Smashing Security podcast #458: How not to steal $46 million from the US government

Hacking stories and cybersecurity insights.

Graham Cluley

A Wikipedia security engineer accidentally wakes a dormant JavaScript worm that hadn’t stirred since 2024 – and within minutes, giant woodpecker images are plastered across the internet’s favourite encyclopaedia.

Meanwhile, a crypto contractor hired to help the US Marshals manage seized digital assets allegedly decides to help himself to $46 million of it – and then brags about it on a recorded Telegram call.

Plus: Graham champions Asterix, Tricia discovers the fantasy novels of Robin Hobb, and someone called “Lick” ends up in the nick.

All this, and much more, in episode 458 of the “Smashing Security” podcast with cybersecurity veteran and keynote speaker Graham Cluley, and special guest Tricia Howard.

Transcript

This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
GRAHAM CLULEY
I can't believe you've never heard of Asterix.
TRICIA HOWARD
I'm sorry, I'm sorry, I was born way after you.
GRAHAM CLULEY
All right, all right, blimey.
TRICIA HOWARD
Just kidding.
Unknown
Smashing Security, episode 458: How Not to Steal $46 Million from the US Government, with Graham Cluley and special guest Tricia Howard. Hello, hello.

Hello and welcome to Smashing Security episode 458. My name's Graham Cluley.
TRICIA HOWARD
And I'm Tricia Howard.
GRAHAM CLULEY
Tricia, welcome back to Smashing Security. Lovely as always to have you here. What's been keeping you busy?
TRICIA HOWARD
Well, I am currently at a company in stealth mode that will not be in stealth mode much longer. And so that's been consuming most of my time.
GRAHAM CLULEY
Ah, getting ready for the big launch, eh?
TRICIA HOWARD
Oh yeah. Oh yeah.
GRAHAM CLULEY
That must be consuming hours and hours of your life every week.
TRICIA HOWARD
It is. It is. I think it's important though to find time to have downtime.

And so when I do have, you know, minutes, so to speak, of that, I have been enjoying very much playing GTA 5 with my partner, starting from the beginning and going through the whole story.
GRAHAM CLULEY
Ah, Grand Theft Auto by Rockstar Games. Now, I've never played it. I'm not very good at these 3D games. I mean, I'm not very good at driving in real life.

And there is a fair amount of driving involved in that game. But I have to say, they are extraordinarily immersive games, aren't they?
TRICIA HOWARD
Oh my gosh, yes. They're full-blown worlds. I mean, when they say open world, they really mean it. It feels like you're in LA when you're watching it. It's astounding.
GRAHAM CLULEY
No wonder they spend years making these games.
TRICIA HOWARD
Oh yeah.
GRAHAM CLULEY
A game which is in a very similar vein from the same people, you can see that it's modelled on the same kind of principles, I think, is Red Dead Redemption, set in the Wild West, which I thought was an extraordinary game.
TRICIA HOWARD
Truly unbelievable. I mean, from an actor's perspective, the production value, the acting value, I mean, it rivals Hollywood. We have come a long way from Nintendo 64.

Let me just say that.
GRAHAM CLULEY
Hey, I used to play 3D Monster Maze on my ZX81. So, I mean, we come even further than that.
TRICIA HOWARD
Amazing.
GRAHAM CLULEY
Well, before we kick off, let's thank this week's wonderful sponsors, Meta, ThreatLocker, and Vanta. We'll be hearing more about them later on in the show.

This week on Smashing Security, we won't be talking about how Leakbase, a cybercrime forum with over 100,000 members, has been seized by law enforcement.

You'll hear no discussion of how Ericsson is blaming a leak of more than 15,000 people's details on a service provider that was sweet-talked via the telephone.

And we won't even mention how hackers bypassed multifactor authentication with a $120 phishing kit until multinational law enforcement shut them down.

So Tricia, what are you going to be talking about this week?
TRICIA HOWARD
I'm going to be talking about when an attacker allegedly, wink wink, stole $46 million from the government and then trolled the investigator on Telegram.
GRAHAM CLULEY
And I'm going to be telling you how Woody Woodpecker tried to wipe out Wikipedia.
TRICIA HOWARD
Sorry, I'm giggling here. What a mouthful. Woody the Woodpecker Wikipedia.
GRAHAM CLULEY
All this and much more coming up in this episode of Smashing Security. Okay, well, we've just got a bit of time now to talk about one of today's sponsors, ThreatLocker.

Now, most cyberattacks don't start with sophisticated malware. They start with a misconfigured setting, a drifted policy, or an exposed endpoint that nobody noticed.

And when you've got hundreds of endpoints, keeping track of all that manually is basically impossible.
GRAHAM CLULEY
That's why ThreatLocker built DAC, Defense Against Configurations. It gives you a real-time view of configuration weaknesses across your entire environment.
Unknown
Every day, DAC runs deep checks on every endpoint.

