industry. The reporting is direct, concise, and focused on recent high-impact events affecting law enforcement, technology firms, and the general public.

Key Themes & Major Stories

1. FBI Extracted Signal Messages from Deleted App via iPhone Notifications

Timestamps: [00:04] – [01:02]
"The FBI has extracted signal messages from a suspect's device after the app had been deleted. The information was extracted from the iPhone's database of previous notifications."
Origin of Story: 404 Media reports, related to anti-ICE protests in Texas.
Insight: Even after deletion, notification logs can leave behind sensitive message fragments.
Implication: Raises concerns over digital residue on mobile devices and the possibilities for law enforcement data recovery.

2. High-Profile Data Breaches

Los Angeles Police and City Attorney’s Office Data Leak

Timestamps: [01:03] – [01:37]
Hackers released 7.7TB of sensitive data, including officer details, witness names, medical records, and internal affairs investigations.
"Hackers have published data from the Los Angeles City Attorney's Office. The stolen data includes sensitive case details and and the personal information of police officers."

China’s National Supercomputing Centre Breach

Timestamps: [01:38] – [02:04]
Petabytes of data, including apparent military and government documents, were stolen and leaked by hacking group “Flaming China.”
After weeks of investigation, the authenticity was confirmed.

3. Cryptocurrency-Related Attacks & Regulatory Movements

Bitcoin Depot Hack

Timestamps: [02:05] – [02:22]
$3.6 million stolen from wallet of major crypto ATM operator.

U.S. Treasury Shares Crypto Threat Intelligence

Timestamps: [04:06] – [04:25]
Launch of a threat intel sharing group for the digital asset industry due to frequent platform hacks.

4. Healthcare & Public Sector Disruptions

Dutch Health Sector Ransomware – ChipSoft

Timestamps: [02:23] – [02:42]
Vendor for Dutch hospitals targeted, but platform remained available. Hicks manages records for 70% of hospitals.

Minnesota County Cyberattack

Timestamps: [02:43] – [03:11]
National Guard cyber units deployed to Winona County; public services disrupted. Distinct from earlier ransomware attack in July.

Local Government Fleet Management Attack

Timestamps: [03:12] – [03:35]
FleetWave platform compromised, impacting vehicle assignments/maintenance for multiple local authorities.

5. Technology Industry and Marketplace Security

Microsoft Suspends Developer Accounts

Timestamps: [03:36] – [03:59]
VeraCrypt, WireGuard, and Windscribe unable to sign drivers or ship updates due to new verification process; issues being resolved.
"Veracrypt and Windscribe developers have since said the issue's being resolved with Microsoft."

Ransomware and Plugin Supply Chain Attacks

Timestamps: [05:03] – [05:35]
NextEnd (Smart Slider) update server breached; malware shipped to WordPress/Joomla sites for six hours.
Detected rapidly; plugin developer traced incident to compromise of update infrastructure.

6. Emerging Surveillance and Tracking Tools

Global Geotracking Tool Adoption

Timestamps: [04:00] – [04:05]
Hungary, U.S., and El Salvador deploy “Web block” – a geotracking tool developed by Israeli vendor Cobwebs, now sold by Penlink.
Law enforcement and intelligence use; can profile whole populations.

7. Zero-Day Threats and Botnets

Adobe Reader Zero-Day in the Wild

Timestamps: [04:51] – [05:02]
Exploits using LUA documents tied to Russia's oil/gas sector. No formal patch or attribution yet.
"An Adobe Reader Zero Day has been exploited in the wild since at least November."

Mass Gesu IoT Botnet

Timestamps: [05:36] – [05:53]
Long-running botnet avoids U.S. government IPs to dodge law enforcement detection; mainly DDoS-for-hire service.

8. Insider Threats and Employee Misconduct

Former Trenchant Executive Sells Exploits

Timestamps: [04:26] – [04:50]
Peter Williams pleads guilty to selling company iOS exploits to a Russian broker amid financial stress and burnout; sentenced to 87 months.
"He he described his actions as extraordinarily poor judgement." (Court letter, cited by Kim Zetter)

Ex-Meta Employee Downloads Private Facebook Photos

Timestamps: [04:51] – [05:02]
Created script to bypass Facebook defenses and downloaded over 30,000 photos before being caught and reported.

9. Standards, AI & Social Media Policy

Agent Name Service for AI Agents

Timestamps: [05:54] – [06:09]
Akamai/Cloudflare support for open registry assigning unique identities to AI crawlers, modelled after DNS and cryptographically signed.

Greece to Ban Social Media for Children Under 15

Timestamps: [06:10] – [06:20]
First European country to implement age restriction next year; France, Spain, Denmark considering similar measures.

Notable Quotes & Moments

On FBI Data Extraction:
"The FBI has extracted signal messages from a suspect's device after the app had been deleted. The information was extracted from the iPhone's database of previous notifications." ([00:10])
On Public Sector Data Breach:
"The stolen data includes sensitive case details and and the personal information of police officers. Witness names, medical records and internal affairs investigations are also included..." ([01:15])
On Trenchant Betrayal:
"He described his actions as extraordinarily poor judgement." (Peter Williams letter, cited by Kim Zetter) ([04:47])
On Zero-Day Exploitation:
"An Adobe Reader Zero Day has been exploited in the wild since at least November. The attacks used LUA documents related to Russia's oil and gas sector." ([04:51])

