
A malware developer faked his own death to evade the FBI, Apple patches a zero-day used in a targeted attack, the Tianfu Cup quietly returns, and researchers spot the first malicious Outlook add-in. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 13th of February, and this podcast episode is brought to you by Trail of Bits.

In today's top story, the Ukrainian developer of the IcedID malware tried to evade the FBI by faking his own death. After learning he was being sought by US officials in 2024, the unnamed suspect bribed Ukrainian police to issue a fake death certificate. He did, though, continue to live at his known address. Local authorities seized IcedID a month later. He was arrested in Ukraine in December. A local judge has set bail at $9.3 million, deeming him a flight risk.

In other news, Apple has patched a zero-day that it says was used in a sophisticated attack. The attack targeted specific individuals that were using versions prior to iOS 26. The attacks were discovered by Google's security team. The zero-day was in the dynamic linker component, which links executables to their libraries. It's one of 37 vulnerabilities patched by Apple this week.

Russia's Internet watchdog has blocked access to YouTube, Facebook, WhatsApp and Instagram. Roskomnadzor has removed the platforms' records from the country's domain name system. The agency has been throttling traffic to YouTube and WhatsApp since July. The Russian government designated Meta an extremist organisation after the company refused to censor content related to the Ukrainian war. Roskomnadzor has also blocked access to the Tor Project, the BBC and several media sites.

The Dutch government has been urged to keep its national ID service away from US providers. The DigiD service is hosted by cloud provider Solvinity, which was recently acquired by an American company. The lower house of the Dutch parliament wants the infrastructure located in Europe. Meantime, the Swiss government has ended its contract with American analytics company Palantir. Officials said the platform risked national security. A review carried out by the Swiss armed forces found a significant likelihood that the US government would be able to access confidential Swiss data.

French authorities have taken down more than 100 websites operated by a Russian disinformation group. The websites posed as French news outlets to manipulate opinions about political candidates ahead of next month's municipal elections. The French National Security Directorate said the sites were taken down before they achieved any significant visibility.

Iranian hackers are attempting to breach the personal Google accounts of Israeli officials. The number of attacks increased after Israel's 12-day war with Iran last year. Hundreds of attacks have been detected in recent months. They targeted government officials, academics and journalists.

Hackers have breached the customer contact system of Dutch telco Odido. According to the local media outlet NOS, more than 6.2 million customers are affected. Odido says sensitive information like invoices, passwords and location data was not stolen.

South Korean authorities have accused Coupang of failing to preserve logs from last year's security breach. The incident at the country's largest online retailer exposed the personal details of more than 33 million South Koreans. The company's American owners have sued the government in Seoul, accusing it of unfair treatment. Three fashion and luxury brands have been fined $25 million in South Korea over recent data breaches. The fines were levied against the local branches of Christian Dior, Louis Vuitton and Tiffany & Co. All three companies suffered breaches last year, exposing the personal details of a combined 5.5 million customers.

Ukraine's cyber police have detained two men accused of stealing funds from a local hospital. They allegedly hacked the hospital accountant's computer and transferred more than $115,000 to their own company's accounts.

US prosecutors are seeking a nine-year prison sentence for a Trenchant executive who sold zero-day exploits to foreign adversaries. Australian national Peter Williams sold eight of his employer's exploits to a Russian company for $1.3 million. Prosecutors are also seeking $35 million in restitution, a fine of $250,000 and three years of supervised release.

The infrastructure of an abandoned Outlook add-in has been hijacked to steal Microsoft credentials. More than 4,000 users of the AgreeTo add-in were compromised in the attack, according to Koi Security. The attackers took over an expired Vercel app domain after the developer failed to renew it. The attacker then deployed malicious code that prompted users to re-authenticate to a phishing site.

Global Telnet traffic has fallen by two-thirds in the last month, according to security firm GreyNoise. The sudden drop began on January 14th. A week later, a major Telnet vulnerability was disclosed. Traffic has remained at 35% of previous levels, suggesting a concerted effort by Internet service providers to block the outdated protocol.

Google says that LLMs have become essential tools for state-backed cyber operations. The company's Threat Intelligence team has spotted groups from China, Russia, Iran and North Korea using AI in their operations. Google's LLM Gemini was used to analyse inboxes, write code, and automate vulnerability research and reconnaissance.

The Chinese government has quietly held another round of its hacking contest, the Tianfu Cup. This year's competition included prominent use of AI to discover zero-days. It also included a special competitive track for reproducing exploits for known vulnerabilities. Exploits used at the Tianfu Cup have been collected by the Chinese government and later exploited in the wild by the country's cyber contractors.

And finally, two security researchers have bypassed the age verification process used by Discord, Twitch and Snapchat. The bypass abuses a bug in the design of k-ID, a third-party age verification technology provider. The technique uses the browser's developer console to trick the k-ID backend into thinking the user has already scanned their face and is an adult.

And that is all for this podcast edition. Today's show is brought to you by our sponsor, Trail of Bits. Find them at trailofbits.com. Thanks for your company.
Podcast: Risky Bulletin (Risky.Biz)
Date: February 13, 2026
Host/Reader: Claire Aird
Prepared by: Catalin Cimpanu
In this fast-paced cybersecurity news roundup, Risky Bulletin delivers global updates on cybercrime, data breaches, government actions, and new vulnerabilities. The episode’s headline story centers on the Ukrainian IcedID malware developer’s dramatic attempt to evade justice by faking his own death. Other highlights include Apple’s urgent zero-day patch, major internet censorship in Russia, a hijacked Outlook add-in, and how generative AI is shaping state-sponsored hacking.
On the IcedID developer’s failed ruse:
"He did, though, continue to live at his known address. Local authorities seized IcedID a month later. He was arrested in Ukraine in December. A local judge has set bail at $9.3 million, deeming him a flight risk." (Claire Aird, 00:32)
On Apple’s security response:
"It's one of 37 vulnerabilities patched by Apple this week." (00:48)
On state-sponsored adoption of AI:
"Google says that LLMs have become essential tools for state-backed cyber operations." (03:44)
On compromised Outlook add-ins:
"The attacker then deployed malicious code that prompted users to re-authenticate to a phishing site." (03:21)
This Risky Bulletin episode distills the global cyber threat landscape into a sharp, energetic 5-minute briefing. Standout stories include the arrest of a high-profile Ukrainian malware author, waves of data breaches and government responses across Europe and Asia, and the increasing sophistication of both state and criminal actors—now wielding artificial intelligence and exploiting overlooked tech infrastructure. The news underscores the velocity, high stakes, and international scope of contemporary cybersecurity challenges.