B
And welcome along to Seriously Risky Biz. This is our podcast here, all about cyber security policy and intelligence. My name is Amberly Jack, and in just a moment, I'll bring in Tom Uren, who is our policy and intelligence editor, to chat all about this week's Seriously Risky Business newsletter. And you can, of course, read that and subscribe to it over at our website, Risky Biz. But first, first I'd like to thank the William and Flora Hewlett Foundation, who support Tom's work here, and also Lawfare, who syndicate his newsletter and publish it on the Lawfare Media website. And finally, this week's episode is sponsored by Sublime Security. So a big thank you to them for that. G'day, Tom. Great to have you.
A
G'day, Amberly. How are you?
B
Really good, thanks. And I want to jump into your first story of the newsletter this week. Some reporting's come out that sort of details a few successful disruptive cyber operations that the US has conducted against Venezuela. And this was back during Donald Trump's first term. But as successful as these operations may have been, Tom, you're sort of saying that, you know, using bringing out the cyber guns, I guess, aren't really going to do much when it comes to Trump's broader goal of ousting Venezuelan leader Nicolas Maduro.
A
Yeah, yeah. So the background to this is that for whatever reason, apparently President Trump just really dislikes Maduro and wants him gone.
B
Right.
A
I think I knew the reason at one point, but I don't know what it is now. But the story is that during his first term, he's basically the Trump administration worked as a whole lot of people were kind of, I don't know, restraining maybe Donald Trump's desires for immediate action. And it appears like in this case, they threw up all these kinds of ideas about what could be done. And people are extremely reluctant to use military force against another country, mostly because it's got a long history of being successful in the short term. You achieve your military objectives, but you never achieve your longer term objectives about reshaping the country, the target country or whatever. And so they came across, I guess, a campaign of different disruptive cyber activities. So some of those have been reported before last year by Zach Dorfman in Wired, and he spoke about a campaign to disrupt the pay of the military. Now, this reporting has the CIA disrupting Maduro's intelligence service, so knocking their network offline, presumably temporarily, because these things never last. And there's another operation described where Cyber Command disrupts the satellite comms of the Wagner Group, which is a group of Russian mercenaries, and they were deployed to Venezuela, reportedly to help support the regime of Nicolas Maduro. And so there are these different campaigns, operations going on, and by all accounts, they were all successful. So if you think about the United States, it's the top, or at least the top one, two or three cyber powers. It's got the most capability to do, like, you know, a vast range of different cyber operations. And then you compare it to Venezuela, which has got to be the smallest fish in the sea.
B
Or as you pointed out in the newsletter here, the US is an orca and Venezuela is a sardine.
A
I guess a cyber sardine. Even so, like, no surprise, the operations are a success. Trump's goal was to get rid of Maduro. And of course, you can have a computer fall over, and it doesn't make any difference for the country's leadership. And so I think this is a really interesting example of the limits of cyberpower. You've got the most powerful country versus one of. That's got to be one of the least powerful, and it just can't achieve certain goals. So the CNN piece, which is the most recent one, talking about the Wagner Group disruption and the intelligence service disruption, it's got this nice quote from a former White House official who says the hope was that aggressive covert action could cause enough discomfort and create sufficient disturbances that the military, which has played a critical role in keeping Maduro in power, would be convinced to switch sides. So that, at first glance, seems reasonable enough. You make it painful not having second thoughts about supporting this guy. But the previous piece I referred to, which was in Wired last year, it talked about just the state of the country at the time. So an official then is talking about the average person has lost 25 pounds, they have no food, they have no electricity, they have no jobs, they've no medicine. And so if a situation is that dire and you're still able to remain in power, it's not likely that switching off a few computers here and there is going to make any difference whatsoever. So it does seem that the pay disruption, where they cut military pay, like it had some effect. People didn't like it. But I think when you're talking about an entire country, it's just, you know, disrupting those things seems like it's going to be like, it's a very tenuous path to get from not getting paid to overthrowing a regime. So I think it's just a great example of the things that cyber is not good for. And I guess in the broader sort of context. Today we've. 
It looks like the lesson that Trump learned from this is that cyber operations are not that good. If I want direct action, I want direct action. So today we've got the USS Gerald Ford, an aircraft carrier steaming, or whatever aircraft carriers do, towards the Caribbean, and we've also got a whole lot of strikes of supposed drug boats, a lot of them coming out of Venezuela. And so the lesson he seems to have learned is that if you want real action, you get, like, the real military to launch bombs and sail ships and boats and all that kind of stuff. Yeah, yeah. But I just thought it was a great example of the limits.
