Risky Bulletin: Russia Starts Criminal Probe of Telegram Founder Pavel Durov
Risky Business Media | February 25, 2026
Prepared by Catalin Cimpanu, read by Claire Aird
Episode Overview
This episode of the Risky Bulletin delivers a rapid-fire rundown of the latest international cybersecurity incidents and news, headlined by the Russian government’s criminal investigation into Telegram founder Pavel Durov. Additional topics include major arrests, hacks, regulatory sanctions, and new threat actor developments across the globe.
Key Discussion Points & Insights
1. Russia Opens Criminal Investigation Against Telegram’s CEO
- (00:04 – 01:05)
- Russian authorities launch a probe into Pavel Durov, Telegram's founder/CEO, accusing him of facilitating terrorist and criminal activity on the messaging platform.
- The FSB alleges Telegram was used for organizing school shootings, harassment of military families, and espionage.
- Russia previously throttled and restricted Telegram services; Durov was arrested in France in 2024 on similar grounds.
- Quote:
- "Russian authorities have launched a criminal investigation into Telegram's founder and CEO. Pavel Durov is accused of facilitating terrorist activity on the messaging platform." (Claire Aird, 00:16)
2. SonicWall Breach Leads to Major Lawsuit
- (01:05 – 01:29)
- US fintech firm Marquee sues SonicWall over a data breach that led to theft of firewall configuration data.
- Hackers leveraged stolen configs to breach Marquee in December; SonicWall blames a nation-state threat actor.
3. South Korean Bike Share Service Hacked by Teens
- (01:29 – 01:54)
- Two high-school students were arrested for hacking Seoul's "Ttareungyi" public bike-sharing platform and stealing the data of 4.6 million users.
- The pair met on Telegram and taught themselves cybersecurity before carrying out the attack.
- Quote:
- "The two suspects met on Telegram and learned about cybersecurity while they executed." (Claire Aird, 01:43)
4. Ransomware and Data Breaches Around the Globe
- Dutch ISP Odido Hack (01:54 – 02:12):
- The ShinyHunters extortion group continues to pressure the ISP following a breach affecting 6.2 million customers; Odido is offering affected customers F-Secure antivirus vouchers.
- New Zealand Healthcare App Medimap (02:12 – 02:28):
- Attackers altered patient records; the app has been pulled offline.
- Crypto Thefts (02:28 – 03:05):
- IoTeX: $4.4M stolen after attackers compromised a platform private key.
- Yieldblocks: $10M stolen through an on-chain price-manipulation attack.
- Step Finance: Ceases operations after $30M hack, fails to secure more funding—subsidiaries to shut down as well.
5. AI Model Theft Accusations – Anthropic vs Chinese Firms
- (03:05 – 03:31)
- Anthropic accuses DeepSeek, Moonshot AI, and MiniMax of running distillation attacks against Claude, using more than 24,000 accounts to harvest model outputs and train their own models on them.
- Quote:
- "Anthropic has accused three Chinese AI companies of scraping its Claude model in distillation attacks." (Claire Aird, 03:07)
6. Major Arrests: Hacking and Exploit Sale
- (03:31 – 04:11)
- Peter Williams, a former executive at L3Harris Trenchant, was sentenced to 87 months in prison for selling exploits to a Russian broker; Trenchant is seeking $35M in restitution, with a hearing scheduled for May.
- The US Treasury sanctioned the Russian exploit broker Operation Zero and its affiliates, accusing them of supplying exploits to the Russian government and of ties to the TrickBot malware group.
- Quote:
- "A hearing to decide whether Williams will need to pay restitution to Trenchant is scheduled for May. His former employer is seeking $35 million." (Claire Aird, 03:45)
7. Crackdown on Hacktivists
- (04:11 – 04:22)
- Two additional Phoenix hacktivist group members arrested in Spain, charged with government site DDoS attacks.
8. Malicious .NET Packages Discovered
- (04:22 – 04:36)
- Socket Security found four NuGet packages that steal ASP.NET Identity data and backdoor the applications that include them; together the packages had been downloaded more than 4,500 times.
9. Emergent Phishing Campaigns
- (04:36 – 04:49)
- A Russian-Armenian threat actor is targeting the US and European freight and logistics sectors and has stolen more than 1,600 credentials; the campaign's infrastructure overlaps with Armenian firms.
10. Cyberwarfare Insights: Ukraine’s Energy Grid
- (04:49 – 05:11)
- Ukraine alleges Russian cyber attacks are targeting energy infrastructure to guide missile strikes, focus shifting to facility mapping and recovery tracking.
- Quote:
- "Attackers have stopped trying to wipe the computers that control power. They appear more focused on mapping facilities, tracking repair crews and assessing recovery efforts." (Claire Aird, 05:03)
11. Microsoft Browser Zero-Day Exploited by APT28
- (05:11 – 05:28)
- Akamai links in-the-wild exploitation of the zero-day to APT28, the group attributed to Russia's GRU military intelligence; Microsoft patched the vulnerability in February.
12. Breakout Times in Cybercrime Decline Sharply
- (05:28 – 05:50)
- CrowdStrike's annual Global Threat Report tracks "breakout time", the interval between an adversary's initial access and its first lateral movement to another host. The average continues to fall, and the fastest breakout recorded last year was just 27 seconds.
- Quote:
- "The fastest breakout time recorded last was just 27 seconds." (Claire Aird, 05:47)
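To make the metric concrete, here is an added example (not from the episode or from CrowdStrike's report) that computes breakout time from a constructed event stream: the timestamps, host names, and the `initial_access` / `lateral_movement` labels are assumptions for the illustration. Per compromised host it measures the gap between the first foothold event and the first lateral-movement event, reports the fastest, and flags any host whose breakout falls under a response threshold.

```python
"""Breakout time from a constructed telemetry stream.

Added example, not code from the Risky Bulletin episode or from CrowdStrike.
Breakout time here follows the definition used in the episode summary: the
interval between an adversary's first foothold on a host and the first
lateral movement observed from that host. Event format, host names and the
event-type labels are assumptions made for this illustration.
"""
from datetime import datetime, timezone

# Constructed sample telemetry (not real data):
# "<ISO-8601 UTC timestamp> <source host> <event type> <detail>"
SAMPLE_EVENTS = [
    "2026-02-20T09:14:03Z ws-17 initial_access phishing_payload_executed",
    "2026-02-20T09:14:30Z ws-17 lateral_movement smb_admin_share_to=fs-01",
    "2026-02-20T09:20:11Z ws-17 lateral_movement wmi_exec_to=dc-01",
    "2026-02-20T11:02:45Z ws-42 initial_access vpn_login_stolen_creds",
    "2026-02-20T11:51:10Z ws-42 lateral_movement rdp_to=app-03",
    "2026-02-20T13:00:00Z ws-99 initial_access browser_exploit",
]


def parse_event(line):
    """Split one telemetry line into (timestamp, host, event_type, detail)."""
    ts, host, kind, detail = line.split(maxsplit=3)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, kind, detail


def breakout_times(lines):
    """Return {host: breakout_seconds} for every host with an initial_access event.

    A host whose foothold has not (yet) been followed by lateral movement maps
    to None, as does a host whose only lateral movement predates the foothold
    (ambiguous telemetry that should be triaged rather than scored).
    """
    first_access = {}
    first_lateral = {}
    for line in lines:
        when, host, kind, _detail = parse_event(line)
        if kind == "initial_access":
            if host not in first_access or when < first_access[host]:
                first_access[host] = when
        elif kind == "lateral_movement":
            if host not in first_lateral or when < first_lateral[host]:
                first_lateral[host] = when

    result = {}
    for host, t_access in first_access.items():
        t_lateral = first_lateral.get(host)
        if t_lateral is None or t_lateral < t_access:
            result[host] = None
        else:
            result[host] = (t_lateral - t_access).total_seconds()
    return result


def fastest_breakout(times):
    """Smallest measured breakout in seconds, or None if nothing was measured."""
    measured = [t for t in times.values() if t is not None]
    return min(measured) if measured else None


def flag_fast_breakouts(times, threshold_seconds=60):
    """Hosts whose breakout is at or under the threshold a human responder can meet."""
    return sorted(host for host, t in times.items()
                  if t is not None and t <= threshold_seconds)


if __name__ == "__main__":
    times = breakout_times(SAMPLE_EVENTS)
    for host, seconds in sorted(times.items()):
        print(f"{host}: {'no lateral movement yet' if seconds is None else f'{seconds:.0f}s'}")
    print("fastest:", fastest_breakout(times))
    print("under 60s:", flag_fast_breakouts(times))
```

Run as a script it prints per-host breakout times, the fastest, and the hosts that broke out within a minute. The practical point of a sub-minute breakout is that no analyst-driven triage finishes in time; containment of the initial host has to be automated, triggered on the first foothold signal rather than on confirmation of lateral movement.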
Notable Quotes & Moments
| Timestamp | Speaker | Quote / Memorable Point |
|-----------|-------------|------------------------------------------------------------------------------------------|
| 00:16 | Claire Aird | "Russian authorities have launched a criminal investigation into Telegram's founder and CEO. Pavel Durov is accused of facilitating terrorist activity on the messaging platform." |
| 01:43 | Claire Aird | "The two suspects met on Telegram and learned about cybersecurity while they executed." |
| 03:07 | Claire Aird | "Anthropic has accused three Chinese AI companies of scraping its Claude model in distillation attacks." |
| 03:45 | Claire Aird | "A hearing to decide whether Williams will need to pay restitution to Trenchant is scheduled for May. His former employer is seeking $35 million." |
| 05:03 | Claire Aird | "Attackers have stopped trying to wipe the computers that control power. They appear more focused on mapping facilities, tracking repair crews and assessing recovery efforts." |
| 05:47 | Claire Aird | "The fastest breakout time recorded last was just 27 seconds." |
Timestamps for Important Segments
- 00:04 — Russia’s criminal case against Telegram’s Durov
- 01:05 — SonicWall/Marquee lawsuit over cloud breach
- 01:29 — South Korea bike share teen hackers
- 01:54 — Dutch ISP Odido ransomware update
- 02:12 — New Zealand Medimap healthcare app hack
- 02:28 — Multiple major cryptocurrency thefts
- 03:05 — Anthropic alleges Chinese model theft
- 03:31 — Peter Williams sentenced, Operation Zero sanctioned
- 04:11 — Spain arrests Phoenix hacktivists
- 04:22 — Malicious .NET NuGet packages
- 04:36 — Russian-Armenian logistics phishing
- 04:49 — Russian cyber attacks on Ukrainian power
- 05:11 — Microsoft browser zero-day exploited by APT28
- 05:28 — Cybercrime “breakout time” stats (CrowdStrike)
This episode paints a fast-moving and multifaceted picture of global cybersecurity threats—from state-sponsored attacks and cybercrime to law enforcement crackdowns and rapid technical advancements in both attacks and defenses. The tone is informative and urgent, reflecting the high-stakes and constantly evolving nature of cybersecurity news.