They scan operating system settings, application settings, and your ThreatLocker policies like allowlisting, ring-fencing, and more.
GRAHAM CLULEY
And this is all on one dashboard showing everything that's misconfigured, and it categorizes it with clear steps on how to fix it before attackers find the problems first.
Unknown
You can even verify alignment with frameworks like CIS, NIST, HIPAA, and ISO 27001.
GRAHAM CLULEY
So don't wait for a misconfiguration to become a breach. Try D.A.C. free for 30 days at threatlocker.com.
Unknown
That's threatlocker.com. And thanks to ThreatLocker for supporting the podcast.
GRAHAM CLULEY
Look, we all love Wikipedia, don't we? Wikipedia's amazing. It's where you go to settle arguments, to do your research at 11 PM.

You know, often I'll be thinking, oh, is Alan Alda dead or is he still alive? I'm not sure. You know, and you'll go to Wikipedia to find out.

Or if you're unsure how old somebody is, you'll go there instantly.

And it's also, let's be honest, a place where a significant percentage of students have been plagiarising their essays about, oh, I don't know, all kinds of crazy topics like the South Sea Bubble for the past two decades.

So it's an incredible resource, I kind of like Wikipedia. I know we can't completely trust it, but I kind of like Wikipedia.
TRICIA HOWARD
It's gotten so much better. I mean, I remember back in college it was banned as a source because of that. But it's come a long way.
GRAHAM CLULEY
Yeah. It's the world's largest encyclopedia. It's maintained by an army of very passionate, fervent volunteers.

They happily spend hours arguing about the correct capitalisation of a fictional spacecraft in some sci-fi TV series.

It is a genuine marvel of the internet age and something which we should be grateful for because it's not monetized. You don't get ads on it. It is purely supported by donations.

So it was with some alarm that on the 5th of March this year, projects at Wikimedia— that's the foundation which operates Wikipedia— some of their projects started misbehaving a little.

So pages were being vandalised and deleted. And when they got messed around with, there'd be a final Russian edit summary.

So someone left a little bit of a summary as to why has this edit occurred? Well, here it is in Russian. It translated rather ominously to closing the project.

And at the same time, enormous, and I do mean enormous, I'm talking 5,000 pixels wide, which is probably wider than every screen here.

5,000-pixel-wide images of woodpeckers were being embedded across random articles on Wikipedia.
TRICIA HOWARD
Oh man, I shouldn't laugh, but oh my gosh.
GRAHAM CLULEY
That noise you just made, that sounded a little bit like Woody Woodpecker. Him and Scrappy-Doo are just things which should have been strangled at birth, in my opinion.

You know, you have good cartoon characters like Danger Mouse and Bugs Bunny and Daffy Duck, and then you have the rubbish ones. Mickey Mouse and there goes the Disney sponsorship.

Foghorn Leghorn. I liked him, you know.
TRICIA HOWARD
Oh man.
GRAHAM CLULEY
Yeah. Anyway, so you might be wondering who managed to unleash a self-replicating JavaScript worm across the Wikipedia universe. You might be wondering. Was it a shadowy hacking gang?

Was it a rogue insider? Was it a disgruntled editor with a grudge against Woody Woodpecker? But no, the person who triggered the worm outbreak was a Wikimedia security engineer.
Unknown
Oh no.
GRAHAM CLULEY
I'm afraid so. And the reason it happened, it pains me to say, was surprisingly straightforward. So this engineer was apparently reviewing user-written scripts on the platform.

So if you are one of these administrators, one of these people who's really, really keen on Wikipedia, you can create yourself an account for editing pages.

And you can also, if you don't like the standard editor which is built into Wikipedia, you can have a little user script to set it up exactly as you want it, right?

Which makes sense. So you can upload a script to it.

And what it seems happened is that while this Wikimedia security engineer was reviewing some of the user-written scripts on the platform, they accidentally executed a piece of dormant malicious code that had been sitting silently on a user's test page since 2024.
TRICIA HOWARD
Oh boy.
GRAHAM CLULEY
Yeah, not good at all. It's the equivalent of you come across a dusty box or something which is labelled, "Definitely not a snake in here," right?
TRICIA HOWARD
Definitely not a woodpecker in here.
GRAHAM CLULEY
Definitely not a woodpecker pecking away. Definitely not that. And when you open it up, surprise, surprise, there it is.

And so this script in question had been sitting there under the username. Now I'm going to probably make a little mistake here. Ololoshka562 was a user on Russian Wikipedia.

So it's just sat there, a coiled spring in a dusty old filing cabinet no one had opened in years. They open it up. And it sprang out.

And what made it much worse is that the account that it was executed under was a staff account, a highly privileged Wikimedia Foundation staff account, which had low-level editing access.

