Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally.…

Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally. They face 20 years in prison and forfeit $400M in assets.

The US Department of Justice (DoJ) has confirmed that two Estonian nationals have admitted guilt in a large-scale cryptocurrency fraud case that impacted numerous victims worldwide. The perpetrators, identified as Sergei Potapenko and Ivan Turõgin, both 40 years old, were originally arrested in November 2022 and extradited to the US in May 2024. 

They, reportedly, ran a cryptocurrency fraud scheme that amassed over $577 million between 2015 and 2019. This substantial sum was obtained by misleading investors about the capabilities of their purported cryptocurrency mining service, HashFlare.io.

HashFlare’s homepage (Screenshot credit: Hackread.com)

According to the DoJ’s press release, Potapenko and Turõgin operated a complex Ponzi scheme (a scam where insanely high returns are offered with minimal effort) involving cryptocurrency mining services. They marketed contracts to investors, promising a portion of the cryptocurrency generated by HashFlare. 

Over the four-year period, this operation amassed a substantial sum of money, exceeding half a billion dollars. The scheme victimized hundreds of thousands of individuals across the globe, including those in the United States.

The perpetrators employed sophisticated methods to deceive investors. The fraudulent activity involved a discrepancy between the promised mining capacity and the actual resources available. HashFlare lacked the necessary computing power to conduct extensive mining for clients. Operators, therefore, fabricated data on a web platform to show investors their supposed profits, misappropriating funds for their own benefit. 

This means, they not only misrepresented their mining capacity but also created a false impression of profitability through fabricated data. They used the illicitly gained funds to acquire luxury items, including real estate and high-end vehicles and also invested in cryptocurrency and other assets.  

While the figure of $577 million represents the total sales generated by the fraudulent scheme, it is important to note that the defendants agreed to forfeit assets worth over $400 million as part of their plea deal. This indicates the scale of the financial gains they acquired through the scheme. These recovered funds will be used to reimburse those who were harmed by the fraudulent scheme, and the process will be revealed by the DoJ at a later date.

Potapenko and Turõgin have pleaded guilty to conspiracy to commit wire fraud, which involves a maximum sentence of 20 years. They will be sentenced on May 8 and their sentencing depends on various factors, including federal guidelines and other relevant legal considerations. 

The DoJ commended Estonia’s Cybercrime Bureau, the Estonian Prosecutor General, and the Ministry of Justice and Digital Affairs for their assistance in the investigation and extradition process. The FBI is actively urging victims of the HashFlare fraud to come forward.

Featured Image via: PixaBay/Sergei Tokmakov

HashFlare Fraud: Two Estonians Admit to Running $577M Crypto Scam

Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms.

When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans' texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers' high-profile exposure, they've continued their spree of breaking into telecom networks worldwide, including more in the US.

Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they've seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company's analysts, though they declined to name those victims to WIRED.

“They’re super active, and they continue to be super active,” says Levi Gundert, who leads Recorded Future's research team known as Insikt Group. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”

To carry out this latest campaign of intrusions, Salt Typhoon—which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft—has targeted the internet-exposed web interfaces of Cisco's IOS software, which runs on the networking giant's routers and switches. The hackers exploited two different vulnerabilities in those devices' code, one of which grants initial access, and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim's network.

“Any time you're embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you're able to access and observe and exfiltrate,” Gundert says.

Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via generic routing encapsulation, or GRE tunnels—a protocol used to set up private communications channels—then used those connections to maintain their access and steal data.

When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published about vulnerabilities in the web interface of its IOS software in 2023. “We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release,” a spokesperson wrote in a statement.

Hacking network appliances as entry points to target victims—often by exploiting known vulnerabilities that device owners have failed to patch—has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. That's in part because those network devices lack many of the security controls and monitoring software that's been extended to more traditional computing devices like servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted those vulnerable network appliances as a primary intrusion technique for at least five years.

That Salt Typhoon continues to carry out business as usual is nonetheless notable, Recorded Future's analysts say. The group's activities have been exposed in the media, in government reports and announcements issued by the FCC, CISA, and the White House, even in sanctions issued by the US Treasury. But that hasn't caused the hackers to change course. On January 17, Treasury sanctioned Sichuan Juxinhe Network Technology, a cybersecurity firm allegedly linked to Salt Typhoon's operations. And yet, Gundert says, Recorded Future hasn't seen any cessation or slowdown of the hackers' activities even since that date.