B
I appreciate that you sort of said, you know, it seems to highlight, I guess, what these cyber operations are not good for. But it seems, at least in part, they were kind of good at satisfying Donald Trump the first time around.
A
Yeah, yeah. That's one of the points the reporters make, is that part of the value of these operations was that they were, I guess, a dog and pony show where you could say, look, President Trump, here are the things we're doing. These are, you know, highly sophisticated, finely tuned, orchestrated operations that will achieve a specific effect and sort of sidestepped the requirement to do something more muscular or more kinetic, I guess. And so it's. It was a way of avoiding the quagmire. And I think it is a good example of they give you extra options. So if you want to disrupt Maduro's intelligence service, it's a big step to do that with a guided missile or a cruise missile or whatever. That's like a very different thing. Doing it with a cyber operation, like, it's not as. In some sense, it's not as good, it's not as enduring, it's not likely to degrade their capacity for a long time, but it's better in the sense that you can do it, you can do it now, you could probably do it next week, you might be able to do it the week after that. And you're not committing to a military engagement that you, in some sense, lose control of when it starts and when it stops. And I guess the ramifications are just a lot more significant. So I think there is still, like, tremendous value in them. It's just the right time, the right place for the right purpose. Yeah.
B
And I want to move on, Tom, to your second piece, and this is sort of something that you've given great analysis on before, is the sort of unconstrained collection of geolocation data being a real national security risk in the U.S. But there's some new reporting that you've touched on today that kind of highlights that out of control ad tech issue is a problem for everyone. So tell me a little bit about what that reporting was and what it found.
A
Okay, so a group of investigative journalists in Europe gathered together basically free samples of data from, well, information from data brokers. And that contained mostly smartphone geolocation data. They amassed 13 billion records that they got for free. So presumably they went around to a number of data brokers. They don't say how many. It struck me as that's, that's a large amount of records. They say each record was associated with a unique device identifier. So if you've done any work or any thinking about this kind of material, it means that once you've got a unique device identifier, you can track a device over time. And because it's geolocations, you've got it over time and over places. So it's very easy to construct a pattern of life for an individual device. And that means you can tie it to workplaces, homes, places of worship, where they visit doctors, medical facilities. It's like trivial to do that if it's a unique identifier and they got this data and then they basically said, in this country, here's an example of the types of people that we were able to essentially identify or dox or whatever around the European Parliament. We were able to find senior EU officials, people working for this organization, people working for that organization. And because it's a group of journalists, they did that in a number of different countries. The Netherlands, Norway, Switzerland, Ireland. It's all the same story. If you've got data like that, you can find important people and you can basically track them and know where they go.
B
And being able to collate that kind of, to that daily routine so easily, I mean, that's, you know, kind of important and scary stuff.
A
Yeah, yeah, yeah. The, the Swiss report, it actually contains a very nice data visualization of one particular individual. And they've got the dots on maps at this time they went here and this time they're here. And that person was actually fairly rigorous with the types of apps that they used. So they weren't using all the apps all the time with all the permissions. So that seemed like a realistic example of what you could do with a particular normal person. And that was quite a striking visualization. So people have done that. The New York Times did that in the US and it's never been clear to me, you know, the Europeans use Apple and Google, but they've got the GDPR, the General Data Protection Rule, which is viewed as the most stringent data privacy rule. So it was never quite clear to me, at the top of the funnel, they're using the same Internet advertising technologies. But is the sort of process of that data working its way through to data brokers, is that disrupted by the GDPR? Does that mean that they're safe? So a couple of years ago, the Irish Council for Civil Liberties looked at this thing called RTB, which is like kind of, it's an auction. Every time you visit a web page, there's an auction to sell you an ad. Yeah. And so that's one way that that feeds data into the advertising machine. So I knew that at the top of the funnel there's this stuff that goes on, but this reporting shows that, yeah, it actually does flow through to data brokers, collating and reselling it in a way that the individual consumer can't control. So we've known that it's a problem in the US, and this reporting just shows that it's going to be a problem everywhere. Like nowhere has stricter privacy rules than the EU. So if it's not, that doesn't stop it. Nothing is stopping it. So, you know Australia, where I live, I'm sure we've got this problem. Canada, the UK, everywhere has this problem. We just haven't known it because there hasn't been good reporting about it.
B
Yeah, yeah.
A
Even New Zealand.
B
Even way down here in little old New Zealand.
A
That's right.
