Risky Bulletin: Russia Arrests Meduza Stealer Group
Podcast: Risky Bulletin (Risky.biz)
Date: October 31, 2025
Host/Reader: Claire Aird
Prepared by: Catalyn Kim Panu
Episode Overview
This edition of Risky Bulletin presents a rapid-fire roundup of the week’s most pressing cybersecurity headlines. Main themes include: a rare Russian crackdown on the Meduza infostealer gang, U.S. espionage against Venezuela, controversial spyware revelations, and the rollout of stronger admin protections in Windows 11. The episode is characterized by Claire’s clear, newsy delivery and focuses on developments with global impact for cyber defenders and policy watchers.
Key Discussions & Insights
1. Russia Arrests Meduza Stealer Operators
- [00:08] Russian Interior Ministry announces the arrest of three suspects behind the Meduza infostealer.
- Meduza used in attacks against Russian government networks.
- Malware was sold via underground forums and as-a-service offerings on Telegram.
- “Three suspects believed to be behind the Meduza infostealer have been arrested in Moscow…” (Claire Aird, 00:10)
2. CIA Hacked Venezuelan Intelligence (2020)
- [00:21] CNN report: CIA breached Venezuela’s intelligence services the same year U.S. Cyber Command cut off Wagner mercenary satellite comms.
- Motivated by internal U.S. politics: “The attacks were used to placate President Trump during his first term when he pushed for military action against the Maduro regime.” (Claire Aird, 00:32)
3. Secret Data Pipelines: Amazon, Google, Israel
- [00:39] Israeli government required Amazon and Google to notify it, through a hidden, payment-based signalling system, whenever Israeli data is shared with foreign authorities.
- System mandated for Israeli government contracts.
4. FCC Pulls Back Cybersecurity Rules for Telcos
- [00:54] U.S. Federal Communications Commission announces rollback of Biden-era telco cybersecurity requirements.
- Rules originally introduced after the major “Salt Typhoon” intrusions.
- FCC claims industry is now sufficiently secure on its own.
- FCC moves to ban U.S. sales of products containing parts from sanctioned Chinese firms (Huawei, ZTE, etc.).
5. TP-Link Faces National Security Ban
- [01:18] U.S. Commerce Department supports one of the strictest stances yet against Chinese manufacturer TP-Link, proposing a ban due to national security risks.
- TP-Link calls the proposed ban “nonsensical.” (Claire Aird, 01:33)
6. Ribbon Communications Incident
- [01:39] State-sponsored group breached Ribbon Communications (a U.S. telco service provider) in December; detection only occurred in the past month.
- Downstream compromise of at least three Ribbon customers.
7. Canadian ICS Hacktivism
- [01:52] Multiple intrusions at Canadian industrial control systems (ICS):
- Water facility pressure spoofed, oil/gas alarm triggered, grain silo environment adjusted.
- “All the hacked systems were exposed on the Internet.” (Claire Aird, 02:08)
8. U.S. Defense Contractor Sold Exploits to Russia
- [02:11] Former L3Harris manager Peter Williams pleads guilty to selling 8 zero-days to Russia.
- Earned $1.3 million from “Operation Zero”.
- Faces up to nine years in prison.
9. Memento Labs Spyware Exposed
- [02:28] Memento Labs CEO Paolo Lezzi admits their spyware was detected by Kaspersky.
- Spyware used by undisclosed government client; older version (Dante) flagged in attacks on Russian/Belarusian targets.
10. Polish Investment Scam Gang Arrested
- [02:44] Eleven people arrested for scams stealing $20M from at least 1,500 Poles via call centers and fake sites.
11. Australian Police Crack Criminal Crypto Wallet
- [02:52] Police recovered $6 million after finding the wallet password encoded on the suspect’s phone.
- Money came from renting “Ghost” encrypted communications app.
12. npm “Invisible Dependencies” Attack
- [03:01] 126 malicious npm packages evade standard security scans, infecting developers with malware that steals tokens, CI/CD secrets, and GitHub credentials.
13. Massive Android NFC Payment Data Theft
- [03:16] 760+ Android apps found relaying contactless payment card data, fueling fraudulent withdrawals and purchases.
- Trend especially prominent in China and Russia.
14. VPNs: The #1 Ransomware Access Path
- [03:29] According to At-Bay, 80% of ransomware attacks over five years stemmed from remote access device compromise, mainly VPNs.
- Cisco and Citrix VPNs implicated as disproportionately vulnerable.
15. Confidential Computing Encryption Breaks
- [03:44] Two new vulnerabilities defeat LUKS2 disk encryption in 8 confidential computing projects, letting attackers access or tamper with what should be protected data.
16. Chinese Cyber Espionage Targets Japan, Korea
- [03:57] Sophos attributes the recent exploitation of a Motex zero-day to “Bronze Butler” (aka Tick).
- Noted for long-term campaigns against Japan/South Korea.
17. Administrator Protection in Windows 11
- [04:10] Windows 11 now features “Administrator Protection”: an extra authentication step for admin actions.
- Off by default; aims to hinder abuse of compromised admin credentials.
Notable Quotes & Memorable Moments
- On Meduza Stealer arrests: “The malware was used in attacks on Russian government networks… offered as a service on Telegram.” (Claire Aird, 00:13)
- On FCC’s regulatory retreat: “The agency now says that telcos have strengthened cybersecurity defenses on their own and there’s no need for the rules.” (Claire Aird, 01:06)
- On ransomware attack vectors: “80% of ransomware attacks were traced to remote access devices in the last five years, At-Bay has recorded a shift from remote desktop towards VPNs as the main entry point.” (Claire Aird, 03:31)
Important Segments & Timestamps
- [00:08] Meduza Stealer arrests in Moscow
- [00:21] CIA hacks Venezuela
- [01:18] TP-Link ban discussion
- [02:11] L3Harris zero-day sale guilty plea
- [03:01] npm mimicry malware attack
- [03:29] VPNs and ransomware epidemics
- [04:10] Windows 11 admin protections go live
Tone & Style Notes
Claire delivers cybersecurity news in a brisk, direct, and slightly sardonic tone, confident in the importance of each headline while sticking to the facts and avoiding editorialization.
For listeners new to the episode, this summary covers all primary storylines, dissects their context, and highlights security themes relevant to defenders, policymakers, and tech industry watchers.