So someone with permissions to edit the global JavaScript that runs across all Wikimedia projects on every page for every single user.
TRICIA HOWARD
You can't see my face right now, but my jaw's on the floor. Yikes.
GRAHAM CLULEY
Yikes. Not good at all. So Wikimedia's own post-incident statement, it was, I think the best you can say is, diplomatically vague.

I mean, there's been a lot of diplomatic vagueness in the world in recent weeks, but this was also diplomatically vague about the exact sequence of events.

So they said staff had been conducting a security review of user-authored code and had inadvertently activated this dormant code.

And I think the inadvertently is doing a lot of the heavy lifting there. We don't know precisely what happened, whether it was a slip up or a misclick.

You know, it's they thought they were clicking on one thing and they opened another. We don't know what it was, but the result was significant because the script woke up.

It was activated, immediately got to work. It injected itself into the common.js file on MediaWiki.

That is the global JavaScript file that runs in the browser of every logged-in user across the entire Wikimedia ecosystem, including Wikimedia Commons, including Wiktionary, which is a dictionary for witches, I believe, including Wikidata, all of them.

In other words, this worm didn't just vandalize pages. It managed to plant code in the one place that could potentially execute in every editor's browser across the platform.

What could possibly go wrong with that, Tricia?
TRICIA HOWARD
No idea at all. I mean, I guess if you're gonna do it, do it big, right?

You know, it's astounding too, because this is an unfortunate reality that we deal with in security a lot, is that so, so many things are actually just caused by accidents.

We love to talk about, you know, the big scary stuff, and we should be, of course, they're interesting stories if nothing else.

But the truth of the matter is, this is the reality of security people every day.

They're dealing with somebody who accidentally clicks on something and sends Woody the Woodpecker across the Wikipedia.
GRAHAM CLULEY
And just to be thorough, it also embedded a copy of itself into the individual script files of about 85 other users.

So it's a backup, if you like, in case someone found and cleaned up the global file.
TRICIA HOWARD
It's a real belts and braces kind of approach, you know. What a little overachiever.
GRAHAM CLULEY
Yeah, right. But I'll infect these other people, 'cause maybe one day someone else will blunder into those and activate the code there, and off we go again.

So thousands of pages were vandalized. They were plastered with that 5,000-pixel-wide woodpecker image and hidden script tags, spreading itself to other users.

It also tried to phone home to a remote Russian web server, danger, danger, presumably to try and fetch further instructions.

Now, I don't know if that domain was live or defunct or simply abandoned by whoever created it.

Thankfully, it looks like the callback didn't appear to cause any additional harm, but in theory, that could have grabbed more malicious code or instructions, which could have caused an even bigger problem.

You can imagine how something like this could have become a much, much bigger threat, maybe stealing data from users as well, or maybe trying to run something else malicious on their actual computers.
TRICIA HOWARD
Well, and honestly, the fact that it was the woodpecker that they chose is also kind of a nice thing, 'cause it could have been much worse than that too.
GRAHAM CLULEY
Like Porky Pig, he's thinking.
TRICIA HOWARD
Yeah, correct. Yeah, you got it.
GRAHAM CLULEY
So we can be grateful for that. Now, this whole rampage lasted just 23 minutes. So again, some credit there to the guys at Wikimedia.
TRICIA HOWARD
Wow, that's quick.
GRAHAM CLULEY
Yeah, their engineers realised what was happening. They locked down everything into read-only mode. They realised, whoa, whoa, whoa, something bad's happening. Pulled a big red lever.

Suddenly everything is locked down. It then took them a couple of hours to investigate and contain the infection. They began scrubbing the code from thousands of files.

By the end of the day, all the affected pages had been restored and no personal data, as far as we know, has been breached in any way. So that's good.

So most of the visible vandalism, by the way, that landed on MetaWiki, which isn't the encyclopedia that you use every day online, but it's rather like the back office of Wikimedia.

It's where the volunteer community hangs out and debates policy and gets very pedantic with each other. Highly political, I expect.

Most members of the public have never heard of it, but potentially, you know, that injected JavaScript ran across the entire ecosystem, including Wikipedia itself.

So while your average reader looking up the history of the Roman Empire probably noticed nothing, any logged-in editor active during those 23 minutes was potentially exposed.

I'm trying to remember in the Terminator movies, don't they plug in the chip or give it autonomy and it only takes about 23 minutes or something to become self-aware and decide we don't need the humans anymore?

I can't remember what the actual figure is, but, you know, 23 minutes can sometimes in this day and age be long enough to cause an awful lot of damage.
TRICIA HOWARD
Oh yeah. I mean, 23 minutes in the tech world is an eternity, but 23 minutes in the world of AI is—
GRAHAM CLULEY
Right.
TRICIA HOWARD
Effectively an eon. Good on them for finding it that quick.
GRAHAM CLULEY
Yes.
TRICIA HOWARD
And being able to contain it in the way that they did. That's a really good point.