B
Now, Tom, I want to jump into your final piece of reporting here, which is that we've seen a report recently about how organised crime is collaborating with cyber criminals to steal cargo from logistics companies. And this kind of feels like the Goodfellas hackers crossover that we never knew we wanted. But how exactly are they doing? Do we know how exactly they're doing this? And tell me a little bit more about what's going on here.
A
How exactly? It depends what you mean by exactly, because the exact answer is that they're hacking and then they're stealing. Proofpoint has this report. They're like a cyber security company. And so I think it's very good at the first parts, which is they, you know, use various mechanisms to get into trucking and logistics companies and they're using legitimate tools and they're abusing them to gain access and then they use that to bid to carry cargo from point A to point B. So apparently they're these marketplaces. It seems like they get I guess you call it intelligence about what the high value loads are or loads that they would be interested in and it appears that they bid for them. And then Proofpoint is not a shipping company, so it gets a bit hazy there. But there's testimony from a woman, Donna Lem, on behalf of the American Trucking Association, where she testified to the U.S. Senate. And she talks about what she calls is strategic theft of cargo. And that often involves cyber enabled parts and some so that she's got. She breaks it down quite nicely in. There's these different ways that you can steal cargo. Sometimes it's just turning up with a truck with the right logo and the right uniform and pretending to be the right shipment. And so you could imagine that if you're a cybercriminal, you get the right information, the organised crime group could turn up with the right looking truck.
B
Yeah.
A
At the right time or perhaps just ahead of the right time, take the cargo and be gone. But that part's a bit, I guess there's many options. Another way is that you just alter the shipping destination and you send it somewhere else. So the legitimate purchase or you know, they've got an address, but you just alter it so it ends up somewhere else that the organized crime group can take control of. Now she actually Lem said that these organized groups can be vast and have their own call centers, operate seemingly legitimate warehouses and online marketplaces. So it seems that once you're operating at that scale, you've got a lot of different options and that the cyber enabled part, you would choose whatever works for you, like however you want to do that part, it would facilitate, you know, the next step, whatever you're good at. So I thought this was just fascinating and it also seemed that when you've got that scale, and that's because cargo theft is a huge business. So apparently in the States it's like $35 billion. That seems like a number to me. It's a big enough number that you can afford to either pay hackers or employ them. And if they're, you know, adding a percentage or 10% to your business, like that's actually a pretty good deal. I think it just struck me that both the U.S. Senate testimony, she said this is becoming a bigger thing, like there's, as the supply chain becomes more digitized, there's more opportunities to use like basically malware or illegitimate access to sort of boost, boost your thefts. And it's also something that Proofpoint's observed, is that they've observed lots and lots of these campaigns I think it was just a dozen since maybe August or something like this. So quite a lot recently. And they also have another report which is basically the same thing, just a different mechanism of using cyber to steal stuff. And that was more aimed at high end electronics and it used a different way. 
I think it was coming up with kind of bill of lading or something like that.
B
But, you know, same idea just suddenly popped into my head as well. You were also mentioning to me this morning that one of the, one of the favorite things was energy drinks. Is that. That's right.
A
So. So the US apparently it's quite common to have energy drinks that are just illegal in other countries because you know, it's a free country, you can drink whatever you like, even if it's freedom drinks, even if it's going to kill you. And so the they're high value, you can transport them to somewhere else where they're illegal and you can get a premium. Wow. Because of that, I guess black market nature of the energy drink, you know, it's not just an energy drink, it's a black market illegal energy drink.
B
Gone are the days of hijacked cigarette trucks.
A
Oh well, yeah, I don't know. That's gotta be a thing too, surely.
B
Yeah. Tom, I kind of love in this newsletter how you refer to yourself as an eternal cyber security optimist as well. But you have sort of no hopes of this kind of real world cyber enabled crime to be stopping anytime soon.
A
I kind of think of cybersecurity as you're plugging the obvious holes first. And in a way, if you're an optimist, that means you get to the less obvious holes because you're plugging the obvious ones. And I think cyber criminals doing this kind of hacking is a non obvious hole. So in a way it's an evidence that things are getting better because it's harder to just be a cybercriminal and steal like magic money just by yourself. And so in a way, in a weird way this is a sign of optimism. But I think it also makes it worse at the same time because now cybercrime is having real world impacts which seems like bad.
B
And I guess that's kind of, I mean that's a sort of theme that we touch on quite a bit. Seems to be, you know, no matter how good or how many ways we find to stop whatever's happening, there's always something in the background ready to come up and seems like, yeah, I think.