“That's the disappointing part about this,” says Gundert. “Even with all the attention, we haven't observed any real change in the volume or velocity of attacks, even in the same target demographic of telecommunications.”

After Salt Typhoon's hacking campaign targeting US telecom networks came to light last fall, then FBI director Christopher Wray described the phone company breaches as China's “most significant cyber-espionage campaign in history.” The intrusions, which in some cases exploited the wiretap mechanisms built into telecoms for law enforcement use, prompted CISA and FBI officials to go so far as to recommend that Americans use end-to-end encrypted communication apps like Signal and WhatsApp to avoid leaving their texts and calls vulnerable to China's real-time spying.

In this latest rash of intrusions, Recorded Future says it's seen the Chinese hackers break into not only the US internet service provider and telecommunications firm and a US affiliate of a UK telecom, but also telecoms in South Africa and Thailand and an internet service provider in Italy, though it declined to name any of those victims. It's also seen the group target a broader range of universities around the world for apparent espionage, including in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US—including the University of California, California State, Utah Tech, and Loyola University.

Recorded Future says it was able to gain visibility into those intrusions by identifying command-and-control infrastructure used by Salt Typhoon, though it didn't further explain its methodology. The company's analysts note that there may well be other parts of the group's hacking campaign—and other victims—that it hasn't discovered.

“They've only gotten more bold,” says Jon Condra, another Recorded Future analyst. “I strongly suspect it's much larger than what we’ve seen.”

China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

In a landscape where cyber threats evolve daily, the Defense Information Systems Agency’s (DISA) Enterprise Patch Management System (EPMS) plays a critical role in maintaining the cybersecurity of the Department of Defense (DoD). EPMS is not just a tool—it's a strategy, bridging software, efficiency and innovation to enhance the security posture of  critical systems.The Importance of EPMSEPMS addresses a core cybersecurity challenge: verifying that all systems are consistently patched against known vulnerabilities. With cyber adversaries growing more sophisticated, leaving any endpoint exp

In a landscape where cyber threats evolve daily, the **Defense Information Systems Agency****’s (DISA) Enterprise Patch Management System (EPMS)** plays a critical role in maintaining the cybersecurity of the Department of Defense (DoD). EPMS is not just a tool—it's a strategy, bridging software, efficiency and innovation to enhance the security posture of  critical systems.

**The Importance of EPMS**

EPMS addresses a core cybersecurity challenge: verifying that all systems are consistently patched against known vulnerabilities. With cyber adversaries growing more sophisticated, leaving any endpoint exposed is a risk the DoD cannot afford. EPMS helps to drive more rapid patch delivery with greater security assurance across classified (SIPR) and unclassified (NIPR) networks, keeping the defense infrastructure resilient.

**Red Hat and EPMS: a powerful alliance**

One of EPMS's core components is its integration with **Red Hat Satellite**, a platform purpose-built for managing Red Hat Enterprise Linux (RHEL) systems. This collaboration delivers several IT security advantages:

*   **Trusted supply chain:** All Red Hat content distributed through EPMS is cryptographically signed and verified, which helps verify the integrity and authenticity of patches
*   **Compliance enforcement:** Built-in tools for OpenSCAP scanning and Security Technical Implementation Guide (STIG) compliance make it easier to improve systems security
*   **Automation for scalability:** Red Hat Ansible Automation Platform provides automation within Satellite that simplifies the application of security baselines across large fleets of systems

**Overcoming the sneakernet bottleneck**

Traditionally, patching disconnected networks like SIPR involved a cumbersome process—downloading updates to unclassified systems, burning them to physical media and manually transferring them to classified networks. EPMS replaces this inefficient process, utilizing **Global Content Distribution Services (GCDS)**, enabling faster downloads. This innovation significantly reduces risk and accelerates the patching cycle.

