🎓️ Vulnerable U | #110

Cybersecurity Professor Disappeared and FBI raids his house, North Korea Fake workers are leveling up, Police shut down a major CSAM site, and much more!

Read Time: 9 minutes

Howdy friends!

Anyone else drowning? Just me? I’ve lost all semblance of balance in the last few weeks and feel like every minute is spoken for. I also got an email from my kid’s school that there are only a few weeks left, which is mind boggling.

Who’s all going to RSA? I’ve got a few events that Vulnerable U is going to help support. Looking forward to seeing a lot of you.

ICYMI

🖊️ Something I wrote: Progress > perfection. Keep showing up.

🎧️ Something I heard: Interview with Vibe Coder in 2025 - absolutely hilarious

🎤 Something I said: For topical reasons, I covered a guide to traveling while maintaining your security & privacy. Especially if you have a reason to be government targeted.

🔖 Something I read: Guys. I’m obsessed. This is one of my new favorite book series. Dungeon Crawler Carl is just right up my alley. Ready Player One but R-Rated comedy version.

Vulnerable News

Well, the mysterious disappearance of cybersecurity professor Xiaofeng Wang just got more interesting. First came the FBI raids on his Indiana homes, his university profiles vanishing into thin air, and Indiana University playing dumb about their tenured professor of 20+ years. Now we're getting more details - Wang was apparently under investigation for allegedly failing to disclose Chinese research funding from 2017-2018. His attorney claims he and his wife are "safe" and haven't been arrested, but the university apparently fired him via email (which faculty say violates tenure policies).

The update that Wang and his wife are safe was reported by WIRED.

Wang had reportedly accepted a position at a university in Singapore starting June 1st. Many academics are drawing uncomfortable parallels to the controversial "China Initiative" that targeted Chinese-born researchers under Trump before being officially abandoned in 2022. Matthew Green from Johns Hopkins summed up what many are thinking: "This is not normal behavior by a university." The whole episode has the academic community on edge, worried this could discourage international talent from working at American universities. Meanwhile, Wang's students and collaborators are left wondering what happened to their mentor. (read more)

To scale your company, you need compliance. And by investing in compliance early, you protect sensitive data and simplify the process of meeting industry standards—ensuring long-term trust and security.

Vanta helps growing companies achieve compliance quickly and painlessly by automating 35+ frameworks—including SOC 2, ISO 27001, HIPAA, GDPR, and more.

And with Vanta continuously monitoring your security posture, your team can focus on growth, stay ahead of evolving regulations, and close deals in a fraction of the time.

Start with Vanta’s Compliance for Startups Bundle, with key resources to accelerate your journey.

  • Step-by-step compliance checklists

  • Case studies from fast-growing startups

  • On-demand videos with industry leaders

*Sponsored

Europol site seizure notice (Source: BleepingComputer)

German police just took down KidFlix, one of the largest CSAM platforms on the dark web. Operation Stream was a massive effort that started back in 2022 and culminated with the server seizure on March 11. The numbers are pretty staggering - they've arrested 79 people so far, identified nearly 1,400 suspects, and seized over 3,000 devices. According to Europol, the platform had a whopping 1.8 million users worldwide during its operation.

Unlike similar platforms, it offered both downloading and streaming options, with a token-based payment system. Users could earn tokens by uploading new content, verifying video information, and categorizing materials - essentially gamifying the abuse. The site had been running since 2021 and hosted over 91,000 unique videos with a combined runtime of 6,288 hours. Information about suspects has been shared with authorities in 35 countries, and many turned out to be repeat offenders already on law enforcement's radar. (read more)

Remember those North Korean remote workers I've mentioned before? Seems like they're expanding beyond the US market and showing up all over Europe these days. Google's Threat Intel team reports they're getting creative with their job hunting - building fake personas claiming to be from places like Italy, Japan, and Ukraine while targeting companies in the defense sector. They're not just sticking to basic coding gigs either - they're going after blockchain projects, AI development, and smart contracts using tech stacks like Next.js, Solana, and MERN.

When busted, they're now more likely to try extortion, threatening to leak proprietary code unless paid off. And they've found a sweet spot in companies with BYOD policies where workers access corporate systems through VMs - much harder to track activity compared to corporate-owned hardware. They've also built out networks of facilitators in places like the UK who help with identity verification and payment processing. Maybe double-check those impressive remote candidates from Serbia with blockchain experience...(read more)

Researchers at DomainTools (yes again. solid week for them) uncovered nearly 900 fake domains targeting defense and aerospace companies that support Ukraine. The attackers created convincing clones of internal login pages to steal credentials from employees at these firms. What makes this campaign stand out is the scale and infrastructure - they're using a consistent setup of mail servers, Mailu-based login templates, and domains registered through Spaceship (with fun names like "scooby-doo.xyz" and "stupid-buddy.mom").

The operation seems laser-focused on intelligence gathering from companies supporting Ukraine's war effort. Beyond credential harvesting, they also set up fake Cryptshare portals, likely to deliver malware. While DomainTools didn't attribute this to a specific actor, it's got all the hallmarks of a state-sponsored intelligence operation. The tactics aren't particularly novel, but the execution is impressive - and with the US reportedly pulling back some cyber ops against Russia, campaigns like this might face less resistance going forward. Definitely worth checking those IOCs if you're in the defense sector. (read more)

Another week, another Ivanti story - CISA just issued an alert about Chinese hackers exploiting a vulnerability (CVE-2025-0282) with a particularly powerful piece of malware dubbed "Resurge." This malware can do it all - tamper with logs, harvest credentials, create backdoor accounts, and even persist through system upgrades. It sidesteps Ivanti's own Integrity Checker Tool (ICT) by tampering with the manifest file the tool trusts, so a clean ICT run is not proof of a clean appliance: you could run the checker and still miss the infection.

Mandiant calls this malware family "Spawn" and confirms it's the work of Chinese state-backed groups who've been quietly exploiting Ivanti products since December. CISA has been warning about Chinese hackers targeting Ivanti vulnerabilities since 2020. If you're running Connect Secure, Policy Secure or ZTA Gateway, CISA's advice is clear: factory reset your devices, change all credentials and passwords, and reach out for help if you think you might be compromised. (read more)
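The reason a clean ICT run proves little is structural: an on-box checker compares files against a manifest that lives on the same box, so an implant that rewrites both passes. The snippet below is an added illustration of that failure mode, not Ivanti's ICT or Resurge, with constructed file contents and made-up paths; it shows the on-box check passing after the implant while a baseline kept off the appliance still catches the modified and added files.

```python
"""Why an on-box integrity check can be fooled (added example, constructed data)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Manifest the way an on-device checker stores it: path -> sha256 of contents."""
    return {path: sha256_hex(content) for path, content in files.items()}


# Constructed stand-in for a clean appliance image (paths and contents are invented).
CLEAN_FILES = {
    "/opt/appliance/bin/gateway": b"clean gateway binary (constructed)",
    "/opt/appliance/htdocs/login.cgi": b"clean login handler (constructed)",
}

# The baseline a defender would export from a known-good image and keep OFF the box.
BASELINE_MANIFEST = build_manifest(CLEAN_FILES)


def simulate_implant(files: dict[str, bytes]) -> tuple[dict[str, bytes], dict[str, str]]:
    """Attacker modifies one file, drops a web shell, and rewrites the on-box manifest to match."""
    infected = dict(files)
    infected["/opt/appliance/htdocs/login.cgi"] += b"\n<webshell>"
    infected["/opt/appliance/htdocs/shell.cgi"] = b"<webshell>"
    tampered_manifest = build_manifest(infected)  # regenerated so every entry agrees
    return infected, tampered_manifest


def onbox_check(files: dict[str, bytes], manifest: dict[str, str]) -> list[str]:
    """What a checker running on the appliance can do: trust the manifest it finds beside the files."""
    return sorted(p for p, c in files.items() if manifest.get(p) != sha256_hex(c))


def offline_check(files: dict[str, bytes], baseline: dict[str, str]) -> list[str]:
    """Compare against a baseline the attacker never had write access to."""
    diffs = [p for p, c in files.items() if baseline.get(p) != sha256_hex(c)]  # modified or added
    diffs += [p for p in baseline if p not in files]  # deleted
    return sorted(diffs)


if __name__ == "__main__":
    infected, tampered = simulate_implant(CLEAN_FILES)
    print("on-box check after implant:", onbox_check(infected, tampered))        # []
    print("offline baseline check:   ", offline_check(infected, BASELINE_MANIFEST))
```

The point for incident responders: hashes pulled from a suspect appliance must be compared against a baseline that was captured from a clean image and stored elsewhere; a checker whose reference data sits on the compromised disk is only evidence that the attacker did not bother to update it.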

A new report from DomainTools shows how APT28, APT29, and the Internet Research Agency are exploiting domain registrars to spread fake news and propaganda. Their playbook involves registering domains that look like legitimate news sites (think bloomberg-us[.]com instead of bloomberg.com), then using them for phishing or spreading misinformation. They're particularly fond of registrars with minimal compliance requirements like Namecheap, Reg.ru, and Epik.

They're also now "aging" domains by registering them months before use to bypass reputation filters, experimenting with blockchain domains that resist takedowns, and hiding behind bulletproof hosting in places like Moldova. Meanwhile, the US has actually scaled back its counter-disinformation efforts by shutting down key programs like the Global Engagement Center. (read more)

Some clever security folks just pulled off a fascinating hack against Google Gemini. Instead of trying to escape the Python sandbox (worth a cool $100K bounty), these researchers went digging around inside it. They extracted a massive 579MB binary containing actual Google source code and proto files. The researchers didn't break out of the sandbox; they just mapped what was already there using basic Python, then split the binary into chunks they could extract through the interface.

The exfiltrated code revealed how Gemini's sandbox works internally, including RPC pipes to Google services and even parts of the google3 repository (Google's proprietary codebase). They found proto files defining how Google handles security credentials and data classification, which weren't supposed to be bundled with the sandbox. Google acknowledged the issue but confirmed no user data was exposed. (read more)

Researchers at Silent Push uncovered a network of fake recruitment sites targeting Russians who might want to join Ukrainian paramilitary groups fighting against Moscow. These aren't your everyday credential-stealing pages - they're FSB honeypots designed to identify political dissidents. One letter change in a domain (legiohliberty vs legionliberty) and suddenly your "application" to fight against Putin lands directly with Russian intelligence, potentially leading to terrorism charges and 20 years in prison.

They’re not distributing these through emails but by gaming search engine results. Yandex (no surprise), but also DuckDuckGo and Bing, frequently rank these phishing sites above legitimate ones. (read more)

OpenSNP, an open-source genetic data repository, is pulling the plug and wiping all its data on April 30th. The co-founder's decision stems from growing concerns about how genetic data could be weaponized by authoritarian regimes. It’s giving “today's innocent research data could become tomorrow's surveillance tool.” The shutdown highlights a broader tension in the scientific community between open data sharing and protecting sensitive genetic information from potential misuse. (read more)

Apple's App Tracking Transparency (ATT) framework just landed them a €150M fine from French regulators. While the privacy tool's goal of requiring user consent for cross-app tracking isn't the issue, France's competition watchdog says Apple implemented it in a way that's basically kneecapping smaller publishers while giving Apple's own apps special treatment. Apple made users jump through extra hoops to allow tracking (two clicks) but made it super easy to refuse (one click), plus their own apps got to bypass these rules entirely.

Apple’s still dealing with that €1.8B music streaming fine from the EC, and France already hit them with an €8M privacy fine previously. The French authority is particularly peeved that ATT's implementation doesn't even properly align with GDPR standards, and smaller publishers who rely on ad targeting are getting disproportionately hurt since they don't have Apple's massive proprietary data advantage. (read more)

Remember that massive Epik hack from 2021 that exposed tons of right-wing website data? Looks like they got their guy. Aubrey "Kirtaner" Cottle, a prominent Anonymous hacker, was just arrested in Canada for allegedly breaching Epik and snagging 20TB of Texas GOP data. He couldn't help but brag about it - showing up to Epik's CEO's press conference about the breach and leaving breadcrumbs across Discord and TikTok. Even when Epik's CEO Rob Monster directly asked if he did it, Cottle responded with the cheeky "I would never, ever admit to a federal crime in a space like this."

The feds found the stolen Texas GOP data on his devices during a raid, and he's now facing up to 5 years if convicted. The hack was apparently a response to Texas' abortion law, with attackers defacing the GOP website and creating a dump site for the stolen Epik data. (read more)

The DoJ just clawed back $8.2M in crypto from a pig butchering operation, including $650k from a Cleveland victim who was convinced to liquidate her entire retirement. The scammers used the classic playbook - anonymous numbers, messaging apps, and fake relationships to convince victims to "invest" their money. The funds went through a maze of DeFi platforms, cross-chain swaps, and unhosted wallets before landing in three TRON addresses.

FBI investigators spotted patterns in wallet reuse and routing that cracked the case. This is part of a larger investigation into these scams, which are often backed by human trafficking operations in Southeast Asia. The feds are now working backwards through the blockchain to identify more victims beyond the 30 already found. (read more)

Miscellaneous mattjay

How'd I do this edition?

It's hard doing this in a vacuum. Screaming into a void. Feedback is incredibly valuable to make sure I'm making a newsletter you love getting every week.


Parting Thoughts:

Community was foundational in launching and propelling my career. Community is the only reason I can stand being in Texas during the summer months. Community is the point. Today, I invite you to embrace discomfort on the road to a more vulnerable you.

Stay safe, Matt Johansen
@mattjay