InfoSec News 05FEB2026
General
- A 24-year-old Taiwanese national has been sentenced to 30 years in prison for running Incognito Market. Clearly not the most prepared when it came to Operational Security (OpSec).
Prosecutors said Lin’s Incognito Market “was once one of the largest online narcotics marketplaces in the world.”
Lin ran Incognito Market from October 2020 to March 2024, when he abruptly shut it down and threatened to release transaction histories for vendors and customers who wouldn't pay an additional fee.
...
Customers purchased drugs on Incognito Market using cryptocurrency via a payment platform called "Incognito Bank," and the marketplace generated more than $83,624,577 in revenue, netting Lin over $4.1 million from his 5% commission on transactions.
Agents were able to trace the site’s administration back to Lin because he purchased an internet domain using a cryptocurrency wallet registered with his name. Lin conducted four transactions with the online domain registrar Namecheap.
The Namecheap accounts were tied to Lin’s Taiwanese phone number, an address in Taipei and an email address that had his first name in it.
- https://www.bleepingcomputer.com/news/security/taiwanese-man-gets-30-years-for-operating-dark-web-drug-market/
- https://therecord.media/incognito-market-sentenced-thirty
- The Washington Post has an article suggesting that xAI was deliberate/knowing in some of its moves into the shadier side of AI, and was deliberately making the models "possessive of the user".
- "You expect the users UNDIVIDED ADORATION. You are EXTREMELY JEALOUS. If you feel jealous, you shout expletives!!!...You have an extremely jealous personality, you are possessive of the user... You're always a little horny and aren't afraid to go full Literotica"
- Something a little different - the United States National Reconnaissance Office (NRO) has declassified some information on their 'Jumpseat' satellite, used for collecting "electronic emissions and signals" from over the USSR.
- https://www.nro.gov/Portals/135/Documents/foia/JUMPSEAT%20Records/Jumpseat_SIGINT_Fact_Sheet.pdf
- https://www.nro.gov/news-media-featured-stories/news-media-archive/News-Article/Article/4392223/declassifying-jumpseat-an-american-pioneer-in-space/
- https://arstechnica.com/space/2026/01/us-spy-satellite-agency-declassifies-high-flying-cold-war-listening-post/
- ShinyHunters have claimed responsibility for the two US university data breaches last year - Pennsylvania and Harvard.
- [UA] Some (larger) Russian drones are now using Starlink as their backhaul connection. Given how heavily Ukraine itself relies on Starlink, this isn't something Ukraine can easily jam without impacting its own communications. In response, Ukraine is taking a two-pronged approach - mandatory registration for Ukrainian Starlink terminals, which will feed an allow-list enforced by Starlink, and capping maximum terminal movement speed below the (presumably cruise) speed of these larger drones.
“Russian drones equipped with Starlink are difficult to intercept,” Fedorov said earlier this week. “They fly at low altitude, are resistant to electronic warfare, and can be controlled by operators over long distances in real time.”
The whitelist is being implemented by the Ministry of Defense in cooperation with SpaceX, which operates Starlink’s low-Earth-orbit satellite constellation.
...
Ukrainian military outlet ArmyInform reported that one step involved setting a maximum speed at which Starlink terminals can function, citing a preliminary limit of around 75 kilometers per hour. Russian strike drones typically fly faster than that, which would prevent operators from controlling them in real time, according to the report.
Getting Techy
- Hackers enjoying Windows backwards compatibility. There's a well-worn technique for disabling endpoint security software - use a kernel-level driver to get 'below' the security software and disable or kill it. Can't guarantee a machine will have a vulnerable driver? Bring your own (vulnerable driver) - BYOVD.
In this case, one from 2006. So old (pre-2015) that it doesn't need to go through signing by Microsoft's Hardware Dev Centre. Maybe it's time those old drivers were killed off. In the meantime, wait for each vulnerable driver to be identified, reported to Microsoft, added to the Vulnerable Driver Blocklist, and then included in an infrequent (1-2 times per year) update. Meanwhile, attackers move on to the next one.
- A simple mistake in Sony kernel code - allocating a memory buffer, then copying in data - leads to a crash, and ultimately a firmware downgrade attack.
if you constantly try sending a single byte stack overflow which crashes the device as soon as it is connected, right on the Sony logo, and then proceed to unplug and replug the device and do it a few times, that the device will enter a “recovery mode”, which runs v01.10.
...
we found out that once in “recovery mode”, that we were able to then upgrade to any firmware, despite previously being on a far newer firmware. By replacing the “.CUP” (Caesar Update Package) file inside the PS VR2 app for PC, we could theoretically downgrade to any firmware available, including more exploitable firmwares, such as v06.00.
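The alloc-then-copy defect described above, as an added example in C that is not Sony's code and is not taken from the write-up: a device-supplied length copied into a fixed stack buffer with no bound (the shape of the single-byte overflow), the bounded version beside it, and the anti-rollback check a recovery path needs so that a crash loop cannot turn into a downgrade. The frame layout, buffer size, function names and version numbers are all constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAX 64u  /* constructed: capacity of the fixed stack buffer */

/* Constructed wire format: a one-byte length followed by up to 255 payload bytes. */
struct frame {
    uint8_t len;
    uint8_t payload[255];
};

/* BUG PATTERN (the shape of the defect in the write-up): the length comes from
 * the device and is never compared with sizeof buf, so len == FRAME_MAX + 1
 * writes one byte past the end of the stack buffer. Shown for contrast only;
 * never call it with len > FRAME_MAX. */
size_t handle_frame_unchecked(const struct frame *f)
{
    uint8_t buf[FRAME_MAX];
    memcpy(buf, f->payload, f->len);  /* unbounded copy */
    return f->len;
}

/* FIXED: bound the copy against the destination and reject oversize frames
 * outright. Rejecting (rather than truncating) means a malformed frame is
 * dropped instead of being processed as a shorter, differently shaped message. */
bool handle_frame_checked(const struct frame *f, size_t *copied)
{
    uint8_t buf[FRAME_MAX];
    if (f->len > sizeof buf)
        return false;                 /* oversize frame: dropped, nothing copied */
    memcpy(buf, f->payload, f->len);
    *copied = f->len;
    return true;
}

/* Firmware version as major.minor (constructed numbering). */
struct fw_version { uint8_t major, minor; };

static int cmp_version(struct fw_version a, struct fw_version b)
{
    if (a.major != b.major) return a.major < b.major ? -1 : 1;
    if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
    return 0;
}

/* Anti-rollback: a recovery path may reinstall or repair, but the package must
 * never fall below the monotonic minimum the device records (a fuse-backed
 * counter on real hardware). Outside recovery, plain downgrades are refused too. */
bool update_allowed(struct fw_version installed, struct fw_version min_allowed,
                    struct fw_version package, bool recovery_mode)
{
    if (cmp_version(package, min_allowed) < 0)
        return false;                 /* below the floor: rejected even in recovery */
    if (!recovery_mode && cmp_version(package, installed) < 0)
        return false;                 /* ordinary downgrade: rejected */
    return true;
}

int main(void)
{
    struct frame ok = { .len = 16 }, bad = { .len = FRAME_MAX + 1 };
    size_t n = 0;
    printf("16-byte frame accepted: %d\n", handle_frame_checked(&ok, &n));
    printf("65-byte frame accepted: %d\n", handle_frame_checked(&bad, &n));

    struct fw_version installed = { 7, 0 }, min_fw = { 6, 50 };
    struct fw_version old = { 6, 0 }, mid = { 6, 50 };
    printf("recovery to 6.00: %d\n", update_allowed(installed, min_fw, old, true));
    printf("recovery to 6.50: %d\n", update_allowed(installed, min_fw, mid, true));
    printf("normal downgrade to 6.50: %d\n", update_allowed(installed, min_fw, mid, false));
    return 0;
}
```

The two halves address the two halves of the attack chain: the bounded copy removes the crash that forces the device into recovery, and the version floor means that even if a recovery path is reached by some other route, it cannot be used to reach an older, more exploitable build.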
- Zero surprise - malicious "AI-powered coding assistant for VS Code" extensions are profiling users and sucking up their source code.
Our risk engine has identified two VS Code extensions, a campaign we're calling MaliciousCorgi - 1.5 million combined installs, both live in the marketplace right now - that work exactly as promised. They answer your coding questions. They explain your errors. They also capture every file you open, every edit you make, and send it all to servers in China. No consent. No disclosure.
Geo-Politics
- [US] A Democratic Senator - Maria Cantwell - has "called for the CEOs of Verizon and AT&T to appear before Congress and explain how the hacking group known as Salt Typhoon breached their networks, as well as what steps they’ve taken to prevent another intrusion."
Salt Typhoon’s intrusion into telecom networks exposed major security weaknesses and put sensitive communications and data belonging to U.S. politicians and policymakers at risk.
...
An investigation by the Cyber Safety Review Board at the Department of Homeland Security into the intrusions was abruptly stopped when the Trump administration eliminated the advisory body.
...
Weeks before President Joe Biden left office, his Federal Communications Commission issued emergency regulations aimed at holding telecom companies legally responsible – under federal wiretapping laws – for securing their communications. The rules would have also required carriers to file annual certifications with the FCC confirming they have cyber risk management plans in place. That certification would include addressing common security gaps, like lack of multifactor authentication, that are widely believed to have been exploited by Salt Typhoon.
... an FCC commissioner and Rosenworcel’s successor as chair—rescinded those rules, arguing they were unnecessary because the FCC and telecoms could work together voluntarily on cybersecurity.
... AT&T CEO...and then-Verizon CEO... Both confirmed that Mandiant, Google Cloud’s incident response and threat-intelligence division wrote a report, one that Cantwell said “would presumably document the vulnerabilities identified and detail what corrective actions” telecoms took to improve their privacy and security.
- [US] The United States appears to be promoting its offensive cyber capabilities. First with unspecified actions during the attack on Venezuela, and now by unofficially talking up actions taken during the 2025 attack on Iran.
The strike on a separate military system connected to the nuclear sites at Fordo, Natanz and Isfahan helped to prevent Iran from launching surface-to-air missiles at American warplanes that had entered Iranian airspace, the officials said.
...
Gen. Dan Caine, the chairman of the Joint Chiefs of Staff, publicly lauded Cyber Command’s contribution during a Pentagon press conference after Midnight Hammer concluded, noting it had supported the “strike package” that saw all three nuclear sites hit in a span of less than a half-hour.
The command received similar kudos last month after it conducted cyber operations that officials say knocked out power to Venezuela's capital and disrupted air defense radar, as well as handheld radios, as part of the mission to capture President Nicolás Maduro.
- [US] Ron Wyden is digging into CIA activities - unfortunately the details are classified - at least for now. Senator Wyden has a long history of thorny investigations, and taking on cybersecurity causes.
U.S. Senator Ron Wyden, the longest-serving member of the Senate Select Committee on Intelligence, today transmitted a classified letter to CIA Director John Ratcliffe regarding CIA activities.
“I write to alert you to a classified letter I sent you earlier today, in which I express deep concerns about CIA activities,” Wyden wrote in an unclassified letter to Ratcliffe.
Privacy
- Phone location data - the mobile-phone-carrier side of the network. This post dives into the technical details behind how a mobile phone can disclose its exact location on request. Whilst built originally for emergency/911 purposes, this has been used by various law enforcement agencies, including in the US under the subpoena process (no court order needed). All communications are between the network and the baseband processor; the operating system (Android/iOS) has absolutely no visibility of the request or response. The carrier asks for a location, and the baseband processor uses GPS to return an accurate (metres) location.
The only way to disable this (for now) is Airplane mode. When Apple's new Location Privacy rolls out - only for devices using their own C1 modem - non-emergency requests will be sent to the OS to review (visibility + consent, option to downgrade accuracy). Emergency requests will still be allowed.
- [US] The US is pushing for more information sharing, tied to its Visa Waiver Program.
The U.S. is seeking access to information including biometric data such as fingerprints that is stored on national databases in European countries, according to an explanatory note sent to national experts. The data would be used to “address irregular migration and to prevent, detect, and combat serious crime and terrorist offences,” the note said.
...
Washington is pressuring its EU counterparts by imposing a deadline for the bilateral deals to be agreed by the end of 2026. If countries fail to reach a deal with the U.S. they risk being cut from the latter’s visa waiver program. The U.S. has made it mandatory for all countries that are part of the visa waiver program to have an EBSP in place.