Risky Bulletin: RPKI Infrastructure Sits on Shaky Ground

Podcast: Risky Bulletin (Risky Business)
Host: Claire Airdrop
Date: February 20, 2026

Episode Overview

This episode delivers tightly-packed cybersecurity news and analysis. Headlining is the troubling insecurity underlying much of the RPKI infrastructure designed to protect the internet’s routing system. Additional stories cover major data breaches, a new UK law targeting non-consensual explicit images, disruptive attacks against public services, as well as notable malware trends and cybercrime enforcement updates.

Key Discussion Points & Insights

1. RPKI Infrastructure Vulnerabilities

[00:04 – 02:00]

• Critical Finding: Chinese academics report that many servers distributing RPKI (Resource Public Key Infrastructure) data are themselves insecure.
  • Out of 64 servers analyzed, nearly 50% are susceptible to DNS hijacking.
  • Most of these are on infrastructure not defended against the very BGP route manipulations RPKI is meant to stop.
• Implication: “The very same attacks they're meant to prevent,” servers in the routing security chain are themselves exposed—a “shaky” foundation.

Notable Quote:

“Almost half of the tested servers were vulnerable to DNS hijack attacks. Almost all ran on infrastructure that's not protected against malicious route advertisements.”
—Claire Airdrop, 00:20

2. French Ministry of Economy Data Breach

[02:01 – 02:45]

• Incident: Hackers accessed a database (via a compromised staffer) holding details of 1.2 million local bank accounts—names and contact info included.
• Response: The French government is notifying all affected.

3. UK Crackdown on Revenge Porn

[02:46 – 03:20]

• New Requirement: Tech platforms must remove non-consensual explicit images of UK users within 48 hours.
• Consequences: Failure brings potential fines up to 10% of global revenue and possible platform blocking.
• Legislative Context: Amendment to Britain’s crime and policing bill.

Quote:

“Companies that fail to act on reports risk fines of up to 10% of their global revenue. Platforms that don't pay their fines may also be blocked.”
—Claire Airdrop, 03:10

4. Major Service Disruptions from Cyber Attacks

• Deutsche Bahn DDoS Attack (Germany) [03:21 – 03:50]:
  • DDoS takes out ticketing and real-time systems after news of lay-offs. No immediate suspects.
  • “No group has taken credit for the attack.” —Claire Airdrop, 03:40
• University of Mississippi Medical Centre Ransomware [03:51 – 04:25]:
  • All 35 clinics closed, lost EMR system access.
  • “Its campus includes the only children's hospital in the state.”
• Oklahoma’s C&A Tribes Ransomware [04:26 – 04:50]:
  • Attack delayed processing of spring student scholarships.
  • 80% of systems restored; Raisida group took credit.

5. Spyware & Data Breaches: Worldwide Reach

• Predator Spyware Attack (Angola Journalist) [04:51 – 05:17]:
  • WhatsApp click led to phone compromise. Spyware removed on restart.
• Australian Fintech Breach (UX) [05:18 – 05:35]:
  • Exposed data of 440,000 loan applicants—including ID scans—now for sale online.

6. Open Source & Supply Chain Attacks

• Klein AI GitHub Repo Hijacking [05:36 – 06:05]:
  • Malicious update injected openclaw AI onto user systems.
  • Accomplished via a published GitHub token, following a researcher’s blog on its exposure.
• Hotel Booking Hack in Spain [06:06 – 06:25]:
  • 20-year-old hacker exploited payments to book €20,000 in luxury hotel rooms for only a few cents.

7. Cybercrime Arrests, Convictions, and Enforcement

• US Tax Fraud By Nigerian Hacker [06:26 – 07:00]:
  • Eight-year prison sentence; $1.4M stolen via compromised tax firms.
• Interpol-Led Crackdown [07:01 – 07:15]:
  • 651 arrested across Africa for cybercrime; $4.3M in recovered assets.
• Texas Sues TP-Link [07:16 – 07:38]:
  • Accusation: Gave Chinese government data access, devices used in attacks against Americans.

8. International Pressure on Tech Platforms

• FSB vs Telegram (Russia) [07:39 – 08:12]:
  • FSB criticizes Telegram for “harboring criminal activity,” and claims platform leaked military messages—a claim Telegram rejects.
  • Platform is being blocked and throttled in Russia.

9. Malware Trends & Vulnerability News

• Phishing via Indonesia’s Tax Platform [08:13 – 08:40]:
  • "Gold Factory" group used large-scale phishing to steal $2 million by impersonating the government site.
• ClickFix Attack Vector [08:41 – 09:12]:
  • Accounted for 50% of observed malware infections in 2025, tricks users into pasting commands in terminals.
  • “First spotted in 2024 and has since become a workhorse technique.”
• ATM Jackpotting (USA) [09:13 – 09:24]:
  • Over 700 attacks last year, $20M in losses—“a significant spike.”
• PromptSpy Android Trojan [09:25 – 09:39]:
  • Uses Google Gemini for persistence and UI manipulation. Spread outside Play Store, targeting Argentina.
• Tomcat OpenID Vulnerability [09:40 – 09:59]:
  • Plugin flaw allows JWTs with unknown signature algorithms—still unpatched since September.

10. Cloud and Enterprise Security Admin Heads-Up

• Kubernetes Retires nginx Ingress [10:00 – 10:16]:
  • Administrators urged to migrate or face increased exposure to attacks.

11. DEFCON Bans Epstein-Linked Individuals

• DEFCON Ban List Expands [10:17 – 10:30]:
  • Joichi Ito, Vincenzo Iotto, and Pablos Holman banned due to Epstein file mentions.
  • “None… have been charged by US Authorities” but files document contact with Epstein.

Memorable Quotes

• On RPKI insecurity:

  “Almost half of the tested servers were vulnerable to DNS hijack attacks. Almost all ran on infrastructure that's not protected against malicious route advertisements.”
  —Claire Airdrop, 00:20

• On UK tech platform crackdown:

  “Companies that fail to act on reports risk fines of up to 10% of their global revenue. Platforms that don't pay their fines may also be blocked.”
  —Claire Airdrop, 03:10

• On malware trends:

  “The clickfix technique was the entry point for more than half of all malware infections spotted by Huntress Labs last year.”
  —Claire Airdrop, 08:50

Important Timestamps

• 00:04 – RPKI infrastructure vulnerabilities
• 02:01 – French Ministry of Economy breach
• 02:46 – UK’s new revenge porn removal window
• 03:21 – Deutsche Bahn DDoS attack
• 03:51 – UMMC ransomware disruption
• 04:26 – Oklahoma tribes ransomware, Predator spyware attack, Australian fintech breach
• 05:36 – Supply chain attack on Klein AI, Spanish hotel booking hack
• 06:26 – US and Interpol cybercrime actions
• 07:16 – Texas sues TP-Link
• 07:39 – Russia’s FSB vs Telegram
• 08:13 – Indonesian tax phishing, ClickFix malware vector
• 09:13 – ATM jackpotting, PromptSpy, Tomcat OpenID flaw
• 10:00 – Kubernetes ingress retirement, DEFCON bans

Takeaways

• Critical infrastructure and security tools need better self-protection: The RPKI story underscores systemic gaps in the architecture of Internet security.
• Governments worldwide are responding to personal data abuse and attacks with stronger regulation and law enforcement.
• Malware and phishing methods adapt quickly—trends like ClickFix highlight the importance of user vigilance.
• Open source and supply chain risks remain front and center, as does the global scale of cybercrime enforcement and cross-border operations.

Episode prepared by Catalyn Kim Panu and read by Claire Airdrop (Risky Business).