When we're dealing with something like that, it's not just the initial infection that you have to deal with.

It's the repercussions that come after it and the collateral damage, frankly, like these additional editors.
GRAHAM CLULEY
Yeah, it's a big problem. Now, I was wondering what the lessons that we can learn from this. An obvious one is the principle of least privilege, right? That exists for a reason.
TRICIA HOWARD
Right.
GRAHAM CLULEY
So even well-intentioned security teams can take actions on an overprivileged account that can have serious consequences.

So all of us need to be careful about how we are actually logged in, what rights we have.

If we don't need them for a particular thing that we are doing, then maybe you shouldn't be logged into them.

And certainly you probably shouldn't be clicking on other people's scripts if you're inside something which had that much power.

Also, if you're on a platform which has scripts or has user-generated content, maybe you need to audit it from time to time for dormant malicious scripts, because it turns out something can sit undetected for the better part of a couple of years before roaring back to life.

And maybe just use a test environment as well, where the damage can be limited as to what you can do. So there's good news. Everything's now been cleaned up, it seems.

Nothing was permanently lost. That's great. Wikimedia says it is working on further security mitigations as well.

So hopefully they'll be better protected against this kind of problem in the future.

Right, before we crack on any further, Joe and I want to take a moment to tell you about one of today's sponsors, Vanta.
Unknown
We've got a question for you. What's the thing that keeps you staring at the ceiling at 2 AM when it comes to your company's security?
GRAHAM CLULEY
Is it wondering whether you've actually got the right controls in place? Whether one of your suppliers has been quietly compromised?

Or is it the truly soul-destroying one: why on earth are we still running our entire security program out of a spreadsheet?
Unknown
If any of that hit a little too close to home, that's where Vanta comes in.

Vanta takes all that tedious manual security grind, chasing down evidence, wrestling with questionnaires, updating the same cells for the thousandth time, and automates the whole thing.
GRAHAM CLULEY
Their trust management platform keeps a continuous eye on your systems. It pulls everything into one central place and keeps your security program audit-ready around the clock.

Yes, it uses AI, but the genuinely useful kind, flagging risks, streamlining evidence collection, and slotting into the tools your team already relies on.

The upshot of this is you move faster, scale without the usual headaches, and maybe, just maybe, actually get a decent night's sleep.
Unknown
Sounds lush. Find out more and get started at vanta.com/smashing.
GRAHAM CLULEY
That's V-A-N-T-A.com/smashing. Vanta.com/smashing. And a big thank you to Vanta for supporting the show. Tricia, what's your story for us this week?
TRICIA HOWARD
All right. Well, I mean, it is in a similar vein of attack path, I guess.

So I'm going to start my story with a little bit of backstory, if for literally no other reason than to show off what I learned, because I apparently have no idea what the US Marshals do or who they are.
GRAHAM CLULEY
Okay.
TRICIA HOWARD
So when a crime gets busted, right? Something bad happens. They come in, they find all of the seized assets that were obtained through some type of illegal means.

This could be money, houses, cars, anything in GTA, actually. What a nice little callback that is.
GRAHAM CLULEY
Okay, so the US Marshals, they go in and they gather up the cash and the assets and—
TRICIA HOWARD
Not yet.
GRAHAM CLULEY
Oh, okay. All right.
TRICIA HOWARD
So the law enforcement people who bust it, they do the raid, they find all the stuff, then the marshals are responsible for managing that stuff.

Okay, so they are the go-between between the initial "we caught you" to "all right, we're going to put you in prison now and here's why," right?

So shocker, a big portion of these assets that they obtain are crypto. I mean, who knew that crypto was used for sketchy stuff?
GRAHAM CLULEY
What a surprise.
TRICIA HOWARD
I know. And when I say a lot, I mean a lot, lot, $3.4 billion lot.
GRAHAM CLULEY
Ooh.
TRICIA HOWARD
That was the last hard number that I saw.

It's probably different now, but that came directly from them that at one point they were managing $3.4 billion just in crypto assets alone that were obtained.

So with crypto, now I'm not part of the crypto scene, so this may be old news to everybody. It was news to me.

There's a lot of technical stuff in the backend that has to happen to make sure that these transitions between the illegal means to legal means happen above board, right?

So the US Marshals Service is shockingly not a crypto expert first and foremost.

So when they bust these things and get these assets, they will bring in third-party contractors who are experts in crypto. I'm sure you can see where this is going.
GRAHAM CLULEY
Oh, sounds reasonable enough.
TRICIA HOWARD
Now, that's fine. I mean, third parties are often your partners, but they can also be another example of insiders, right? It's an extended insider risk.

And that's all well and good until it gets stolen.
GRAHAM CLULEY
Oh.
TRICIA HOWARD
Now, I'm going to say this, Graham.