**Key features and benefits of EPMS**

1.  **Enhanced efficiency:** By automating patch distribution and lifecycle management, EPMS reduces administrative workload and minimizes downtime
2.  **Broad compatibility:** Supporting all major RHEL versions and additional Red Hat solutions like RHEL for SAP and real-time computing
3.  **Scalability:** Hundreds of Red Hat Satellite servers across NIPR and SIPR power security-hardened content delivery at scale
4.  **Secure software supply chain:** The integration of checksums, GPG signature verification and certificate-based authentication provides verification of patch integrity

**The role of automation in security**

Automation is the backbone of EPMS, transforming security operations from reactive to proactive:

*   **Faster updates:** Patches can be deployed 78% faster, reducing exposure to threats
*   **Unified management:** Systems can be grouped for efficient updates to drive consistency across environments
*   **Policy compliance:** Ansible roles enforce security policies across all systems, helping to maintain a stronger security posture

**Why EPMS matters for the future**

As the DoD moves toward increasingly interconnected operations, EPMS remains a cornerstone of its cybersecurity strategy. It represents a shift from fragmented patch management practices to a unified, automated system that offers greater scalability and efficiency, along with an enhanced security footprint. By confirming that critical systems remain updated and compliant, EPMS helps to safeguard not just data but also the integrity of national defense.

In the face of growing cyber threats, EPMS demonstrates how innovation in technology can help protect against vulnerabilities, maintain mission readiness and provide for the security of the nation’s defense infrastructure.

To learn more, contact _EPMS-DoD@Redhat.com_

product trial

**Red Hat Advanced Cluster Security Cloud Service | product trial**

Red Hat Advanced Cluster Security Cloud Service | product trial

Enter keywords here to search blogs

UI\_Icon-Red\_Hat-Close-A-Black-RGB

**Keep exploring**

**Browse by channel**

**Automation**

The latest on IT automation for tech, teams, and environments

**Security**

The latest on how we reduce risks across environments and technologies

**Edge computing**

Updates on the platforms that simplify operations at the edge

**Infrastructure**

The latest on the world’s leading enterprise Linux platform

**Applications**

Inside our solutions to the toughest application challenges

**Original shows**

Entertaining stories from the makers and leaders in enterprise tech

EPMS: the cornerstone of cybersecurity in defense operations

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to…

Microsoft’s February Patch Tuesday addresses 63 security vulnerabilities, including two actively exploited zero-days. Update your systems now to protect against these threats.

Microsoft’s February 2025 Patch Tuesday update addresses 63 security vulnerabilities across its product range, including two zero-day exploits actively being used by attackers. Four of these vulnerabilities are classified as critical.

The update covers a variety of vulnerability types, including remote code execution, elevation of privilege, denial of service, spoofing, security feature bypass, information disclosure, and tampering.

Screenshot via SOCRadar

Two zero-day vulnerabilities are of particular concern due to their active exploitation.  

CVE-2025-21391, an elevation of privilege flaw in Windows Storage, could allow attackers to delete critical system files, potentially causing data loss and service disruptions.  While Microsoft states this vulnerability doesn’t expose confidential data, the ability to disrupt services is, nevertheless, a serious concern.  

The second actively exploited zero-day, CVE-2025-21418, affects the Ancillary Function Driver for Windows Sockets.  This vulnerability enables privilege escalation, potentially granting attackers SYSTEM-level access.  Details about the exploitation methods for these vulnerabilities remain undisclosed.

Microsoft is also addressing two publicly disclosed zero-day vulnerabilities. CVE-2025-21194, a hypervisor flaw, could compromise the secure kernel in UEFI-based virtual machines. This vulnerability is speculated to be related to the PixieFail vulnerabilities. Another flaw, CVE-2025-21377, could allow attackers to steal NTLM hashes through minimal user interaction with a malicious file.

Some critical vulnerabilities patched by Microsoft include: CVE-2025-21376, an RCE vulnerability in Windows Lightweight Directory Access Protocol allowing arbitrary code execution. CVE-2025-21177, a Server-Side Request Forgery vulnerability in Dynamics 365 that may lead to privilege escalation. CVE-2025-21379 in the DHCP Client Service and CVE-2025-21381 in Microsoft Excel, both allow remote code execution.  

Another severe flaw addressed was in Microsoft’s High-Performance Compute Pack. Tracked as CVE-2025-21198, it is a remote code execution (RCE) vulnerability that allows attackers to perform RCE on other clusters or nodes connected to the targeted head node by sending a specially crafted HTTPS request

Microsoft also addressed some high-risk flaws in this update including vulnerabilities in Microsoft Office SharePoint, Windows Disk Cleanup Tool, Windows CoreMessaging, Windows Win32 Kernel Subsystem, Windows Setup Files Cleanup, Windows DWM Core Library, and others. These vulnerabilities are considered high-risk due to their potential for exploitation and the lack of existing workarounds.  

