
A
LLMs can deanonymize Internet users based on their comments. CISA gets a new acting Director, hackers steal 15 million records from the French Ministry of Health, and Google takes down an ad fraud botnet. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 27th of February and this podcast episode is brought to you by Okta.
In today's top story, academics have developed large language models that can deanonymize users based on their comments. Tests achieved 99% precision when linking Hacker News accounts to LinkedIn profiles. Researchers say the method also works when users adopt multiple pseudonyms across platforms.
The U.S. Department of Homeland Security has announced Nick Anderson as acting director of CISA. He replaces Madhu Gottumukkala, who's been transferred to a new role within the agency. Congress recently criticised Gottumukkala for reducing staff numbers and weakening CISA's ability to defend federal agencies.
U.S. Senator Ron Wyden has pledged to block the appointment of Lt. Gen. Joshua Rudd as the next lead of U.S. Cyber Command and the National Security Agency. Wyden said Rudd lacks background in cyber operations and signals intelligence. Cyber Command and the NSA have been without a leader for 10 months. President Trump fired the former head, Air Force General Timothy Haugh, last April.
Hackers have breached the U.S. Department of Homeland Security and leaked details about contracts with Immigration and Customs Enforcement. The data was hacked from the agency's Office of Industry Partnership. It contains details about ICE contracts with more than 6,000 companies. The files were leaked by a group calling themselves the Department of Peace.
Meantime, hackers have stolen the personal data of 15 million French citizens from the country's Ministry of Health. The incident occurred last year but was confirmed by the ministry last week. The stolen data includes patient records, doctor's notes, home addresses and phone numbers.
Hackers have breached the Dutch Justice Department using a recent zero-day in Ivanti's EPMM platform. According to local media, the breach went undetected for five months. The same zero-day was also used to hack the Dutch Data Protection Agency and the European Commission. Several other Dutch agencies are also investigating hacks.
According to a memo by senior officials, hackers breached an Iranian prayer app to send messages urging the Iranian military to lay down their arms. The messages on the Bod Subah calendar app also encouraged people to join the resistance against the regime shortly after the U.S.-Israeli attack began. At the weekend, the Iranian government shut down the country's Internet access.
A hacker has stolen $4.8 million worth of cryptocurrency from a wallet seized by South Korean authorities. The South Korean tax authority posted photos of the wallet online with the recovery phrase in full view. The seized wallet was part of an investigation of more than 100 individuals accused of tax crimes.
South Korean retailer Coupang has reported a 97% drop in operating income following a recent security breach. Fourth quarter operating income fell to $8 million, down from $312 million a year earlier. The company has also reported a net loss of $26 million, compared to $156 million in profit the same time last year.
OpenAI has sided with its rival Anthropic in the company's dispute with the Pentagon. CEO Sam Altman said OpenAI has the same red lines as Anthropic that its tools cannot be used for mass surveillance and lethal auton. Anthropic told the Pentagon on Friday it will not disable those protections for military use. More than 700 Google and OpenAI employees have signed an open letter in support of Anthropic's stance.
Apple iOS devices have been approved to handle classified information in NATO networks. iPhones and iPads were approved following an audit by the German government. They're the first consumer-grade devices to be approved for NATO use without additional software or configuration.
More than 30 individuals connected to The Com have been detained during a coordinated multinational law enforcement operation. An additional 179 members of the underground community were also identified. The Com has been linked to online doxxing, harassment, threats of violence, extortion, sexual exploitation and cybercrime.
The operator of a call centre scam network has been sentenced in Germany to seven and a half years in prison. Mikhail Binyashvili ran the Milton Group from Albania for two years from 2017. The call centres tricked victims into investing on platforms controlled by Binyashvili and his accomplices. The operation made tens of millions of euros. He also sold the call centre's scamming software to other threat actors.
A Ukrainian national has pleaded guilty in the US to selling fake identification documents. Yuriy Nazarenko made more than $1.2 million while operating the identity marketplace OnlyFake. He faces up to 15 years in prison.
Cyber security reporter Brian Krebs says he's identified the admin of the Kimwolf DDoS botnet. Krebs has named him as 23-year-old Jacob Butler from Ottawa, Canada. Kimwolf was created by a hacker named Dort, a handle also used by Butler. Butler told Krebs he's not used the persona since 2021 and that someone is impersonating him.
An automated bot has extracted GitHub tokens from major open source projects. It scanned GitHub for projects with misconfigured CI/CD pipelines, cloned their repos, and submitted pull requests with malicious payloads. According to StepSecurity, the bot successfully compromised at least four major projects, including one from Microsoft and Datadog.
Security firm GreyNoise has detected a spike in scans for SonicWall devices originating from a known proxy provider. The campaign began on February 22nd and is hunting for exposed SonicWall SSL VPNs. GreyNoise said the threat actor was likely mapping out the attack surface.