A
Like sort of my meta philosophy about this is that everything was built without security in mind. Yeah. And that made us get to a place where, like, the Internet is very, very useful. It's just, like, very, very insecure. And because it's been built the entire time without those security checks, it takes a long time to, you know, build them into processes now. But if we'd been building security in from the beginning, we probably wouldn't really have the Internet. So, you know, it's okay.
B
All right, Tom. Hey, on that note, we may actually leave it there, but thank you so much for joining me once again. And, of course, you can read Tom's full analysis in the Seriously Risky Business newsletter on our website, Risky Biz. But, Tom, have a great week, and we'll catch you same time next week.
A
Thanks, Amberly.
Podcast: Risky Bulletin
Hosts: Amberly Jack & Tom Uren
Date: November 6, 2025
Theme: Dissecting the practical—and strategic—limits of cyber operations as tools for regime change, the pervasive risk of location data brokers, and the real-world collision of cybercrime with classic organized theft.
This episode of Srsly Risky Biz dives deep into three major stories:
The hosts combine thorough analysis, anecdotes, and candid takes, with Tom Uren's optimistic-yet-realistic perspective on cyber threats running throughout.
(Main segment: 00:44-09:02)
Background:
During Donald Trump’s first term, the US covertly targeted Venezuela’s Maduro regime with several cyber operations—disrupting military pay, knocking out intelligence networks, and even targeting Russian mercenary communications.
Outcome:
These operations, though successful at a tactical level, utterly failed to achieve Trump’s broader goal: unseating Nicolás Maduro.
Analysis:
Broader Implications:
(Main segment: 09:02-13:45)
New Reporting:
A group of European journalists obtained 13 billion records of smartphone geolocation data from data brokers—for free. Each record ties to unique device identifiers, making it easy to reconstruct the routines and identities of politicians, officials, individuals.
Key Insight:
GDPR is not enough—strict European privacy rules did not stop the mass flow of sensitive data from ad tech to data brokers.
Quote:
"Nowhere has stricter privacy rules than the EU. So if that doesn’t stop it, nothing is stopping it." — Tom Uren (12:59)
Examples:
Conclusion:
The ad tech-driven data economy enables commercial—and potentially hostile—tracking of almost anyone, everywhere, regardless of privacy laws.
(Main segment: 13:54-19:18)
Emerging Threat:
Cybercriminals and organized crime are now collaborating to orchestrate large-scale cargo theft. Reports from Proofpoint and US Senate testimony highlight cyber-enabled "strategic theft" in logistics.
Methods:
Scale:
Quotes:
"Sometimes it's just turning up with a truck with the right logo and the right uniform and pretending to be the right shipment." — Tom Uren (15:50)
"Now cybercrime is having real world impacts which seems like bad." — Tom Uren (20:16)
Anecdote:
Analyst Take:
This convergence of digital access and physical theft is both a sign of maturing cyber defenses (pushing criminals to harder tasks) and of increasing risk as supply chains digitize.
| Timestamp | Segment |
|-----------|---------|
| 00:44 | Main story: US cyber ops in Venezuela—background and outcomes |
| 03:50 | US vs. Venezuela: "orca and sardine" analogy; effectiveness of operations |
| 05:59 | Discussion on futility of cyber regime change in dire political environments |
| 07:22 | Cyber ops as “dog and pony show” for political leadership |
| 09:02 | New findings: European investigative journalism on geolocation data brokerage |
| 11:17 | Data privacy and GDPR’s failure to stop the flow of personal data |
| 13:54 | Cargo theft: organized crime & cyber, tactical methods, scale of problem |
| 15:50 | Real-world theft methods aided by cyber intelligence |
| 18:42 | Unusual black-market goods: energy drinks |
| 19:43 | Tom’s “optimist” view: defending as a never-ending, but improving, battle |
| 20:54 | Philosophy: Internet’s vulnerability is a result of its open, utilitarian origins |
This episode lays bare the real-world limits of cyber operations—how even the world’s top cyber powers can’t force regime change against targets like Venezuela with just bits and bytes. It underscores the perilous, largely unregulated trade in personal geolocation data, showing modern privacy regulations still offer little real protection. And it paints a vivid picture of how organized crime remixes classic theft with digital tactics, turning trucks full of energy drinks into high-tech heists.
If you want to understand what cyber power can—and cannot—actually do on the global stage, how fragile your location privacy really is, and why criminal hackers and gangsters may be swapping notes, this episode delivers thoughtful, unvarnished insight.