Beyond Microsoft’s updates, other vendors, including Adobe, SAP, and Ivanti, have also released security patches.  SAP’s updates address vulnerabilities in BusinessObjects, Supplier Relationship Management, and Approuter, including a critical authorization flaw.  Ivanti’s patch fixes a critical OS command injection vulnerability in its Cloud Services Application.  

These updates highlight the ongoing need for timely security patching. With actively exploited zero-days and a range of critical vulnerabilities, organizations must prioritize applying these updates to mitigate risks. The sheer volume of vulnerabilities tracked by security platforms is staggering, as illustrated by SOCRadar’s Vulnerability Intelligence dashboard.

Screenshot via SOCRadar

Mr. Saeed Abbasi, Manager of Vulnerability Research at Qualys Threat Research Unit, told Hackread.com that CVE-2025-21391, though appearing as a file deletion bug, is actively exploited and far more dangerous when combined with code execution. While it doesn’t threaten confidentiality, it severely impacts integrity and availability, potentially crippling servers. Attackers can exploit it to delete critical system files, replacing them with weakly secured versions, and ultimately gaining SYSTEM-level access. Abbasi warns this is no minor flaw; it’s a stealthy path to full system control.

Patch Tuesday: Microsoft Fixes 63 Bugs with 2 Zero-Days

Hacker claims to have breached OmniGPT, leaking over 30,000 user email address, phone  numbers, and 34 million lines of chat messages. Data includes API keys, credentials, and file links.

A hacker claims to have breached **OmniGPT**, a popular AI-powered chatbot and productivity platform, exposing 30,000 user emails, phone numbers, and more than 34 million (34,270,455) lines of user conversations. The data was published on **Breach Forums** on Sunday at 10:04 AM by a hacker using the alias “Gloomer.”

The leak, as analysed by the Hackread.com research team, includes messages exchanged between users and the chatbot, as well as links to uploaded files, some of which contain credentials, billing information, and API keys. In a post accompanying the download link, Gloomer stated:

> _“This leak contains all messages between the users and the chatbot of this site, as well as all links to the files uploaded by users and also 30k user emails. You can find a lot of useful information in the messages, such as API keys and credentials. Many of the files uploaded to this site are very interesting because sometimes they contain credentials/billing information.”_

If confirmed, this breach would be one of the largest leaks of AI-generated conversation data, exposing users to identity theft, phishing scams, and financial fraud.

The hacker claiming OmniGPT breach on Breach Forums (Screenshot credit: Hackread.com)

****Sample Data: Messages, Files, and User Information****

A sample from the leaked dataset includes chat messages from users discussing technical and development topics, such as:

📌 **User: Kamil**  
_“The cut duration is not displayed correctly.”_

📌 **User: Marcus**  
_“Right now, I’m seeing it be accurate for a cut. How is it displaying incorrectly?”_

📌 **User: Javier**  
_“This comes from review.display\_data (edited).”_

Along with message logs, the leak includes file upload links to documents stored on OmniGPT’s servers, which may contain sensitive information in PDF and Document format. Some of the leaked files include:

*   **Office projects**
*   **University assignments**
*   **Market Analysis Reports**
*   **WhatsApp chat screenshots**
*   **Police verification certificates**
*   **Multiple personal and business-related documents**

_and a lot more._

Screenshot from the leaked data (Screenshot credit: Hackread.com)

****How Does OmniGPT Work****

OmniGPT integrates various advanced language models, including ChatGPT-4, Claude 3.5, Perplexity, Google Gemini, and Midjourney, into a single interface. Designed to enhance efficiency, it offers features such as data encryption, team collaboration tools, document management, image analysis, and WhatsApp integration. Pricing plans start from a free tier with basic features to a Plus plan at $16 per month, providing access to more advanced models and functionalities.

****Data Breach and GDPR****

While the hacker’s modus operandi behind the alleged breach remains unclear, the leaked data suggests that OmniGPT has a global user base, with a major portion of the exposed information belonging to users from South America, particularly Brazil; Europe, especially Italy; and Asia, including India, Pakistan, China, and Saudi Arabia.