Timeline – Timestamps for Major Stories

FBI Signal extraction: [00:04] – [01:02]
LA police data leak: [01:03] – [01:37]
China supercomputer hack: [01:38] – [02:04]
Bitcoin Depot theft: [02:05] – [02:22]
Dutch health sector ransomware: [02:23] – [02:42]
Minnesota County cyberattack: [02:43] – [03:11]
FleetWave platform breach: [03:12] – [03:35]
Microsoft developer account suspensions: [03:36] – [03:59]
Geotracking tool deployed: [04:00] – [04:05]
US Treasury crypto threat-sharing: [04:06] – [04:25]
Trenchant iOS exploit sale: [04:26] – [04:50]
Meta employee data theft: [04:51] – [05:02]
Adobe Reader Zero Day: [05:03] – [05:14]
Mass Gesu botnet: [05:15] – [05:35]
NextEnd Smart Slider plugin breach: [05:36] – [05:53]
Agent Name Service for AI: [05:54] – [06:09]
Greek social media ban: [06:10] – [06:20]

Conclusion

This Risky Bulletin gives a succinct, news-driven overview of ongoing cyber threats, law enforcement actions, and policy shifts affecting the tech and digital security landscape globally. Each item is grounded in current reporting, with key concerns around data persistence, critical infrastructure security, insider threats, and the interplay between technical vulnerabilities and regulatory actions. The language is factual, urgent, and accessible for both IT professionals and the broader public.

Loading summary

Transcript1 lines

[00:04]
A
The FBI extracted signal chats from iPhone notification logs, Los Angeles police data was leaked online, A former Meta employee is under investigation for downloading private photos, and an Adobe Reader Zero Day is being exploited in the wild. This is the risky bulletin prepared by Katalin Kim Panu and read by me, Claire aird. Today is the 10th of April and this podcast episode is brought to you by Airlock. In today's top story, the FBI has extracted signal messages from a suspect's device after the app had been deleted. The information was extracted from the iPhone's database of previous notifications. According to 404 Media, the case was related to anti ICE protests in Texas. In other news, hackers have published data from the Los Angeles City Attorney's Office. The stolen data includes sensitive case details and and the personal information of police officers. Witness names, medical records and internal affairs investigations are also included in the 7.7 terabytes of data published online this week. A hacker has stolen petabytes of sensitive data from China's National Supercomputing Centre. The data was published online last month, but it took weeks for investigators to confirm its authenticity. Some leaked files appear to contain military and government data. A new group calling itself Flaming China has taken credit for the hack. Hackers have stolen $3.6 million from Bitcoin Depot, a crypto ATM operator. The attack took place last month and targeted the company's crypto wallets. Bitcoin Depot operates more than 25,000 crypto ATMs globally. A ransomware attack has hit a software provider for the Dutch healthcare sector. The incident targeted ChipSoft, which makes an electronic patient record management platform called Hicks. The incident did not impact the platform's availability. According to reports, Hicks is used by about 70% of Dutch hospitals. The National Guard cyber units have been deployed to Minnesota's Winona county following a cyber attack. The attack this week disrupted IT networks and public services. The same county was hit by ransomware in late July. This is a separate incident. According to the record, a cyber attack has taken down vehicle fleet management platform fleetwave. The incident impacted several local governments in the US that use the platform to manage shared cars. The software is used to assign vehicles to workers, schedule maintenance and manage fuel and repair logs. Microsoft has suspended developer accounts of three software VeraCrypt, WireGuard and Windscribe have not been able to sign drivers or or ship updates for at least a week. The issue is believed to be related to Microsoft's Driver Developer account verification process, which was introduced last year. Veracrypt and Windscribe developers have since said the issue's being resolved with Microsoft. A new Geo tracking tool that uses advertising data is being deployed by Hungary, the US and El Salvador. The Web block tool was developed by Israeli surveillance vendor Cobwebs. It it's now sold by its successor, Penlink. The platform can reportedly build profiles to track entire populations. Its customers include law enforcement and intelligence agencies. The U.S. treasury Department has established a threat intel sharing group for the cryptocurrency and digital assets industries. Market participants will receive alerts about ongoing cybersecurity threats. The initiative is a response to the frequency of cryptocurrency platform hacks and the losses they cause. The former Trenchant executive who sold the company's iOS exploits said he had financial difficulties at the time. Peter Williams pleaded guilty this year to selling company secrets to a Russian broker. He was sentenced in February. Before sentencing, Williams wrote to a D.C. court judge. That letter has recently been cited by Kim Zeta. In it, Williams also said he was suffering from stress and burnout at the time of his crime. He he described his actions as extraordinarily poor judgement. Williams was sentenced to 87 months in prison. UK police are investigating a former Meta employee over downloading photos of Facebook users. The suspect is accused of creating a script bypassing Facebook's defences, which was used to download more than 30,000 private photos. He was fired last year when Meta discovered the hack and reported the case to authorities. An Adobe Reader Zero Day has been exploited in the wild since at least November. The attacks used LUA documents related to Russia's oil and gas sector. No formal attributions or patch are available. A newly discovered IoT botnet avoids infecting US government and military networks. Security firm Trellix believes the Mass Gesu botnet's use of IP blocklists is to avoid triggering a US law enforcement response. The botnet has been active for almost three years and is primarily used as a DDoS for hire service. Hackers have compromised the service of a plugin developer and shipped malware to WordPress and Joomla sites. Malicious updates containing a remote access tool were delivered to sites running the Smart Slider plugin. The incident occurred on Tuesday and the update was live for six hours. The plugin's developer, NextEnd, has traced the incident to a hack of its update servers. Akamai and cloudflare have voiced their support for an open registry for AI agents known as the Agent Name Service. The standard assigns unique identifiers to AI crawlers that can be used to authorise them to access resources. The system's modelled after DNS and every identity is cryptographically signed. And finally, the Greek government will enforce a social media ban for children under the age of 15. When the law takes effect next year, Greece will be the first European country to implement a social media age restriction. France, Spain and Denmark are considering similar bans. And that is all for this podcast edition. Today's show was brought to you by Airlock Digital. Find them@airlockdigital.com thanks for your company.