Google has removed 115 Android apps from the Play Store that were engaged in ad fraud. The apps opened websites inside hidden browser windows to generate ad revenue. The IAS Threat Lab identified more than 500 websites that were generated using AI tools and used to serve the ads.
Almost 3,000 Google API keys are exposed on the Internet, according to Truffle Security. The keys were initially intended to allow apps to connect to Google Maps and Firebase databases, but now the keys also authorise use of the Gemini AI assistant, which can access much more of a user's data.
Social media company TikTok has returned to Albania after a year-long ban expired last week. The Albanian government banned the app following the death of a teenage boy. The 14-year-old was stabbed by another teenager after they clashed online. TikTok says it's heightened security and safety measures around online bullying.
Meantime, Meta will notify parent accounts when teenagers search Instagram for terms related to suicide or self-harm. The new feature comes after recent regulatory action and lawsuits over social media's impact on young people's mental health. Meta says it's also working on a similar notification system for its AI assistants.
The Internet Engineering Task Force has established a new working group to develop quantum-resistant digital certificates. The new PKI, Logs, and Tree Signatures group is currently working with Google on evolving website certificates. They're collaborating on Merkle Tree Certificates, which are an update to the existing X.509 certificates that also integrate public logging.
And finally, Google will enable certificate transparency by default for all apps in Android 17. Apps will be required to use certificates that have been recorded in public logs. Android 17 will be released later this year.
And that is all for this podcast edition. Today's show was brought to you by our sponsor Okta. Find them at okta.com. Thanks for your company. Sam.
Date: March 2, 2026
Host: Risky Business Media, read by Claire Aird
Prepared by: Catalin Cimpanu
This episode of Risky Bulletin delivers a rapid-fire summary of recent and significant cybersecurity incidents around the world. The main highlight is groundbreaking research showing that large language models (LLMs) can deanonymize internet users by analyzing their comments with near-perfect precision. Additional updates span major data breaches, governmental changes, threats to cryptographic systems, and evolving policy stances on AI and national security.
LLM Deanonymization:
"Academics have developed large language models that can deanonymize users based on their comments. Tests achieved 99% precision when linking Hacker News accounts to LinkedIn profiles." — Claire Aird [00:10]
Leadership Concerns:
"Senator Ron Wyden has pledged to block the appointment of Lt. Gen. Joshua Rudd as the next lead...Wyden said Rudd lacks background in cyber operations and signals intelligence." — Claire Aird [00:38]
Cryptocurrency Mishap:
"The South Korean Tax authority posted photos of the wallet online with the recovery phrase in full view." — Claire Aird [02:25]
AI Ethics Stand-Off:
"OpenAI has sided with its rival Anthropic in the company's dispute with the Pentagon. CEO Sam Altman said OpenAI has the same red lines as Anthropic..." — Claire Aird [02:53]
| Timestamp | Topic |
|:---:|---|
| 00:10 | LLMs deanonymize users via online comments |
| 00:38 | CISA/NSA leadership shakeup and Congressional tensions |
| 01:13 | US DHS ICE contract data breach |
| 01:30 | 15M French Ministry of Health records stolen |
| 02:03 | Iranian prayer app hack and government internet shutdown |
| 02:25 | South Korean crypto wallet compromised via recovery phrase leak |
| 02:38 | Major financial losses at Coupang post-breach |
| 02:53 | OpenAI & Anthropic AI ethics, Pentagon dispute |
| 03:16 | Apple iOS approved for classified NATO communications |
| 03:44 | International crackdown on "The Com" doxxing/harassment community |
| 04:24 | GitHub token scraping and supply chain attacks |
| 04:52 | Removal of 115 ad fraud Android apps; Google API key exposures |
| 05:02 | IETF quantum-ready certificate push with Google |
| 05:22 | Android 17 to require certificate transparency |
| 05:34 | TikTok returns to Albania; Meta boosts teen safety |
The episode delivers concise, fact-packed updates with a neutral, professional, and slightly urgent news tone. It balances the technical depth needed for cybersecurity professionals with plain explanations for broader accessibility. The rapid pace and focus ensure key events are covered without embellishment or editorializing, matching the Risky Bulletin's style.
This Risky Bulletin episode highlights how the lines between anonymity and identity on the internet are rapidly blurring, thanks to advances in AI and large language models. The news cycle paints a turbulent global cybersecurity landscape, with government data breaches, organizational turmoil, evolving ethical battles over AI, quantum-readiness in digital infrastructure, and new social media safety protocols. The episode is an essential catch-up for anyone interested in cybersecurity trends, major incidents, and the pressing issues shaping digital privacy and policy in 2026.