Risky Bulletin: IcedID Malware Developer Fakes His Own Death to Escape the FBI
Podcast: Risky Bulletin (Risky.Biz)
Date: February 13, 2026
Host/Reader: Claire Aird
Prepared by: Catalyn Kim Panu
Episode Overview
In this fast-paced cybersecurity news roundup, Risky Bulletin delivers global updates on cybercrime, data breaches, government actions, and new vulnerabilities. The episode’s headline story centers on the Ukrainian IcedID malware developer’s dramatic attempt to evade justice by faking his own death. Other highlights include Apple’s urgent zero-day patch, major internet censorship in Russia, a hijacked Outlook add-in, and how generative AI is shaping state-sponsored hacking.
Key Discussion Points & Insights
1. IcedID Malware Developer Fakes Death to Evade FBI
[00:08]
- A Ukrainian developer behind the IcedID banking trojan attempted to escape FBI prosecution in 2024 by bribing Ukrainian police and obtaining a fake death certificate.
- "He did, though, continue to live at his known address. Local authorities seized IcedID a month later. He was arrested in the Ukraine in December. A local judge has set bail at $9.3 million, deeming him a flight risk." (Claire Aird, 00:32)
- The elaborate ruse was short-lived; the suspect was found and arrested at his residence.
- Bail was set high because of the perceived flight risk, underscoring the seriousness with which authorities treat cybercrime fugitives.
2. Apple Zero-Day Vulnerability Patched
[00:44]
- Apple patched a significant zero-day (dynamic linker component) exploited in targeted attacks against users on iOS versions before 26.
- "The attacks were discovered by Google's security team... It's one of 37 vulnerabilities patched by Apple this week." (00:48)
- The flaw was used in sophisticated attacks against specific individuals.
- Highlights the growing prevalence of supply chain vulnerabilities and tech companies’ rapid response.
3. Russia Escalates Internet Censorship
[01:00]
- Russia’s internet regulator, Roskomnadzor, has blocked:
  - YouTube, Facebook, WhatsApp, Instagram (removed from DNS),
  - Tor Project, BBC, and other media sites.
- "The agency has been throttling traffic... since July." (01:10)
- Ongoing information war linked to government stances on Ukraine conflict and censorship of dissent.
4. European Governments & US Tech Providers
[01:24]
- The Dutch parliament wants its digital ID infrastructure (DigiD) hosted in Europe rather than by Solvinity, which was recently acquired by a US company.
- Swiss government terminates analytics contract with Palantir, citing national security and risk of US data access.
- "A review... found a significant likelihood that the US government would be able to access confidential Swiss data." (01:36)
- Points to growing anxiety about foreign surveillance over critical services.
5. Russian Disinformation Disrupted in France
[01:51]
- French authorities dismantled more than 100 websites operated by a Russian group posing as French news outlets in order to manipulate electoral opinion.
- "The sites were taken down before they achieved any significant visibility." (01:59)
6. Iranian APTs Target Israeli Officials’ Google Accounts
[02:08]
- Since the 12-day Israel-Iran war, there has been a surge in attempted breaches of the Google accounts of Israeli officials, academics, and journalists.
- "Hundreds of attacks have been detected in recent months." (02:13)
7. Dutch Telco ‘Odido’ Data Breach
[02:19]
- Odido breached, impacting 6.2 million customers.
- "Odido says sensitive information like invoice, passwords and location data was not stolen." (02:23)
- Indicates continued targeting of European telecoms.
8. South Korean Security Breach Fallout
[02:28]
- Coupang, Korea’s largest online retailer, accused of not preserving logs after a major breach affecting 33+ million people.
- "The company's American owners have sued the government in Seoul, accusing it of unfair treatment." (02:35)
- Local branches of Christian Dior, Louis Vuitton, Tiffany fined $25M for breaches exposing 5.5M customers’ data.
9. Ukraine: Hospital Funds Stolen via Account Hack
[02:50]
- Two suspects compromised a hospital accountant’s account and funneled $115,000 to their own companies.
10. US Prosecutors Chase Zero-Day Seller
[02:55]
- Peter Williams, an Australian, faces nine years for selling exploits to a Russian firm.
- Prosecutors seek severe financial restitution and criminal penalties.
11. Malicious Outlook Add-in Attack Hits 4,000+
[03:11]
- Attackers hijacked the expired Vercel domain that the abandoned “Agree To” Outlook add-in still loaded its code from.
- "The attacker then deployed malicious code that prompted users to re-authenticate to a phishing site." (03:21)
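One defensive check this story suggests, as an added example that is not code from the episode or from the add-in in question: walk an Office add-in manifest, collect every host it loads code or assets from, and flag hosts on re-claimable hosting platforms or names that no longer resolve. The manifest, its hosts, and the suffix list are constructed placeholders, not the real add-in’s values.

```python
# Added example, not the episode's or any real add-in's code: list every host an
# Office add-in manifest loads from; flag reclaimable platforms and dead names.
import socket
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosting suffixes where a deleted project name can be re-registered by anyone
# (illustrative list, an assumption to adjust for your environment).
RECLAIMABLE_SUFFIXES = (".vercel.app", ".netlify.app", ".github.io")

# Constructed manifest with placeholder hosts, following the OfficeApp schema.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <IconUrl DefaultValue="https://cdn.example.com/icon.png"/>
  <AppDomains><AppDomain>https://abandoned-addin.vercel.app</AppDomain></AppDomains>
  <DefaultSettings>
    <SourceLocation DefaultValue="https://abandoned-addin.vercel.app/index.html"/>
  </DefaultSettings>
</OfficeApp>"""

def extract_urls(manifest_xml):
    """Map each host to the http(s) URLs the manifest references on it."""
    hosts = {}
    for elem in ET.fromstring(manifest_xml).iter():
        for value in list(elem.attrib.values()) + [elem.text or ""]:
            value = value.strip()
            if value.startswith(("http://", "https://")):
                hosts.setdefault(urlparse(value).hostname or "", []).append(value)
    return hosts

def dns_resolves(host):
    """False when the name no longer resolves (or there is no network)."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:
        return False

def audit_manifest(manifest_xml, resolver=dns_resolves):
    """One finding per host; 'risk' flags reclaimable platforms and dead names."""
    findings = []
    for host, urls in sorted(extract_urls(manifest_xml).items()):
        reclaimable, alive = host.endswith(RECLAIMABLE_SUFFIXES), resolver(host)
        findings.append({"host": host, "urls": urls, "resolves": alive,
                         "reclaimable": reclaimable, "risk": reclaimable or not alive})
    return findings

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print("RISK" if f["risk"] else "ok  ", f["host"], len(f["urls"]), "url(s)")
```

Point it at the manifests of add-ins actually deployed in your tenant; a host that is both reclaimable and unresolved is exactly the lapsed deployment an attacker can re-register.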
12. Global Telnet Traffic Plummets After Vulnerability Disclosure
[03:29]
- Telnet traffic fell 65% after the vulnerability disclosure, most likely because ISPs began blocking the protocol.
- "Traffic has remained at 35% of previous levels, suggesting a concerted effort...to block the outdated protocol." (03:36)
13. State-Sponsored Hacking Teams Adopt LLMs
[03:41]
- Google Threat Intelligence sees state groups using Gemini (LLM) for:
  - inbox analysis, code writing, and automating vulnerability research.
- "LLMs have become essential tools for state-backed cyber operations." (03:44)
- Groups from China, Russia, Iran, North Korea adapting AI to operational needs.
14. China’s Tianfu Cup Returns, AI-Driven Exploit Discovery
[03:54]
- The Tianfu Cup hacking contest featured prominent use of AI for discovering zero-days and reproducing exploits.
- "Exploits used at the Tianfu cup have been collected by the Chinese government and later exploited in the wild..." (04:05)
15. Age Verification Bypassed on Major Platforms
[04:13]
- Security researchers bypassed the age checks of Discord, Twitch, and Snapchat by exploiting a design bug in the third-party verification provider Kid.
- "The technique uses the browser's developer console to trick the kid backend..." (04:19)
Notable Quotes & Memorable Moments
- On the IcedID developer’s failed ruse: "He did, though, continue to live at his known address. Local authorities seized IcedID a month later. He was arrested in the Ukraine in December. A local judge has set bail at $9.3 million, deeming him a flight risk." (Claire Aird, 00:32)
- On Apple’s security response: "It's one of 37 vulnerabilities patched by Apple this week." (00:48)
- On state-sponsored adoption of AI: "Google says that LLMs have become essential tools for state-backed cyber operations." (03:44)
- On compromised Outlook add-ins: "The attacker then deployed malicious code that prompted users to re-authenticate to a phishing site." (03:21)
Important Timestamps
- IcedID Developer Fakes Death: 00:04–00:44
- Apple Patches Zero-Day Attack: 00:44–01:00
- Russia’s Internet Censorship: 01:00–01:24
- Dutch/Swiss Gov Tech Decisions: 01:24–01:51
- France Stops Russian Disinfo: 01:51–02:08
- Iranian Attacks on Israel: 02:08–02:19
- Odido Data Breach: 02:19–02:28
- South Korea Data Breaches: 02:28–02:50
- Hospital Funds Hack (Ukraine): 02:50–02:55
- Zero-day Seller Prosecution: 02:55–03:11
- Outlook Add-in Attack: 03:11–03:29
- Telnet Traffic Drop: 03:29–03:41
- State Hackers Use LLM/AI: 03:41–03:54
- Tianfu Cup/China: 03:54–04:13
- Age Verification Bypass: 04:13–04:25
Summary
This Risky Bulletin episode distills the global cyber threat landscape into a sharp, energetic 5-minute briefing. Standout stories include the arrest of a high-profile Ukrainian malware author, waves of data breaches and government responses across Europe and Asia, and the increasing sophistication of both state and criminal actors—now wielding artificial intelligence and exploiting overlooked tech infrastructure. The news underscores the velocity, high stakes, and international scope of contemporary cybersecurity challenges.