If Law & Order: SVU is to be used as a trusted source of how law enforcement works, and I'm very willing to believe that that's true, when they don't have a named perpetrator, they call them John or Jane Doe.

So I literally laughed almost out of my chair because the alleged perpetrator is literally named John D. Okay. So it was a John Degida. I'm not sure if I'm pronouncing that correctly.

He allegedly has stolen $46 million worth of crypto directly from wallets managed by the US Marshals.
GRAHAM CLULEY
And he's a guy who was brought in by the US Marshals to help them with the handling of this.
TRICIA HOWARD
Yeah. So his dad owns one of the firms that have an active contract with the US Marshals, and that is theoretically how he got in.

Now, there were some mixed reporting on this that John himself had an active contract.

Nothing that I saw actually implicated the father in this in any other way other than owning the company. But first off, John goes by Lick online. Gross. I need a shower.
GRAHAM CLULEY
Oh, that's his online handle, you mean?
TRICIA HOWARD
Yeah. Yeah.
GRAHAM CLULEY
Lick.
TRICIA HOWARD
John Lick.
GRAHAM CLULEY
Ooh.
TRICIA HOWARD
So he was recently arrested, actually this past week, as part of a dual operation between the FBI and France's version of the FBI, which I will not insult the French language at trying to pronounce.
GRAHAM CLULEY
So Lick is now in the nick.
TRICIA HOWARD
Oh boy. Yes, correct. Right.

While he was recently arrested, this actually all started back in January when a blockchain investigator who apparently got wrecked before and then decided to become an investigator as a result of that, which is pretty cool.

His Twitter handle is @Zackxbt.
GRAHAM CLULEY
Ah, yes. We've spoken about him before. He's extraordinary—he has uncovered so much shadiness going on on the blockchain. Yeah, he's very good.
TRICIA HOWARD
Unbelievable work. Yes.

So back in January of this year, he noticed about $23 million in shady transactions that were directly tied to these wallets that were known to be associated with the U.S. Marshals Service.

And some of the funds in these wallets, by the way, were connected to the infamous Bitfinex attack in 2016, the largest crypto scam of all time. Yeah.

So naturally, when things like this happen, you have to ask, how did not only the initial thing occur, but how did they get caught?
GRAHAM CLULEY
Yes.
TRICIA HOWARD
And this is where I'm not going to lie, Graham. I giggled really, really hard at the schadenfreude of all of this.
GRAHAM CLULEY
Okay.
TRICIA HOWARD
Happiness at the misfortune of others, which I usually try not to do.

But whenever they're less than savory individuals, which, if the transcripts of this person are to be believed, I would argue he's very less than savory.

It's just kind of funny, especially when they do it to themselves. All right. So there was the initial thing that Zach found, and then Zach started reporting on it, as he does.
GRAHAM CLULEY
Yeah.
TRICIA HOWARD
And John started trolling him by sending little— what I now know is a term called dust transactions.
GRAHAM CLULEY
Well, what's a dust transaction?
TRICIA HOWARD
So dusting or a dust transaction is something known in the crypto community as kind of a virtual hand wave.

To say, yep, this is me, because it's, you know, anonymized and all that stuff. So John started sending them to Zach's wallets.

And what is problematic about that is, because this was associated with illegal activity, theoretically Zach's wallets could be affected negatively. He could—
GRAHAM CLULEY
Right, right—
TRICIA HOWARD
could be banned from exchange platforms. It could be actually quite bad. Also, having the association with the illegal stuff is usually not people's thing that they want to do.

It's not really good opsec to start trolling the person who's investigating you.

I don't know, maybe not the strongest one, but a worse opsec strategy than that is getting on a recorded call and telling on yourself.
GRAHAM CLULEY
What? He did what?
TRICIA HOWARD
So, you know, threat actors, turns out, not the most savory individuals, as we recently discovered. They also like to brag a lot.

So not only was he a thief, he was a braggart and got on a Telegram call with another known threat actor who was calling John out and saying that John didn't actually have access, that his claims were false.

And so he proved that he had access to these wallets, and that was recorded. You can actually watch the recordings on Zach's Twitter thread where he talks about this.

Language warning, by the way, if you watch them.
GRAHAM CLULEY
Holy shit, he just opened up a second hardware wallet. I bet. Now, look, this is actually going to be funny as hell for all of us.
TRICIA HOWARD
After I clown this, he shows all his money.
GRAHAM CLULEY
I just show 3 times more. All empty.
Unknown
All of them are empty.
TRICIA HOWARD
That's really embarrassing. So all of them are empty. You might actually be a kid. It's nice. Save address 3 to 9, 4 to 9. Keep saving them, bro.
GRAHAM CLULEY
I know you got them fat ass fingers.
TRICIA HOWARD
He literally just told on himself on screen record. I'm sorry, it's just so funny to me. Graham, literally told on yourself. So let's just recap here, right?

