Risky Business #814 — "It's a bad time to be a scam compound operator"
Date: November 12, 2025
Host: Patrick Gray
Co-host: Adam Boileau
Sponsor Interview: Haroon Mir, Thinkst Canary
Episode Overview
In this episode, Patrick and Adam dive into the week’s biggest information security news stories, focusing heavily on harsh crackdowns on scam operations in Southeast Asia, a major ransomware attack with economic impact, multiple notable breaches, and the evolving security landscape—plus, a deep-dive sponsor segment calling for greater transparency from security vendors. The show maintains Risky Business’s signature frank, insightful, and sometimes irreverent tone.
Key Discussion Points & Insights
1. Crackdown on Scam Compounds in Southeast Asia
- Myanmar’s KK Park Compound Dynamited
- Major compound in Myanmar (“KK Park”), hub of large-scale scam operations, partially destroyed in a highly publicized explosion.
- Local reports mixed: Some suggest the destruction was "performative," with key operators extracted before demolition.
- The crackdown reflects increasing outside pressure—as scam operations become too large to ignore.
- Patrick Gray: “Even if that's the case, there is definitely a lot of focus on these scam compounds. They have gotten too big to really kind of continue as they were.” (01:52)
- China’s Ruthless Justice
- China sentenced five Myanmar scam ringleaders to death, a recurring pattern in response to such crimes.
- Adam points out that China’s government is motivated partly by ideology: “The exploitation of people for this sort of activity is something that is so offensive to Chinese communist ideology that I'm not surprised that these guys are getting lined up against the wall…” (04:29)
- Ongoing cross-border enforcement activity by Chinese police and military.
- Singapore: Caning as Deterrent for Cybercrime
- New laws impose six to 24 strokes of the cane for scammers and money mules.
- The severe penalties are framed against Singapore's overall low crime rate; scams now account for 60% of reported crimes.
- Adam’s witty but telling summary: “The moral of the story is Singapore, probably not the place to do it. China is certainly not the place to do it, and the other places, you know, a little bit getting more dicey by the day.” (07:33)
2. Regional Law Enforcement Tactics—Anecdotes & Analysis
- Patrick recalls Australian Federal Police working alongside Southeast Asian officials, whose readiness to pursue extreme actions and legal means can be effective but is occasionally alarming.
- “Once the wheels of justice start moving in Asia, yeah, they certainly do grind inexorably towards an outcome…” (08:18)
3. Chinese Cybersecurity Breach: Knownsec
- Background:
- Knownsec, a well-established cybersecurity firm and Tencent subsidiary, was breached.
- Leaked internal documents appeared (briefly) on GitHub; analysis ongoing (documents mostly in Chinese).
- What Was Exposed:
- Not a full-on offensive APT shop, but the leak covers: Internet scanning services akin to Shodan, lists of known-vulnerable systems (e.g., in Taiwan), and data collection from major email providers including Gmail.
- Some ambiguity—sales/marketing claims vs. reality.
- Real interest: whether capabilities advertised are actual or aspirational.
- Adam: “Is it a pen test company plus Shodan, or is it offering like rats to the MSS? Like. We don't actually know yet.” (12:24)
4. US Congressional Budget Office Breach
- Ongoing cyber incident at the Congressional Budget Office during the US government shutdown.
- Other agencies advised not to interact with CBO; evidence attackers are still inside.
- Security effectiveness hampered by government staff availability during/after the shutdown.
- Cumulative effect of shutdown and budget cuts predicted to undermine future security.
- Patrick: "I don't think we really know how badly things have atrophied over the last five weeks of this US government shutdown. But yeah... neglect will gradually reveal itself." (14:04)
5. NSO Group Resurrection & US Ties
- NSO acquired by US investors, with former Trump-era ambassador David Friedman as Executive Chairman; the stated intent is to pursue US government contracts.
- Patrick is openly critical of NSO’s new legitimacy and the risk of a less responsible approach to spyware oversight.
- Adam points out that, in geopolitical terms, US control is "better" than some alternatives ("not the worst place for them to land"), but standards for legal controls and oversight are what really matter.
- Standout Quote:
- "Seeing anyone involved in that enterprise sort of rewarded and legitimized is a bad thing." — Patrick (17:39)
6. Lapsed US Cyber Information-Sharing Law (CISA)
- The Cybersecurity Information Sharing Act (not to be confused with the CISA agency) expired, potentially exposing companies that share threat data with the government to legal liability.
- Renewal of the bill is tied to government funding; it is likely to be temporarily extended, but the lapse is a clear indicator of poor legislative process.
- Adam: “It was a dumb thing to throw out with the bathwater. And I'm glad that, even if it's temporary, it's going to be moving onwards and presumably they will get it right eventually.” (24:25)
7. Ransomware’s Economic Toll: Jaguar Land Rover Attack
- Bank of England cited the JLR ransomware event as a direct factor reducing UK economic growth, quantifying the real-world impact.
- Per the Bank of England, the effect was larger than that of the infamous WannaCry event.
- Adam: “That's significant... these guys are going to be looking at taking the rap for the Bank of England saying that GDP is down because of them. That's not going to be good for your process.” (26:16)
8. SonicWall Brute Force (or Not) Incident
- SonicWall confirmed that the breach of its cloud config-backup service was the work of a state-backed actor, but the exact intrusion method (pure brute force, or an underlying bug?) is now questioned by Patrick and Adam.
- Adam’s hunch: Original suspicion of brute force may have masked a platform bug that enabled large-scale theft.
9. Nikkei’s Slack Breach: SaaS Risks Highlighted
- Japanese media giant suffered a breach of its Slack workspace, exposing chat logs and data for 17,000 users—including sensitive source information and possible credentials.