If confirmed, this breach could present serious legal and regulatory challenges, particularly concerning **GDPR compliance in Europe**, where strict data protection laws require companies to safeguard user information and report breaches promptly. Failure to address these issues could lead to heavy fines and legal repercussions, further complicating OmniGPT’s position in the global market.

****Consequences: Identity Theft, Phishing, and API Key Exploitation****

If the hacker’s claims are accurate, this leak could pose significant cybersecurity and privacy risks for OmniGPT users. Exposed email addresses and phone numbers may lead to targeted phishing attacks or increase the risk of identity theft.

Additionally, if users shared sensitive API keys or credentials in chatbot conversations, attackers could exploit this information to gain unauthorized access to third-party services or personal accounts. Furthermore, some of the leaked files may contain billing information or confidential business data, exposing companies to financial fraud, data theft, or corporate espionage.

****OmniGPT’s Response: Silence So Far****

As of now, OmniGPT has not issued an official response regarding the alleged breach. Hackead.com has contacted OmniGPT for a response, and this article will be updated as new information becomes available.

If you have an OmniGPT account, it is important to take immediate precautions to protect your data. Start by changing your passwords, especially if you have shared any credentials or sensitive information on the platform. Enabling two-factor authentication (2FA) adds an extra layer of security against unauthorized access.

Stay alert by monitoring your emails and financial accounts for any unusual activity, such as unauthorized logins or fraudulent transactions. Be cautious of phishing attempts, as cybercriminals may use leaked email addresses to send fake messages pretending to be from OmniGPT or other trusted sources. Also, if you have used OmniGPT to process API keys, consider revoking old tokens and generating new ones to prevent unauthorized access.

This is a developing story, and we will update it as more information becomes available.

OmniGPT AI Chatbot Alleged Breach: Hacker Leaks User Data, 34M Messages

But there's plenty in it — including two zero-days — that need immediate attention.

Source: Somphop Krittayaworagul via Shutterstock

Microsoft's February security update contains substantially fewer vulnerabilities for admins to address compared to a month ago, but there's still plenty in it that requires immediate attention.

Topping the list are two zero-day vulnerabilities that attackers are actively exploiting in the wild, two more that are publicly known but not exploited yet, a patch for a zero-day that Microsoft disclosed in December 2024, and an assortment of other common vulnerabilities and exposures (CVEs) with potentially severe consequences for affected organizations.

**63 CVEs, 2 Zero-Days**

In total, Microsoft released patches for 63 unique CVEs, a far cry from the massive 159 CVEs — including a startling eight zero-days — that the company disclosed in January. Microsoft assessed four of the bugs it disclosed today as being of critical severity. It rated the vast majority of the remaining bugs as important to address but of lesser severity for a variety of factors, including attack complexity and privileges required to exploit the vulnerability.

The two actively exploited zero-day bugs in this month's update are CVE-2025-21418 (CVSS score 7.8), an elevation of privilege vulnerability in Windows Ancillary Function Driver for WinSock, and CVE-2025-21391 (CVSS 7.1), another elevation of privilege issue, this time affecting Windows Storage. Per its usual practice, Microsoft's advisories for both bugs offered no details on the exploitation activity. But security researchers had their own take on why organizations need to address the issues ASAP.

CVE-2025-21418, for instance, only enables a local exploit. That means an attacker or malicious insider must already have access to a target machine, via a phishing attack, malicious document, or other vector, said Kev Breen, senior director, cyber threat research, at Immersive Labs. Even so, such flaws are "valuable to attackers as they allow them to disable security tooling, dump credentials, or move laterally across the network to exploit the increased access," Breen said in an emailed comment. An attacker who successfully exploits the flaw can gain SYSTEM level privileges on the affected system, he said, while recommending that organizations make the vulnerability a top priority to fix.

With CVE-2025-21391, the Windows Storage zero-day, the concern is not about the flaw enabling unauthorized data access; rather, the concern is about how attackers could exploit it to affect data integrity and availability. "Microsoft has outlined that if the attacker successfully exploited this vulnerability, they would only be able to delete targeted files on a system," said Natalie Silva, lead cyber security engineer at Immersive Labs, in an emailed comment. "Microsoft has released patches to mitigate this vulnerability. It's recommended for administrators to apply these immediately."