You have tens of millions of dollars in seized crypto assets sitting in a government-managed wallet. Those wallets are handled by outside contractors.

This guy's dad is one of those contractors, and he himself may have had direct access.

He steals those funds, then trolls the investigator who calls him out for it, and then brags about it online, proving that he did all of this. How 2026 is that?
GRAHAM CLULEY
The education system has got a lot to answer for, hasn't it?

I mean, in some ways we're grateful because it makes it easier to catch— I mean, this guy, these are allegations at this point.
TRICIA HOWARD
Of course.
GRAHAM CLULEY
He'll have his day in court. But frankly, we have to be grateful that sometimes the cybercriminals are caught out by their own dumb behaviour.

But it also leaves you with your head in your hands thinking, oh, for goodness' sake, couldn't you have done a bit better than that?
TRICIA HOWARD
Yeah, you know, it's astounding, actually.

When I worked at Akamai in the research organization, we actually saw this a fair amount where the threat actors would be proud of what they were doing, not unlike we are proud of things that we do at work.

And they would get called out and said, no, you don't actually have this. And they would prove it themselves.

It's an interesting tactic, I guess, make them tell on themselves by playing to their ego. Huh, who knew that would work?
GRAHAM CLULEY
Right, let's take a moment to talk about one of today's sponsors, Meta. So picture this. You need to set up a network for a new office.

Suddenly you're juggling ISPs, floor plans, hardware configuration. Oh, what a headache. It's basically a second job.
Unknown
Ah yes, the classic experience of paying a contractor to arrive on the wrong day at the wrong address to install the wrong thing.
GRAHAM CLULEY
Right. Well, Meta's entire pitch is this: what if that just wasn't your problem?
Unknown
Huh. Tell me more.
GRAHAM CLULEY
They are a network as a service company. They are genuinely end to end. You hand them a physical address and a floor plan and they handle everything.

They sort out the ISP, they design the network, they show up on site, they rack their own hardware, not reselling someone else's kit, and they get the whole thing running.
Unknown
So I don't have to spend 45-odd minutes on hold with a company whose hold music is a 15-second loop of pan flute that I've committed to heart.
GRAHAM CLULEY
No, you don't. And once you're up and running, you get a single dashboard covering monitoring, management, security, VLANs, firewall, DNS security, SD-WAN, all of it.

Full visibility and control. None of the tedious legwork.
Unknown
Oh, that sounds actually useful. But what's the catch?
GRAHAM CLULEY
No catch, Joe, just a subscription model with no nasty surprises. They've even got a hardware buyback program if you've already invested in kit from another vendor.
Unknown
Very sensible. Where do we send people?
GRAHAM CLULEY
Go to meter.com/smashing. Go on, do it right now. Take a look.
Unknown
That's meter.com/smashing. Thanks to Meter for supporting the show.
GRAHAM CLULEY
And welcome back, and you join us at our favourite part of the show that we like to call Pick of the Week.
TRICIA HOWARD
Pick of the Week.
GRAHAM CLULEY
Pick of the Week is the part of the show where everyone chooses something they like.

Could be a funny story, a book that they've read, a TV show, a movie, a record, a podcast, a website, or an app, whatever they wish.

It doesn't have to be security-related necessarily. Well, my Pick of the Week this week is not security-related. My Pick of the Week this week is a blast back to my childhood.

Yes, I remember the 1870s when all we had to enjoy was a hoop and a stick. We had fun in those days. That's all we needed. Occasionally, we know we'd go out into the garden.

We might find a pebble and a rock to bash together as well and try and make some sparks. Not quite that old, for goodness' sake. No, more recent than that. Asterix. Asterix the Gaul.

Are you familiar with Asterix the Gaul, Tricia?
TRICIA HOWARD
I am not.
GRAHAM CLULEY
Oh, for goodness' sake.
TRICIA HOWARD
I know.
GRAHAM CLULEY
Are you familiar with Tintin? Hergé's Adventures?
TRICIA HOWARD
No.
GRAHAM CLULEY
Good, because Tintin's rubbish compared to Asterix. I was going to say Asterix is a much, much better version.

So Asterix is a plucky little Gaul in the— I think it's 50 AD is when he's living. And was it 50 BC? It doesn't matter. It's 2,000 years ago.

And he lives in a village which is holding out against the Roman Empire. It's the final bit of what would later become France. Everywhere else has been conquered.

And he's living in this little village, and it's a small, stubborn place. They're holding out against the Roman Empire.

They are armed with nothing more than their wits and magic potion, which gives them super strength.
TRICIA HOWARD
Amazing.
GRAHAM CLULEY
And this is a cartoon strip book. I guess you would call it a graphic novel these days. I don't— I think it's called a graphic album is what the French used to call it.