- Patrick: “I still feel like a lot of organizations, they don't really think enough about what an exposure of something like Slack actually means for them.” (29:33)
10. Intel Insider Data Theft—Amusing Workaround
- Disgruntled engineer blocked from USB data exfiltration simply plugged a NAS into the network to steal sensitive docs—a reminder of the difficulty of preventing insider threats despite technical controls.
- Adam: “You just feel bad for the people that had to work such a long time getting USB controls in place and then circumvented by plugging in a NAS...” (33:01)
11. OWASP Top 10 2025: More Sophisticated Threat Landscape
- New release candidate moves away from “facepalm dumb stuff” and focuses on categories like:
- Broken Access Control (still #1)
- Security Misconfigurations (#2)
- New: Software Supply Chain Failures—reflecting real-world dependency and packaging attacks
- Cryptographic issues drop in the ranking as overall practices improve
- New: Mishandling of Exceptional Conditions and Logging/Alerting
- Patrick: “It’s more nuanced now, it’s a little bit more sophisticated. So I feel like that’s good.” (35:01)
- Adam: Praises consolidation allowing important new classes of failure to be added.
12. Vulnerability Disclosure Norms: The FFMPEG Debate
- Ongoing industry debate: How should open source bug reporting work in an AI-assisted future?
- Patrick and Adam agree—norms should shift from "burn everything in 90 days" to more collaboration, context and constructive engagement—especially with open-source, under-resourced projects.
- Patrick: "Turning that into a bit of a norm is not the worst. But you had a conversation with someone... and they seemed more receptive to our position on that. So I think opinion seems to be split everywhere on this." (40:18)
13. Peter Williams Trenchant Leak: Real-World Harm
- New info: A bug sold by the convicted insider ended up in North Korean hands.
- Patrick denounces Williams’ actions, highlighting broader risks of the exploit gray market: "How bad it is, what he did, like, how appalling his actions were..." (44:05)
Notable Quotes & Memorable Moments
- On Southeast Asian Scams:
“So 2025 is not really the year of nuance, is it?” — Adam (05:46)
- On Singapore’s harsh penalties:
“They're not going to just gently stroke them. They are going to lash them with a cane.” — Patrick (05:59)
- On US policy drift:
“You know, it does seem to have been a particularly important thing. And, you know, I think at the moment there is some kind of somewhat bipartisan support for extending it properly...” — Adam (23:50)
- On legal controls for spyware:
“When it comes to spyware, the thing that really matters is the legal controls around it, the legal framework around how it's allowed to be used.” — Patrick (20:13)
- On enduring security controls:
“The stuff that I'm interested in from a security products point of view... is what I would describe as enduring controls. Right? And the great thing about enduring controls is they tend to be a lot simpler than the stuff that is getting owned sideways these days.” — Patrick (56:37, sponsor segment)
Sponsor Interview: Greater Transparency from Security Vendors
Guest: Haroon Mir, Thinkst Canary
- Main Message: Security vendors should be transparent about how they secure their products and infrastructure, via straightforward “/security” pages detailing practices, architecture, and mitigation strategies.
- Haroon: “Customers should be demanding... 'Hey, you're going to be doing this dangerous internal thing. Show us... how are you auditing this code?'” (47:23)
- Larger, older vendors rarely offer this visibility, while smaller startups are held to a higher standard.
- Simple, enduring controls (like allow listing, honeypots) are preferable to bloated, complex solutions.
- Haroon: “We shouldn't be introducing those things. And you'll still see a ton of security products still introducing security badness.” (54:43)
- New Thinkst Canary releases: Support for Oracle Cloud and Nutanix platforms—further extending deployment options (60:33).
- Haroon reflects fondly on “sav[ing] everyone on all seven continents” with their devices, including Antarctica (61:56).
Timestamps for Important Segments
- 01:00 — Crackdown on Myanmar scam compounds / China’s executions
- 05:49 — Singapore’s tough anti-scam penalties
- 09:53 — Knownsec breach analysis
- 12:13 — Congressional Budget Office breach (ongoing), US government shutdown impacts
- 17:18 — NSO Group’s US pivot and implications
- 21:35 — Meta’s ongoing injunction vs. NSO
- 21:40 — US Cybersecurity Information Sharing Act lapses
- 24:33 — Jaguar Land Rover ransomware impacts UK GDP
- 27:10 — SonicWall breach: brute force or something more?
- 29:44 — Nikkei Slack data breach
- 31:53 — Intel insider threat method (USB blocked? Try a NAS!)
- 33:55 — OWASP Top 10: New focus, new risks
- 39:04 — FFMPEG/Google bug reporting norms
- 44:13 — Peter Williams/Trenchant exploit sales to threat actors
- 47:23 — Sponsor interview: Why every vendor needs a transparency page
- 60:33 — Canary’s new releases (Oracle Cloud, Nutanix)
- 61:56 — Anecdotes: Antarctic customers and the pride in global reach
Episode Takeaways
- Enforcement against cyber-enabled scams is becoming more severe, both in Asia (with dynamite and caning) and in transnational policy.
- Ransomware attacks now have quantifiable, macroeconomic impacts—a development that could shape policy and law enforcement focus.
- Security breach reporting and vulnerability disclosure norms are overdue for modernization in an era of mass automation and open source reliance.
- Security vendors must step up transparency and take real architectural responsibility for the risks their products could create.
- Simple, enduring security controls offer robust defense and lower risk.
- Frequent theme: The gap between what should be the standard in cybersecurity (transparency, architectural safety, legal controls) and what is common practice.
For security professionals and industry watchers, this week’s episode offers a brisk blend of international enforcement news, practical insights about policymaking, and a strong advocacy message for vendor transparency.
