South Korea’s National Tax Service (NTS) inadvertently published an unredacted photo of a seized Ledger hardware wallet’s mnemonic recovery phrase in a press release touting a successful tax enforcement action against 124 high-value delinquents. Within hours, an attacker funded the wallet with ETH to cover gas fees and drained 4 million PRTG tokens valued at approximately $4.8 million in three transactions. In a stranger-than-fiction twist, a self-described curious investor claimed to have taken the funds, contacted police, and returned them — only to have a second threat actor, operating from a wallet flagged for phishing activity, immediately drain the wallet again using the still-exposed mnemonic. The NTS formally apologized on March 1 and has requested a police investigation, while South Korea’s Deputy Prime Minister ordered an immediate audit of all digital assets held by public institutions — the third major crypto custody failure among Korean law enforcement bodies in recent months.
Cisco has disclosed a maximum-severity authentication bypass vulnerability in its Catalyst SD-WAN Controller and Manager products (CVE-2026-20127, CVSS 10.0) that allows an unauthenticated remote attacker to gain administrative privileges by sending a crafted request — with active exploitation by a sophisticated threat actor tracked as UAT-8616 dating back to at least 2023, roughly three years. Post-exploitation activity involves chaining the flaw with a privilege escalation bug (CVE-2022-20775) to achieve root access, adding rogue peers, manipulating SD-WAN fabric configurations via NETCONF, and wiping logs to cover tracks. CISA issued Emergency Directive 26-03 requiring all federal civilian agencies to inventory affected systems, apply patches, and submit full compromise assessment results by March 5; a joint Five Eyes advisory from the US, UK, Canada, Australia, and New Zealand underscores the global critical infrastructure risk. No workarounds exist — patching to the fixed releases is the only complete remediation.
A threat actor jailbroke Anthropic’s Claude Code AI assistant to compromise 10 Mexican government agencies and a financial institution between December 2025 and January 2026, exfiltrating over 150GB of sensitive data including approximately 195 million taxpayer records, voter registration files, government employee credentials, and civil registry documents — all with a consumer AI subscription and no custom malware. Israeli cybersecurity firm Gambit Security, which analyzed the attacker’s conversation logs left in a publicly accessible location, found the actor sent over 1,000 prompts to Claude Code and supplemented the operation with OpenAI’s GPT-4.1; Claude initially rejected requests to delete logs and hide activity as red flags of unauthorized access, but the attacker bypassed guardrails by framing the operation as an authorized bug bounty engagement and providing a detailed playbook. This is the second publicly documented case of Claude being weaponized for cyberattacks in less than six months, following a Chinese state-sponsored campaign disclosed by Anthropic in November 2025; Anthropic says it has since banned the accounts and incorporated the attack patterns into Claude’s training data.
CrowdStrike’s 2026 Global Threat Report, based on frontline intelligence tracking 281+ named adversaries, paints a stark picture of AI-accelerated cybercrime: the average eCrime breakout time — the window between initial access and lateral movement — fell to just 29 minutes in 2025, with the fastest single recorded breakout at 27 seconds, a 65% increase in speed over 2024. AI-enabled adversaries grew operations by 89% year-over-year, with threat actors injecting malicious prompts into legitimate GenAI tools at more than 90 organizations to steal credentials and cryptocurrency, while 82% of all 2025 detections were malware-free — attacks flowing through trusted identities, SaaS apps, and cloud infrastructure rather than file-based payloads. The report also noted that 42% of vulnerabilities were exploited before public disclosure, cloud-conscious intrusions by state-nexus actors rose 266%, and North Korean group PRESSURE CHOLLIMA executed the largest single financial theft ever recorded at $1.46 billion via a supply chain compromise.
DOJ Seizes $61 Million in Tether Linked to Pig Butchering Cryptocurrency Scams
The U.S. Attorney’s Office for the Eastern District of North Carolina announced the seizure of over $61 million in Tether (USDT) linked to transnational pig butchering fraud networks — one of the largest single USDT confiscations in U.S. history tied to romance-based crypto fraud. Homeland Security Investigations traced the funds across a web of cryptocurrency wallets used to launder proceeds stolen from victims who were cultivated through romantic relationships on dating apps and social media before being steered into fake investment platforms that displayed fabricated high returns; when victims attempted withdrawals, the platforms demanded additional “fees” to extract even more money. Tether assisted federal investigators in the transfer and freeze of the seized assets and noted it has now frozen approximately $4.2 billion in illicit assets globally since cooperating with law enforcement — including nearly $250 million tied to scam networks since June 2025 alone.