These were originally in French. They've been translated around the world. They are very, very funny.
TRICIA HOWARD
Okay. Love it.
GRAHAM CLULEY
They've got great characters. They made movies of them. I've never seen the movies. I mean, that just seems wrong to me.

I think they had Gérard Depardieu as Obélix, the one who carries the menhir everywhere. There's even a theme park, I think, in France as well. But forget all of those.

I'm talking about the classic Asterix books made from about 1960 until about 1977. By Goscinny and Uderzo. They're still making the books today.

Well, not those two because they're dead. But the books are still being cranked out. And here are some of the reasons. I can't believe you've never heard of Asterix.
TRICIA HOWARD
I'm sorry. I'm sorry. I was born way after you.
GRAHAM CLULEY
Okay. All right. All right. Blimey.
TRICIA HOWARD
Just kidding.
GRAHAM CLULEY
But Asterix is an absolute institution. So these are very funny books, first of all. So there are lots of puns. And the puns survive being translated.

So the translators who have translated Asterix from the original French into other languages, they are absolute unsung heroes.
TRICIA HOWARD
Wow, good for them.
GRAHAM CLULEY
So you get characters like there's a druid called Getafix. There's the chief of the village called Vitalstatistix. There's a bard called Cacofonix.

There's even a village postman called Postaldistrix. There's slapstick.
TRICIA HOWARD
Oh man.
GRAHAM CLULEY
There's also political satire in there. Adults will get a lot out of it.

There are Asterix books which are probably thinly veiled discussions as to whether Britain should become members of the European Union. Look what happened there.

So you can see how old some of these books are. They are genuinely a joy, however old you are. There's some gentle mocking of national stereotypes.

So when Asterix goes to Britain, for instance, to meet a tribe over there, there's warm British beer and there's boiled food, there's Roman bureaucracy.

When he goes to Switzerland, there's lots of fondue, things like this.
TRICIA HOWARD
Amazing.
GRAHAM CLULEY
But there's real affection. It's never cruel. Apart from, of course, to the Roman legionnaires who keep on getting bashed up by these plucky little villagers on their magic potion.

The artwork is fantastic. You've got to Google image Asterix the Gaul right now to see some of this. Magnificent battle scenes, dozens of Romans flying through the air.

If you need an excuse, buy the Asterix books for your kids. But I'm sure you will love them too. You can use the kids as an excuse, but they're really, really great.

And as I said, it's much better than Tintin. So Asterix is my Pick of the Week.
TRICIA HOWARD
Amazing. I cannot wait to go through this, if for no other reason than the ability to maintain the puns. That is honestly, wow. Unsung heroes is certainly the correct term for that.
GRAHAM CLULEY
It's lovely, lovely fun stuff. Tricia, what's your Pick of the Week?
TRICIA HOWARD
Okay, my Pick of the Week is the author Robin Hobb. Are you familiar with Robin Hobb?
GRAHAM CLULEY
No, no, I'm not, Tricia, because I've spent my time learning about other things which are important, like Asterix, for instance. No, I've not heard of Robin Hobb.
TRICIA HOWARD
Well, she is a British writer who is—
GRAHAM CLULEY
I'm so sorry for not knowing.
TRICIA HOWARD
No, that's okay. Okay, right.
GRAHAM CLULEY
For goodness' sake. Asterix.
TRICIA HOWARD
She is unbelievable. She is an incredible fantasy writer.

And I was going to choose a specific trilogy of hers to be my pick of the week, but I could not decide between them because they are all so good.

So for reference on how amazing Robin Hobb is, she has been publicly praised by none other than the god of fantasy himself, George R.R. Martin. Don't know if you've heard of him.
GRAHAM CLULEY
Oh, yes. Game of Thrones. Yes.
TRICIA HOWARD
Ah, yes. So he says, and I quote, "Robin Hobb writes fantasy the way fantasy should be written." Astounding.

The two that I'm in the middle of right now are the Liveship Traders and the Farseer trilogy. Farseer came first, and then the Liveship Traders came afterward. They are thick books.

It's certainly a commitment. But oh, my goodness. I am somebody who loves to get swept away in the story. And she has an unbelievable way of not only telling these stories.

I mean, she's got an incredible mind, but the way that she paints pictures, I mean, you can tell she's lived, all right?

She's been through some stuff, and it comes through very, very clearly.
GRAHAM CLULEY
What's the sort of background to the story? When you say fantasy, obviously, my mind instantly turned to Fifty Shades of what's-it or something.

We're not talking that kind of fantasy.
TRICIA HOWARD
No.
GRAHAM CLULEY
Is it more sort of like dragons and wizardry and that kind of stuff?
TRICIA HOWARD
Precisely. So the Farseer trilogy, I believe, was actually her first trilogy. And it follows a rogue assassin from childhood.