In a blog, researchers at Action1 described the flaw as resulting from a weakness in how Windows Storage resolves file paths and follows links. Attackers can leverage the weakness to "redirect file operations to critical system files or user data, leading to unauthorized deletion," the security vendor said.

Breen recommended that organizations also treat CVE-2025-21377, an NTLM hash disclosure spoofing vulnerability, as a high priority bug that needs immediate attention. When Microsoft originally disclosed the bug in December 2024, it did not have a patch available for it, making the flaw a zero-day threat. "The vulnerability allows a threat actor to steal the NTLM credentials for a victim by sending them a malicious file," Breen said. "The user doesn't have to open or run the executable but simply viewing the file in Explorer could be enough to trigger the vulnerability." Microsoft itself has assessed the vulnerability as something that threat actors are more likely to exploit

The other previously disclosed vulnerability in the February patch update is CVE-2025-21194, a security feature bypass vulnerability in Microsoft Surface.

**Critical Flaws**

The flaws that Microsoft rated as being of critical severity in this latest update are CVE-2025-21379 (CVSS Score 7.1), an RCE in the DHCP client service; CVE-2025-21177 (CVSS Score 8.7), a privilege elevation vulnerability in Microsoft Dynamics 365 Sales; CVE-2025-21381 (CVSS 7.8), a Microsoft Excel RCE; and CVE-2025-21376 (CVSS 8.1), an RCE in Windows LDAP and the only one in the set that Microsoft identified as more vulnerable to exploitation.

Interestingly, one of the flaws that Microsoft rated as critical (CVE-2025-21177) required affected customers to do nothing, but it is an issue that Microsoft has already addressed on its end. This vulnerability makes use of the newer CAR (customer action required) attribute to identify that there is no customer actions required, says Tyler Reguly, associate director security R&D at Fortra. "While these information updates are nice, they can bloat the number of updates that admins may be worried about dealing with on a Patch Tuesday," Reguly said in an emailed comment. "One can't help but wonder if these updates should be issued outside of Patch Tuesday since they do not require customer action."

Meanwhile, the only CVE to earn a severity score of 9.0 in this month's update — (CVE-2025-21198) — is an RCE affecting Microsoft High Performance Compute (HPC) Pack. An attacker cannot exploit the flaw unless they have access to the network used to connect to the high-performance cluster, Reguly said. "This networking requirement should limit the impact of what would otherwise be a more serious vulnerability."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Microsoft's February Patch a Lighter Lift Than January's

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats.

Source: vska via Alamy Stock Photo

COMMENTARY

The Chinese-linked hacking group Salt Typhoon recently was detected lurking in major US telecommunication systems, exposing nearly every American's communications to Chinese intelligence and security services. 

In response, on Dec. 4, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI issued a joint statement recommending that American citizens and companies adopt end-to-end encrypted communication tools to avoid exposing sensitive information to China. While this advice is prudent to secure communications, hasty adoption of these technologies could result in regulatory noncompliance for organizations in highly regulated industries. These organizations should carefully examine both their security risk and regulatory obligations as they adopt new security solutions.

**Background: Salt Typhoon**

Salt Typhoon exploited legacy systems throughout the telecommunications industry that were too old to implement modern cybersecurity practices, with some parts dating back to the late 1970s. Commonly accepted baseline cyber protections like multifactor authentication were not implemented. While the scope of this attack is widespread, including voice calls and SMS messages, US intelligence officials noted that communications within encrypted communication applications such as Apple's iMessage, Meta's WhatsApp, and Signal were not exposed.

Salt Typhoon marks one of the most sophisticated attacks on US critical infrastructure in history. US officials have concluded that every major telecommunications provider has been implicated. China remains the most active and persistent cyber threat to the United States, and the Salt Typhoon campaign marks one of the most sophisticated attacks on US critical infrastructure in history. 

**Security vs. Compliance: Adopting End-to-End Encryption Technologies**

US cybersecurity and intelligence officials advised companies and individuals to adopt end-to-end encrypted applications for communications where only the sender and the intended recipients can access the content of the communication. End-to-end encryption works by securing the content of communications using cryptographic keys at both the sender and recipient. The end result is data in transit is secure, rendering the contents of any intercepted or compromised communications indecipherable without the cryptographic key, including by Internet service providers and telecommunications companies — and foreign hackers targeting those entities.

