RPKI relies on vulnerable services, the French Ministry of Economy discloses a data breach, the UK gives tech platforms 48 hours to remove revenge porn, and ClickFix attacks are responsible for half of malware infections. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 20th of February and this podcast episode is brought to you by runZero, the total attack surface and exposure management platform. In today's top story, Chinese academics say many backend servers that support RPKI-secured Internet route distribution are themselves vulnerable to takeover. Recent research analysed 64 servers that publish route origin authorisation data. This data is used by Internet networks to verify BGP route advertisements. The researchers found that almost half of the tested servers were vulnerable to DNS hijack attacks. Almost all ran on infrastructure that's not protected against malicious route advertisements, the very same attacks they're meant to prevent. In other news, hackers have compromised a French Ministry of Economy staffer and accessed a database of local bank accounts. The database stored information about more than 1.2 million accounts, including owner names and contact details. The government will notify all affected account holders. Tech platforms will be given 48 hours to remove non-consensual explicit images of UK users. The new requirement is being added to Britain's Crime and Policing Bill. Companies that fail to act on reports risk fines of up to 10% of their global revenue. Platforms that don't pay their fines may also be blocked in the UK. A coordinated DDoS attack is disrupting Germany's national rail operator. Deutsche Bahn said Tuesday's attack has affected ticketing and real-time information systems. The attack came shortly after the company announced layoffs in its freight cargo division. Six thousand of its 14,000 employees would be let go. No group has taken credit for the attack.
A cyber attack has forced the University of Mississippi Medical Center to temporarily close its 35 clinics. All surgeries and appointments will be rescheduled for later dates. The hospital group said it lost access to all IT functions, including its electronic medical records system. UMMC has more than 10,000 employees. Its campus includes the only children's hospital in the state. A ransomware attack has disrupted the IT systems of Oklahoma's Cheyenne and Arapaho Tribes. The incident occurred in December and disabled the tribal government's IT, phone and email systems. The incident primarily impacted its higher education program, delaying the processing of spring scholarships. Officials have now restored access to 80% of affected systems. The Rhysida group has taken credit for the attack. The Predator spyware was used to hack the personal phone of a prominent Angolan journalist and activist, according to an Amnesty International investigation. Tayshire Kanjido's phone was infected in 2024 when he clicked a malicious link in WhatsApp. The spyware was removed after Kanjiro restarted his phone. Predator's developer, Intellexa, said it only sells its spyware to government clients. A breach at an Australian finance tech company has exposed the personal information of more than 440,000 citizens. The breach at Sydney firm UX occurred last week. Hackers are now selling the data on underground forums. The stolen information includes the personal details of loan applicants, including government identification scans. A threat actor has hijacked the GitHub repository of the Cline AI coding agent. The attacker used the repo to push a malicious update to Cline's npm library. The update didn't deploy malware. Instead, it deployed a version of the OpenClaw AI agent on Cline users' systems. The attacker stole the project's GitHub publishing token after security researcher Adnan Khan blogged about a vulnerability that exposed the token.
Spanish police have detained a 20-year-old who's accused of hacking a hotel reservation platform. He manipulated the site's payment system to book luxury hotel rooms for 1 cent. Police arrested him at a Madrid hotel on Wednesday, where he had racked up a bill of more than €20,000. A Nigerian hacker has been sentenced to eight years in a US prison for hacking Massachusetts tax preparation firms. Matthew A. Akunde used the stolen data to file fraudulent tax returns with the IRS. He made almost $1.4 million before being arrested in Mexico in 2024. A joint operation between Interpol and multiple African countries has led to the arrest of 651 cybercrime suspects. The detained individuals have been linked to investment scams, mobile fraud and bad loan applications. Authorities also recovered $4.3 million in stolen assets. The US state of Texas has sued router maker TP-Link. Texas Attorney General Ken Paxton claims the company granted the Chinese government access to Americans' data. The suit also claims the devices have been used by Chinese hackers against Americans. Russian FSB chief Alexander Bortnikov has accused Telegram of harbouring criminal activity. In a statement, Bortnikov said the messaging platform ignored more than 150,000 content removal requests from Russian authorities. Russian officials also claim that foreign intelligence services have read messages exchanged between its soldiers. Telegram said the statement was a fabrication. Russia began blocking and throttling the platform's traffic last week. Hackers have impersonated Indonesia's tax platform and stolen up to $2 million. A large-scale phishing operation that targeted Android users began in January, ahead of the country's tax deadlines. Security firm Group-IB has linked the attacks to a group it tracks as GoldFactory. The ClickFix technique was the entry point for more than half of all malware infections spotted by Huntress Labs last year.
The method was first spotted in 2024 and has since become a workhorse technique. It tricks users into copy-pasting malicious commands into their Windows or Mac terminals. The FBI says the number of ATM jackpotting attacks has spiked. In the US, more than 700 attacks were reported last year, which resulted in $20 million in losses. In the four years prior, just 1,200 total attacks were reported. ESET has discovered a new Android remote access trojan that abuses Google Gemini to remain active on infected devices. PromptSpy uses Gemini to analyze contents on screens and plan its interactions with the user interface. The malware is distributed outside of the Play Store and has been used in campaigns targeting Argentina. A vulnerability in an OpenID plugin for Tomcat allows threat actors to bypass authentication. According to security firm ERNW, Tomcat's OpenID Connect authenticator will accept JWT tokens with an unknown signature algorithm. The issue was discovered in September but remains unpatched, as the library's developer could not be contacted. The Kubernetes project is retiring its NGINX ingress controller in March. The project has warned administrators that continuing to use the controller will leave them exposed to attacks. Developers will need to migrate to a new ingress controller. And finally, the DEF CON security conference has banned three individuals who were mentioned in the Epstein files from attending its events. Vincenzo Iozzo, Joichi Ito and Pablos Holman were added to the ban list this week. None of the individuals have been charged by US authorities, but files released by the DOJ detailed their contact with the late Jeffrey Epstein. And that is all for this podcast edition. Today's show is brought to you by our sponsor runZero. Find them at runzero.com. Thanks for your company, Sam.
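The Tomcat item above turns on a single defensive rule: a JWT verifier must decide which signature algorithms it will accept before it looks at the signature, and reject anything else. The following is an added example, not ERNW's finding, Tomcat's code or any real library; it is a small stand-alone HS256 verifier with an explicit algorithm allowlist, plus a token builder that only exists to construct test inputs (including a deliberately unsigned one with `"alg": "none"` and one with a made-up algorithm name) so the rejection paths can be exercised. The key and claims are constructed demo values.

```python
import base64
import hashlib
import hmac
import json


class JwtError(Exception):
    """Raised for any token the verifier refuses to accept."""


# The only algorithm this verifier implements. Anything else is rejected up front,
# regardless of what the token's header claims. (Constructed allowlist for the example.)
ALLOWED_ALGS = frozenset({"HS256"})


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore padding that JWT base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a token for testing. Only HS256 is really signed; any other `alg`
    gets an empty signature, which models the unsigned/unknown-algorithm cases."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest() if alg == "HS256" else b""
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, key: bytes, allowed_algs=ALLOWED_ALGS) -> dict:
    """Return the claims if and only if the header algorithm is allowlisted
    and the HMAC over header.payload matches; raise JwtError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise JwtError("malformed token: expected three segments")
    header_b64, payload_b64, sig_b64 = parts

    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError) as exc:
        raise JwtError("malformed header") from exc

    # The fix for the class of bug in the news item: check the algorithm BEFORE
    # trusting the signature. A non-string or unlisted `alg` is rejected here.
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in allowed_algs:
        raise JwtError(f"algorithm {alg!r} is not allowed")

    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise JwtError("signature mismatch")

    return json.loads(_b64url_decode(payload_b64))


def classify(token: str, key: bytes) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        verify_token(token, key)
        return "accepted"
    except JwtError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    demo_key = b"constructed-demo-key-not-for-real-use"
    claims = {"sub": "alice", "role": "user"}
    for label, tok in [
        ("signed HS256", make_token(claims, demo_key)),
        ("alg=none", make_token(claims, demo_key, alg="none")),
        ("unknown alg", make_token(claims, demo_key, alg="XS256")),
    ]:
        print(f"{label:>14}: {classify(tok, demo_key)}")
```

The ordering inside `verify_token` is the whole point: the algorithm check happens before any signature work, so a header naming an algorithm the server does not implement never reaches a code path that might treat "no signature" or "signature of a type I cannot check" as success.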
Podcast: Risky Bulletin (Risky Business)
Host: Claire Aird
Date: February 20, 2026
This episode delivers tightly-packed cybersecurity news and analysis. Headlining is the troubling insecurity underlying much of the RPKI infrastructure designed to protect the internet’s routing system. Additional stories cover major data breaches, a new UK law targeting non-consensual explicit images, disruptive attacks against public services, as well as notable malware trends and cybercrime enforcement updates.
On RPKI insecurity:
“Almost half of the tested servers were vulnerable to DNS hijack attacks. Almost all ran on infrastructure that's not protected against malicious route advertisements.”
—Claire Aird, 00:20
On UK tech platform crackdown:
“Companies that fail to act on reports risk fines of up to 10% of their global revenue. Platforms that don't pay their fines may also be blocked.”
—Claire Aird, 03:10
On malware trends:
“The ClickFix technique was the entry point for more than half of all malware infections spotted by Huntress Labs last year.”
—Claire Aird, 08:50
Episode prepared by Catalin Cimpanu and read by Claire Aird (Risky Business).