And he's the bastard child of the prince who is going to become the king. And the kid gets dumped at the palace, and he becomes an assassin, or what is known as a Kingsman.

And it is— my goodness, Graham, it's really astounding. I will say, though, you need to dedicate time to read them because you cannot put it down after a certain amount of time.

The pages fly through. Really, really lovely.
GRAHAM CLULEY
So if people are intrigued about this, what book do you recommend that they start with?
TRICIA HOWARD
Oh, see, this is why I didn't know which one to pick.

I started with The Liveship Traders, and I think that's a strong one to start with because it introduces her world; both of them take place in the same world, just at completely different times.

So start with that because it's a standalone. The Farseer trilogy has a couple of other offshoots of it.

So if you're just looking for a quick, quote unquote, trilogy to get introduced to her and her style, I would say The Liveship Traders is the one to go with.

It follows a family of sailors that have been traders for many, many years. And bad stuff happens to them.
GRAHAM CLULEY
Oh, okay. Well, I feel like we've both had rather cultural picks of the week.
TRICIA HOWARD
I agree, Graham. I agree.
GRAHAM CLULEY
I feel like we've both introduced each other to something which we weren't previously familiar with. And I feel— Are you having a drink?
TRICIA HOWARD
I was, yeah. Yep. It's the American way, man.
GRAHAM CLULEY
Right. Well, that just about wraps up the show for this week. Thank you so much, Tricia, for joining us.

I'm sure lots of our listeners would love to find out what you're up to and follow you online. What's the best way to do that?
TRICIA HOWARD
The way to find me is on LinkedIn. So linkedin.com/in/triciakicksass, that's S-A-A-S, is the easiest way to find me.
GRAHAM CLULEY
And you can find me, Graham Cluley, on LinkedIn as well, or follow Smashing Security on BlueSky or Mastodon and places like that.

And don't forget to ensure that you never miss another episode, follow Smashing Security on your favorite podcast apps such as Apple Podcasts, Pocket Casts, and Spotify.

For episode show notes, sponsorship info, guest lists, and the entire back catalog of 458-odd episodes with the emphasis on odd, check out smashingsecurity.com.

Until next time, cheerio, bye-bye.
TRICIA HOWARD
Cybernara.
GRAHAM CLULEY
You've been listening to Smashing Security with me, Graham Cluley, and thanks so much to Tricia Howard for joining us this week and to this episode's sponsors, ThreatLocker, Vanta, and Meta, and of course, to the following chums who support Smashing Security via Patreon.

We're going to grab a few names out of the hat. Give it up for JBSK, who we can only assume is too cool to have a full name.

Bashora, the nerd who named themselves after a shell terminal. William Reddick, the very soft and breathable Matt Cotton. The positively electric Bobby Hendrix.

Matt H, presumably because the username Matt was already taken, perhaps by Matt Cotton. Frankie Guzikowski. Mansui Dijon.

Alexander Huy Guiz, which sounds less like a person and more like a very grand Dutch country estate. And finally, Dmitry, just Dmitry, no last name, very mysterious.

We respect you, Dmitry, and all the rest of you as well.

If you fancy having your name read out at the end of the show and you fancy having ad-free episodes of Smashing Security, all you have to do is support us at smashingsecurity.com.

Smashingsecurity.com/plus. That will take you to the page where you can sign up, and maybe you'll get thanked in a future episode as well.

Of course, not everyone can stretch to supporting the show financially. That's absolutely fine. I get it. There's absolutely no pressure to do that.

Instead, what you can do is you can go and tell your friends. There's lots of pressure on you to do that.

Go and tell your friends about Smashing Security and encourage them to tune in to some of our past episodes as well as the future ones too.

Thank you everybody who supports the show, leaves 5-star reviews, likes, subscribes, and spreads the word. I really do appreciate it. And until our next episode, I will now sign off.

So toodle-oo from me. Bye-bye.


Sponsored by:

  • Vanta – Expand the scope of your security program with market-leading compliance automation… while saving time and money. Smashing Security listeners get $1000 off!
  • ThreatLocker – Start your free trial and book a demo of ThreatLocker today to see how you can implement Zero Trust in your environment.
  • Meter – Network infrastructure for the enterprise. Get a free personalised demo.

Support the show:

You can help the podcast by telling your friends and colleagues about “Smashing Security”, and leaving us a review on Apple Podcasts or Podchaser.

Join Smashing Security PLUS for ad-free episodes and our early-release feed!

Follow us:

Follow the show on Bluesky, or join us on the Smashing Security subreddit, or visit our website for more episodes.

Thanks:

Theme tune: “Vinyl Memories” by Mikael Manvelyan.
Assorted sound effects: AudioBlocks.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and hosts the popular "Smashing Security" podcast. Follow him on TikTok, LinkedIn, Bluesky and Mastodon, or drop him an email.
