Russia launches a criminal probe into Telegram's founder. Two teenagers arrested for a South Korean bike share hack. Anthropic accuses Chinese AI firms of distillation attacks. And the US Treasury sanctions a Russian exploit broker. This is the Risky Bulletin, prepared by Catalin Cimpanu and read by me, Claire Aird. Today is the 25th of February, and this podcast episode is brought to you by Socket Security, a developer-first security platform that prevents vulnerable and malicious open source dependencies from infiltrating software supply chains.

In today's top story, Russian authorities have launched a criminal investigation into Telegram's founder and CEO. Pavel Durov is accused of facilitating terrorist activity on the messaging platform. The FSB intelligence service claims Telegram has been used to organise school shootings, harass military families and recruit spies and saboteurs. Russian authorities blocked voice calls on the platform last year and began throttling instant messaging this year. In 2024, Durov was also arrested in France and faced accusations that Telegram facilitated criminal activity.

US fintech company Marqeta is suing SonicWall over a recent security breach. Marqeta claims the firewall maker failed to secure its cloud service that backed up firewall configs. Hackers stole configuration data from SonicWall's service, which was used to breach Marqeta in December. In September last year, SonicWall confirmed the breach of its cloud service and blamed a state-sponsored threat actor.

Two high school students have been arrested in South Korea for hacking Seoul's bike sharing service. They're accused of breaching Ttareungyi and stealing data about 4.6 million users. The hack occurred in June 2024 but was only discovered this year. The two suspects met on Telegram and learned about cybersecurity while they executed the hack.

The ShinyHunters group has taken credit for hacking Dutch ISP Odido. The hackers continued to demand a ransom this week, threatening to release the stolen data. Odido previously confirmed that 6.2 million customers were affected by the breach. The ISP is offering all affected customers vouchers for F-Secure antivirus.

Hackers have gained access to the New Zealand healthcare app Medimap. The app is used for medication management in hospice and elderly care. It took down its website on Sunday after discovering the hack. The intruders changed the names of some patients to Charlie Kirk and marked others deceased.

Hackers have stolen $4.4 million worth of crypto assets from the IoTeX platform. The attackers stole the funds after compromising a private key for one of the platform's integrations. The company has offered the hackers a bounty of 10% if they return the rest of the funds.

A threat actor has exploited the YieldBlox lending platform and stolen $10 million in crypto. The hackers manipulated prices on the Stellar blockchain to withdraw more than they put in. YieldBlox has also offered a 10% bounty for the return of the stolen funds.

Step Finance has ceased operations after losing $30 million in a hack last month. The company says it failed to secure new funds or an acquisition following the breach. The two other platforms owned by the same company, SolanaFloor and Remora Markets, are also shutting down.

Anthropic has accused three Chinese AI companies of scraping its Claude model in distillation attacks. The company accused DeepSeek, Moonshot AI and MiniMax of setting up more than 24,000 Claude accounts. The companies used the accounts to run millions of queries and train their models on Claude's output.

A former L3Harris Trenchant executive has been sentenced to 87 months in prison for selling the company's exploits to a Russian broker. Australian Peter Williams pleaded guilty to theft of trade secrets last year and was sentenced on Tuesday. A hearing to decide whether Williams will need to pay restitution to Trenchant is scheduled for May. His former employer is seeking $35 million.

In related news, the U.S. Treasury has sanctioned entities associated with Operation Zero, the Russian broker that paid Peter Williams for the stolen exploits. The company supplies exploits and zero-days to the Russian government. Sanctions were levied against Operation Zero's parent company, a UAE affiliate, CEO Sergey Zelenyuk, his assistant, and two business partners. The Treasury says the business partners are also members of the TrickBot malware group and run an exploit brokerage company in the UAE and Uzbekistan. That company was also sanctioned.

Spanish authorities have arrested two further members of the Anonymous Phoenix hacktivist group. Two leaders were initially arrested in May last year. The latest two were detained last week. The four have been charged with launching DDoS attacks against government sites, political parties and public institutions.

Four malicious .NET packages have been available on the NuGet repository for more than a year. The packages worked together to deploy a proxy, steal ASP.NET Identity data and backdoor any locally developed apps. According to Socket Security, the packages have been downloaded more than 4,500 times.

A Russian-Armenian threat actor is behind a new phishing platform targeting the freight and logistics sector. The attacker has stolen more than 1,600 credentials from companies across the US and Europe. Security researchers have found overlaps between the phishing kit's infrastructure and Armenian logistics firms.

Ukraine says Russian cyber attacks on its energy grid are being used to guide missile strikes. According to Ukraine's cybersecurity agency, attackers have stopped trying to wipe the computers that control power. They appear more focused on mapping facilities, tracking repair crews and assessing recovery efforts.

Russian state-sponsored hackers are exploiting a Microsoft browser zero-day. Akamai has linked the attacks to APT28 and a cyber unit inside Russia's military intelligence agency. The zero-day can allow attackers to bypass several browser security boundaries and run malicious code outside the sandbox. Microsoft patched the bug earlier this month.

And finally, some cybercrime groups compromised the entire network within half an hour of initial entry, according to CrowdStrike. The company's annual threat report says breakout times are down from the 98 minutes recorded in 2021. The fastest breakout time recorded last was just 27 seconds.

And that is all for this podcast edition. Today's show was brought to you by our sponsor, Socket Security. Find them at socket.dev. Thanks for your company.
Risky Business Media | February 25, 2026
Prepared by Catalin Cimpanu, read by Claire Aird
This episode of the Risky Bulletin delivers a rapid-fire rundown of the latest international cybersecurity incidents and news, headlined by the Russian government’s criminal investigation into Telegram founder Pavel Durov. Additional topics include major arrests, hacks, regulatory sanctions, and new threat actor developments across the globe.
| Timestamp | Speaker | Quote / Memorable Point |
|-----------|---------|-------------------------|
| 00:16 | Claire Aird | "Russian authorities have launched a criminal investigation into Telegram's founder and CEO, Pavel Durov is accused of facilitating terrorist activity on the messaging platform." |
| 01:43 | Claire Aird | "The two suspects met on Telegram and learned about cybersecurity while they executed." |
| 03:07 | Claire Aird | "Anthropic has accused three Chinese AI companies of scraping its Claude model in distillation attacks." |
| 03:45 | Claire Aird | "A hearing to decide whether Williams will need to pay restitution to Trenchant is scheduled for May. His former employer is seeking $35 million." |
| 05:03 | Claire Aird | "Attackers have stopped trying to wipe the computers that control power. They appear more focused on mapping facilities, tracking repair crews and assessing recovery efforts." |
| 05:47 | Claire Aird | "The fastest breakout time recorded last was just 27 seconds." |
This episode paints a fast-moving and multifaceted picture of global cybersecurity threats—from state-sponsored attacks and cybercrime to law enforcement crackdowns and rapid technical advancements in both attacks and defenses. The tone is informative and urgent, reflecting the high-stakes and constantly evolving nature of cybersecurity news.