InfoSec News 02MAR2026

General

  • Brian Krebs is continuing his investigation into the Kimwolf botnet, this time looking at one of the administrators - "Dort". Lesson #1 - attacking Brian Krebs rarely ends well for the attacker.
In early January 2026, KrebsOnSecurity revealed how a security researcher disclosed a vulnerability that was used to build Kimwolf, the world’s largest and most disruptive botnet. Since then, the person in control of Kimwolf — who goes by the handle “Dort” — has coordinated a barrage of distributed denial-of-service (DDoS), doxing and email flooding attacks against the researcher and this author, and more recently caused a SWAT team to be sent to the researcher’s home. This post examines what is knowable about Dort based on public information.
...
Why is Dort so mad? ...By the time that story went live, most of the vulnerable proxy providers had been notified by Brundage and had fixed the weaknesses in their systems. That vulnerability remediation process massively slowed Kimwolf’s ability to spread, and within hours of the story’s publication Dort created a Discord server in my name that began publishing personal information about and violent threats against Brundage, Yours Truly, and others.
  • The administrator of the OnlyFake digital-ID image generation site has pleaded guilty in a US court, facing up to 15 years in jail. It was a pretty polished service for generating what appeared to be either a photo or a scan of the requested ID, with whatever details the requester wanted.
Yurii Nazarenko developed a website to produce more than 10,000 fake identification documents, earning hundreds of thousands of dollars from these illicit sales. This platform offered its clients a myriad of criminal opportunities, including bypassing traditional regulations to launder money.
...
OnlyFake customers could customize the type of Digital Fake ID they wanted, including whether the Digital Fake ID should appear to be a scan of a real identification document, or appear to be a photograph of a real identification document taken on a surface like a table.
...
NAZARENKO, 27, of Ukraine, pled guilty to one count of conspiring to commit fraud in connection with identification documents, authentication features, and information, which carries a maximum sentence of 15 years in prison. NAZARENKO also agreed to forfeit $1,200,000, representing the proceeds of OnlyFake’s activity.
When announcing the success of the operation, the agency released photos of a Ledger device, a popular hardware wallet for crypto storage and management.
However, the images also showed a handwritten note of the wallet recovery phrase, which serves as the master key that allows restoring the assets to another device.
...
Reportedly, shortly after the press release was published, 4 million Pre-Retogeum (PRTG) tokens, worth approximately $4.8 million at the time, were transferred out of the confiscated wallet to a new address.
“On-chain data (Etherscan) analysis shows that the attacker first deposited a small amount of Ethereum (ETH) into the wallet to pay transaction fees (gas fees), and then meticulously transferred the 4 million PRTG tokens to their own wallet in three separate transactions,
Unlike familiar TLDs like .com and .net, that are used for domains that host web content, the .arpa TLD has a special role in the domain name system (DNS): it’s primarily used to map IP addresses to domains, providing reverse records. Threat actors have discovered a feature in the DNS record management control of certain providers, which allows them to add IP address records for .arpa domains.
...
Because .arpa is a critical TLD for the operation of the internet, these domain names are unlikely to be blocked.
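
The .arpa abuse above is a detection problem for resolver and DNS-log owners: legitimate traffic under .arpa is reverse-lookup traffic (PTR, plus the delegation and DNSSEC types), so forward A/AAAA lookups of .arpa names stand out. The following is an added example, not code from the article; it assumes a BIND-style query log format and uses constructed log lines.

```python
import re

# Constructed sample lines in a BIND-like query-log format (assumption, not from the article).
SAMPLE_LOG = """\
client 10.0.0.5#53211: query: 5.0.0.10.in-addr.arpa IN PTR +
client 10.0.0.7#41202: query: update.example-cdn.com IN A +
client 10.0.0.9#50122: query: 44.33.22.11.in-addr.arpa IN A +
client 10.0.0.9#50123: query: 1.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa IN AAAA +
client 10.0.0.3#60001: query: 10.in-addr.arpa IN NS +
"""

LINE_RE = re.compile(
    r"client (?P<client>[0-9a-f.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Record types normally seen under .arpa: reverse mappings, delegation, DNSSEC, RFC 2317 CNAMEs,
# and NAPTR for e164.arpa. Address records (A/AAAA) are the anomaly the article describes.
EXPECTED_ARPA_TYPES = {"PTR", "NS", "SOA", "CNAME", "NAPTR", "DS", "DNSKEY", "RRSIG", "NSEC", "NSEC3"}


def parse_line(line: str):
    """Extract client, query name and type; return None for lines that are not queries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "qname": m["qname"].rstrip(".").lower(), "qtype": m["qtype"]}


def is_arpa_name(qname: str) -> bool:
    return qname == "arpa" or qname.endswith(".arpa")


def is_suspicious_arpa_query(rec: dict) -> bool:
    """Flag forward (address) lookups of .arpa names; other unexpected types are also flagged."""
    if not is_arpa_name(rec["qname"]):
        return False
    return rec["qtype"] in {"A", "AAAA"} or rec["qtype"] not in EXPECTED_ARPA_TYPES


def find_suspicious(log_text: str) -> list:
    """Run the rule over every line and return the matching query records."""
    records = (parse_line(line) for line in log_text.splitlines())
    return [r for r in records if r and is_suspicious_arpa_query(r)]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['client']} looked up {hit['qtype']} for {hit['qname']}")
```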
Instagram will start notifying parents if their teen repeatedly tries to search for terms related to suicide or self-harm within a short period of time.
These alerts are designed to give parents the information they need to support their teen and come with expert resources to help parents approach these sensitive conversations.
Meta is also building similar parental notifications for teens’ conversations with AI, to come later this year.
...
The alerts will be sent to parents via email, text, or WhatsApp, depending on the contact information available, as well as through an in-app notification.

Getting Techy

Every standard font that includes Cyrillic reuses the Latin glyph outlines. This is a deliberate font design decision, not a rendering quirk. No visual inspection can distinguish them.
The practical implication: a string like “аpple.com” with Cyrillic а (U+0430) is pixel-identical to “apple.com” in 40+ fonts. The user, the browser’s address bar, and any visual review process all see the same pixels. This is not theoretical. It is a measured property of the font files shipping on every Mac.
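
Since pixels cannot tell the scripts apart, the check has to happen on the code points and on the punycode form that actually goes to the resolver. The following is an added example, not from the article: it decodes any xn-- labels, flags labels that mix scripts and labels made entirely of Latin-lookalike Cyrillic letters (a constructed, non-exhaustive subset, not the full Unicode confusables table), and shows the ASCII form the wire sees.

```python
import unicodedata

# Cyrillic letters whose glyphs coincide with Latin ones in common fonts.
# Constructed illustrative subset; a real check should use the Unicode confusables data.
LOOKALIKE_CYRILLIC = set("\u0430\u0435\u043e\u0440\u0441\u0443\u0445\u04cf\u0456\u0458\u051b\u051d")


def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so the name is inspected as a user would see it."""
    labels = domain.split(".")
    return ".".join(
        l.encode("ascii").decode("idna") if l.startswith("xn--") else l for l in labels
    )


def to_ascii(domain: str) -> str:
    """IDNA/punycode form: what the browser actually sends to the resolver."""
    return domain.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Scripts present in a label, taken from the first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def analyze(domain: str) -> dict:
    """Return the visible and wire forms of a domain plus any homoglyph findings."""
    visible = to_unicode(domain.lower())
    findings = []
    for label in visible.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {sorted(scripts)}")
        letters = [ch for ch in label if ch.isalpha()]
        if letters and all(ch in LOOKALIKE_CYRILLIC for ch in letters):
            findings.append(f"{label}: every letter is a Latin-lookalike Cyrillic glyph")
    return {"unicode": visible, "ascii": to_ascii(visible), "findings": findings}


if __name__ == "__main__":
    # The article's example: Latin "apple.com" versus a copy with Cyrillic a (U+0430).
    for name in ["apple.com", "\u0430pple.com", to_ascii("\u0430\u0440\u0440\u04cf\u0435.com")]:
        print(analyze(name))
```

The ASCII form is the useful review artefact: a name that looks like apple.com but serialises to an xn-- label is the signal a reviewer or proxy can act on.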

Geo-Politics

  • [EU] The teen social-media ban could spread to all of the EU, under a new "opinion proposing that youth under 16 not be allowed to access social media platforms without parental consent. The opinion also states that social media access should not be allowed for children below age 13 under any circumstances."
    That's not all - the "Draft Compromise Amendments" discuss quite a few items, including privacy, generative AI threats, disinformation, and the mental health of minors.
In November, the European Parliament passed a resolution calling on the EU to set threshold ages under which children cannot access social media.
...
The text of the opinion proposes that a ban be included in a future law known as the Digital Fairness Act and argues that practices like targeted advertising, influencer promotions, addictive design features and virtual currencies in video games be covered by the new legislation.
The current blackout is not an isolated panic reaction but a stress test for a long-term strategy, say advocacy groups—a two-tiered or “class-based” internet known as Internet-e-Tabaqati.
...
In July 2025, the council passed a regulation formally institutionalizing a two-tiered hierarchy. Under this system, access to the global internet is no longer a default for citizens, but instead a privilege granted based on loyalty and professional necessity. The implementation includes such things as “white SIM cards”: special mobile lines issued to government officials, security forces, and approved journalists that bypass the state’s filtering apparatus entirely.
...
The regime’s goal is to make the cost of a general shutdown manageable by ensuring that the state and its loyalists remain connected while plunging the public into darkness. (In the latest shutdown, for instance, white SIM holders regained connectivity earlier than the general population.)
U.S. prosecutors accused a decorated former U.S. Air Force officer of conspiring with a convicted Chinese hacker on a scheme to provide detailed training to Chinese military pilots.
...
According to prosecutors, Brown worked with Bin to hammer out his deal and was open about his desire to train Chinese pilots in combat aircraft operations. Brown eventually traveled to China in December 2023 and met with PRC officials to explain his extensive resume.
...
Brown had his first court appearance on Thursday. Roman Rozhavsky, Assistant Director of the FBI’s Counterintelligence and Espionage Division, claimed Brown “betrayed his country by training Chinese pilots to fight against those he swore to protect.”
Gottumukkala struggled to lead the agency during his tenure as acting director and caused security headaches, including the uploading of sensitive government documents to ChatGPT, according to reports. Staffing at the agency was slashed by one-third. Gottumukkala also reportedly failed a counterintelligence polygraph he took in order to view classified documents, and suspended several career officials in response, including the agency’s then-chief security officer.
...
The agency still hasn’t had a permanent Senate-confirmed director since Trump returned to office.
...
Nextgov reported Thursday that CISA lost another top senior official, Bob Costello, the agency’s chief information officer tasked with overseeing the agency’s IT systems and data policies.

Privacy

  • A new attack against pseudonymity - LLMs can cross-reference data to identify likely real-world users.
We show that large language models can be used to perform at-scale deanonymization. With full Internet access, our agent can re-identify Hacker News users and Anthropic Interviewer participants at high precision, given pseudonymous online profiles and conversations alone, matching what would take hours for a dedicated human investigator.
...
In each setting, LLM-based methods substantially outperform classical baselines, achieving up to 68% recall at 90% precision compared to near 0% for the best non-LLM method. Our results show that the practical obscurity protecting pseudonymous users online no longer holds and that threat models for online privacy need to be reconsidered.
As part of the agreement, Samsung must halt any collection or processing of ACR viewing data without obtaining Texas consumers’ express consent.
Additionally, it compels Samsung to promptly update its smart TVs and implement disclosures and consent screens that are clear and conspicuous to ensure that Texans can make an informed decision regarding whether their data is collected and how it’s used.
The app, called Nearby Glasses, has one sole purpose: Look for smart glasses nearby and warn you.
This app notifies you when smart glasses are nearby. It uses company identifiers in the Bluetooth data sent out by these.
...
Why?
Because I consider smart glasses an intolerable intrusion, consent-neglecting, horrible piece of tech that is already used for making various and tons of equally truly disgusting 'content'.
Some smart glasses feature a small LED signifying a recording is going on. But this is easily disabled, whilst manufacturers claim to prevent that and take no responsibility at all (tech tends to do that for decades now).
Smart glasses have been used for instant facial recognition before and reportedly will be out of the box. This puts a lot of people in danger.
Amazon is telling people who use its wishlists feature to switch to post office boxes or non-residential delivery addresses if they want to ensure their home addresses remain private, as part of a change in how it processes gifts bought from third-party sellers.
...
In an email sent to list holders, Amazon said beginning March 25, it will reveal users’ shipping addresses to third-party sellers. The platform added that gift purchasers might end up seeing your address as part of this process, too.

AI

  • Shouldn't need to be said... don't use LLM-generated passwords. The outputs from multiple runs are telling - not a lot of entropy there. Could be an interesting way to fingerprint the LLM though. "G7$k..." = Claude Opus, "vQ7!..." = GPT, "kP9!..." = Gemini.
At the heart of any strong password generator is a cryptographically-secure pseudorandom number generator (CSPRNG), responsible for generating the password characters in such a way that they are very hard to predict, and are drawn from a uniform probability distribution over all possible characters.
Conversely, the LLM output token sampling process is designed to do exactly the opposite. Basically, all LLMs do is iteratively predict the next token; the random generation of tokens is, by definition, predictable (with the token probabilities decided by the LLM), and the probability distribution over all possible tokens is very far from uniform.
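
To make the contrast concrete, here is an added example (not from the article) of what a password generator built on a CSPRNG looks like, the entropy it gives, and a simple prefix-reuse measure that turns the "same first characters on every run" observation above into a number. The LLM-like sample list is constructed to imitate that observation and is not real model output.

```python
import math
import secrets
import string
from collections import Counter

# 94 printable ASCII symbols; every position is drawn uniformly from this set.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Each character is an independent, uniform draw from the OS CSPRNG (secrets module).
    secrets.choice avoids modulo bias, so no symbol is favoured over another."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly generated password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def prefix_reuse(samples: list, k: int = 3) -> float:
    """Fraction of samples that share the most common k-character prefix.
    For a uniform generator this stays near 1/len(samples); a value near 1.0 means the
    source keeps emitting the same opening characters, i.e. it is predictable and
    fingerprintable, which is the behaviour the post describes."""
    counts = Counter(s[:k] for s in samples)
    return max(counts.values()) / len(samples)


# Constructed samples imitating repeated prefixes across runs; not real LLM output.
LLM_LIKE = ["G7$kLm2pQ9xRbT4w", "G7$kWn8vT3yHcL1e", "G7$kBq5zJ1sDmP6r", "G7$kFe4cN6mUzX2a"]


if __name__ == "__main__":
    csprng = [generate_password() for _ in range(50)]
    print(f"entropy per 16-char password: {entropy_bits(16):.1f} bits")
    print(f"prefix reuse, CSPRNG:   {prefix_reuse(csprng):.2f}")
    print(f"prefix reuse, LLM-like: {prefix_reuse(LLM_LIKE):.2f}")
```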
