Indonesia emerges as a new cyber scam hub, Grafana got hacked and held for ransom, the Fast 16 malware subverted software used to simulate nuclear explosions, and a new Microsoft Exchange zero day is under attack. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 18th of May, and this podcast episode is brought to you by Push Security.

In today's top story, Interpol says Indonesia is emerging as a cyber scam hub in Southeast Asia following crackdowns in neighbouring countries. Authorities have detained more than 550 suspects across three raids this month alone. Most were foreigners who'd overstayed the 30-day limit of their tourist visa on arrival permits. The Indonesian government is considering rescinding the visa-free entry policy for Southeast Asian nationals to help combat the trend.

Hackers have breached DevOps company Grafana and stolen its GitHub repos. The company received a ransom notice but says it won't pay the attackers. Grafana cited recent FBI industry advice against paying hackers. The Coinbase Cartel group took credit for the hack on Friday.

Suspected Iranian hackers have breached gas station tank readers across the US. The attacks targeted automatic tank gauges that were left exposed online without a password. The hackers modified fuel level readings, but no accidents have been reported.

The THORChain DeFi platform suspended crypto trading on Friday after hackers stole $10.7 million worth of assets from it. The hack involved a complex exploit that leaked private key material over time. The attackers eventually reconstructed the private key and drained one of THORChain's wallets.

A hotel check-in platform exposed more than 1 million passports and government IDs to the Internet via an improperly configured AWS S3 bucket. The documents leaked from hotel reservation platform Tabiq, which was developed by Japanese tech startup Recrea.

Jaguar Land Rover's annual profit fell by 99% in the aftermath of US tariffs and a cyberattack that shut down its UK factories for more than a month. The company reported a profit of only £14 million this year, down from £2.5 billion the previous year. Jaguar says the worst fallout from the cyberattack has passed.

The Fast 16 malware was designed to sabotage LS-DYNA and AUTODYN, two software programs used to simulate explosions. According to new analysis, the malware fed false data to engineers from simulations. The sabotage behaviour only activated at a threshold specific to uranium-based nuclear tests. According to Symantec and journalist Kim Zetter, the malware was live at around the same time as Stuxnet. It was likely designed to sabotage Iran's nuclear program in the late 2010s.

Signal, NordVPN and Windscribe have threatened to pull services from Canada if the government passes its proposed lawful access bill. Bill C-22 would force tech companies to store user metadata and to redesign systems to allow law enforcement access. Apple and Meta have also criticised the government's plans.

The Polish government has advised officials to replace Signal with its national secure messenger platform. The platform launched in late March and is based on the Matrix open source protocol. Russian hackers targeted EU and US officials with Signal phishing campaigns this year. Germany and France have also told lawmakers and state employees to move to similar platforms.

The UK government has sanctioned two Russian disinformation groups for attempting to destabilise Armenia's pro-Western government. Sanctions were imposed on ANO Dialog and the Social Design Agency. Both are well-known distributors of pro-Kremlin disinformation. Both groups are responsible for a wave of propaganda threatening the country with a Russian invasion and "the Ukraine scenario".

The FBI has advised schools, parents and other victims against paying ransom demands to the ShinyHunters hacking group. The group recently breached edtech company Instructure and successfully ransomed the company. The agency is concerned the group, or impersonators, may now demand ransoms from Instructure customers such as schools, students or families.

Americans lost more than $388 million last year to scams that relied on cryptocurrency ATMs and kiosks. Almost a third of those total losses were recorded in Texas, Florida and California. Minnesota and Tennessee have already banned crypto ATMs due to the risk of scams. Canada is preparing a similar ban.

A new hacking group is targeting large corporations for data theft and extortion campaigns. The group operates the Blackfile data extortion site. Google tracks the group as UNC6671 and says it uses the same tactics as ShinyHunters but is a separate operation. The group recently shut down its dark web leak site but appears to still be operating.

Hackers are exploiting a zero day in Microsoft Exchange's Outlook Web Access service. The zero day allows attackers to run malicious JavaScript code in OWA inboxes if certain conditions are met. On Tuesday, Microsoft deployed temporary mitigations to servers that have the Exchange Emergency Mitigation service enabled, and a more permanent patch is on its way.

Hackers are exploiting a recent vulnerability in nginx web servers. The nginx Rift vulnerability allows attackers to execute malicious code on servers in specific configurations. Security firm VulnCheck detected active exploitation three days after a patch and proof-of-concept code were published.

Online, hackers are attempting to exploit vulnerabilities in open source software used to manage data center infrastructure. The attacks target two recently patched vulnerabilities that allow threat actors to take over openDCIM servers via leftover installation artifacts. The bugs were fixed in February, but exploitation was spotted last week. Security firm VulnCheck says the attackers are using an AI tool to find vulnerable openDCIM servers and drop PHP web shells on them. All the exploit activity is coming from a single IP address in China.

Security researchers have used Anthropic's Mythos model to develop a bypass of one of Apple's most powerful security features. Memory Integrity Enforcement was added to Apple devices last September to protect device memory against corruption attacks. Researchers at Calif notified Apple of the bug last week. They plan to publish further details once the company patches the issues. The exploit targets macOS devices running the company's latest M5 chip.

A security fix for a Windows vulnerability from 2020 is missing from the operating system's latest versions. The original exploit is suddenly working again, allowing threat actors to elevate privileges on Windows systems. The missing fix was noticed by a security researcher using the name Nightmare Eclipse. It's unclear if the fix was rolled back on purpose.

Microsoft's Edge browser will stop storing users' passwords in clear text in Windows' active memory. The change is already live in Canary builds and is set to arrive with version 148. Microsoft is making the change after a security researcher released a tool to dump the passwords out of memory.

Meantime, Microsoft has launched a new feature that rolls back problematic driver updates. The Cloud-initiated Driver Recovery feature will allow system administrators to roll back drivers to previous versions. The feature only works with drivers obtained via the official Windows Update channel that are also registered in the Hardware Dev Center.

New Gmail accounts will be limited to a 5GB storage limit unless owners provide a valid phone number. Google is testing the new policy for all new accounts in selected regions. Gmail accounts have historically had a default free quota of 15 gigabytes.

The KDE project has received 1.28 million euros from Germany's Sovereign Tech Fund. The money will be spent to strengthen the project's core infrastructure. Its main product is the KDE desktop environment for Linux. European countries have recently shown a lot of interest in open source software and alternatives to US tech.

Academic research portal arXiv will ban authors for a year if they submit AI-generated work with fake references. Once the ban expires, authors will have to publish papers on a reputable peer-reviewed platform before being allowed back on arXiv. The new policy comes after the portal has been flooded with AI slop.

And finally, Taiwanese security firm Devcore has won this year's Pwn2Own hacking contest. Devcore researchers pocketed half a million US dollars after hacking Windows 11, Microsoft Edge, Exchange and SharePoint. This year's contest was held at the OffensiveCon security conference in Berlin. It was the first time researchers were able to target AI systems such as AI databases, coding agents and local inference.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Push Security. Find them at pushsecurity.com. Thanks for your company.
Host: Claire Aird (Risky Business Media)
Date: May 18, 2026
In this episode of Risky Bulletin, Claire Aird presents a fast-paced roundup of the past week’s most significant cybersecurity news. Headlining the bulletin is Indonesia’s emergence as a key center for cyber scam operations in Southeast Asia, triggered by law enforcement crackdowns in neighboring countries. The episode covers impactful breaches, malware discoveries, regulatory changes, and a glimpse at the latest hacking trends and exploits affecting organizations across the globe.
“Authorities have detained more than 550 suspects across three raids this month alone. Most were foreigners who'd overstayed the 30-day limit of their tourist visa on arrival permits.” — Claire Aird [00:13]
“Jaguar Land Rover's annual profit fell by 99% in the aftermath of US tariffs and a cyberattack that shut down its UK factories for more than a month.” — Claire Aird [01:32]
“The sabotage behaviour only activated at a threshold specific to uranium-based nuclear tests. ... The malware was live at around the same time as Stuxnet.” — Claire Aird [01:52]
On Indonesia’s crackdown:
“Authorities have detained more than 550 suspects across three raids this month alone.” — Claire Aird [00:13]
About high-profile malware:
“The sabotage behaviour only activated at a threshold specific to uranium-based nuclear tests.” — Claire Aird [01:52]
Financial fallout from a cyberattack:
“Jaguar Land Rover's annual profit fell by 99% in the aftermath of US tariffs and a cyberattack…” — Claire Aird [01:32]
| Time | Topic |
|-------|-------|
| 00:04 | Indonesia's emergence as a scam hub |
| 00:35 | Grafana breach and ransom demand |
| 01:00 | Iranian hackers hit US gas station tank gauges |
| 01:10 | THORChain DeFi crypto heist |
| 01:20 | Tabiq passport data exposure |
| 01:30 | Jaguar Land Rover cyberattack fallout |
| 01:45 | Fast 16 malware and nuclear simulation sabotage |
| 02:00 | Canadian lawful access bill controversy |
| 02:22 | Poland, Russia, and secure messaging shifts |
| 02:30 | UK sanctions Russian disinformation groups |
| 02:42 | FBI warning on ShinyHunters extortion demands |
| 02:50 | US crypto ATM scam losses |
| 03:05 | Blackfile/UNC6671 extortion group emerges |
| 03:25 | Microsoft Exchange OWA zero day; nginx and openDCIM exploitation |
| 03:55 | Mythos-assisted bypass of Apple Memory Integrity Enforcement |
| 04:08 | Windows 2020 vulnerability fix missing |
| 04:20 | Microsoft Edge stops keeping passwords in clear text in memory |
| 04:28 | Windows cloud-initiated driver rollback feature |
| 04:35 | Gmail new storage policy |
| 04:42 | KDE gets Sovereign Tech Fund money |
| 04:50 | arXiv cracks down on AI-generated papers with fake references |
| 05:00 | Devcore's Pwn2Own win and AI-system targets |
This episode delivers a comprehensive, rapid-fire update on cyber threats, policy shifts, and industry moves, arming listeners with the latest trends and urgent developments in global cybersecurity.