While end-to-end encrypted applications provide obvious advantages for security, many are not designed to comply with the data retention and access requirements imposed upon certain highly regulated industries. 

In the financial services sector, Securities and Exchange Commission (SEC) Rule 17a-4(b)(4) requires that communications received and sent by a member, broker, or dealer that relate to the business of an organization are to be retained for at least three years. Additionally, Section 802 of the Sarbanes-Oxley Act requires accountants who audit or review financial statements to retain records, which include any communications relevant to the audit or review. 

In the healthcare sector, Section 164.312(e) of the Health Insurance Portability and Accessibility Act (HIPAA) requires that covered entities implement technical safeguards to prevent unauthorized access to electronic protected health information (ePHI) that is being transmitted over an electronic communications network. Many encrypted communications applications restrict a covered entity's ability to monitor for or audit unauthorized disclosure of ePHI. Additionally, Section 164.350(j) of HIPAA requires that covered entities retain documentation of any communications containing ePHI for at least six years. 

**Recommendations**

As Salt Typhoon has revealed, unsecured communications of executives and employees across every sector may be targeted by Chinese intelligence services for exploitation. In this new environment, balancing communications security with compliance can be challenging. To appropriately navigate these risks, organizations in every sector should consider three things.

First, organizations should implement end-to-end encryption for all business communications internally and, to the greatest extent practicable, externally. There are numerous mobile and desktop applications currently available that are designed to serve this purpose. For companies in regulated industries, it is important to also consider regulatory retention, monitoring, and auditing requirements when considering these tools. Such organizations should seek to implement solutions that can ensure appropriate encryption standards for messaging, collaboration, and voice and video calls specifically configured to allow for auditing and data preservation. 

Second, organizations should implement policies and procedures to guide the use of encrypted communications. For example, many encrypted communication applications allow users to individually establish time-based purge rules for messages. While valuable for information security, this could render an organization non-compliant with data retention and audit requirements. Where possible, such functions should be disabled for individuals and archiving tools should be in place. Additionally, employees should receive regular training on communications security and regulatory compliance.

Third, a key lesson from Salt Typhoon is that baseline cybersecurity measures still provide meaningful defenses against malicious parties. Cybersecurity measures such as multifactor authentication, use of password managers, encrypting data at rest and in motion, and ensuring that all software and hardware are modern and equipped with the latest updates will give organizations a much stronger cybersecurity posture. 

**Conclusion**

Salt Typhoon underscores the urgent need for organizations to rapidly adopt modern security practices to meet evolving threats. However, in doing so, organizations need to balance the security imperatives with their regulatory obligations. 

**About the Authors**

Co-Leader, Cybersecurity and Data Privacy Practice Group, Buchanan Ingersoll & Rooney

Michael McLaughlin is the co-leader of Buchanan Ingersoll & Rooney’s Cybersecurity and Data Privacy practice group. Michael advises clients in matters involving cybersecurity, public policy, and government relations. Michael helps clients navigate the complexities of cybersecurity, data privacy and the related regulatory landscape. Michael is the co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security.

Jillian Cash, Associate, Corporate Section, Buchanan Ingersoll & Rooney

Jillian Cash is an associate Buchanan’s Corporate Section, where she focuses on a variety of corporate, transactional, and cybersecurity matters.

Kellen Carleton, Associate, Corporate Finance and Technology Group, Buchanan Ingersoll & Rooney

Kellen Carleton is an associate in Buchanan’s Corporate Finance and Technology group where he focuses on a variety of corporate, transactional, and cybersecurity matters.

Salt Typhoon's Impact on the US &amp; Beyond

Android phishing apps are the latest, critical threat for Android users, putting their passwords in danger of new, sneaky tricks of theft.

There are plenty of phish in the sea, and the latest ones have little interest in your email inbox.

In 2024, Malwarebytes detected more than 22,800 phishing apps on Android, according to the recent 2025 State of Malware report. Of those malicious apps, 5,200 could subvert one of the strongest security practices available today, called “multifactor authentication,” by prying into basic text messages sent to a device. Another 4,800 could even read information from an Android device’s “Notifications” bar to obtain the same info.

These “Android phishing apps” may sound high-tech, but they are not. They don’t crack into password managers or spy on passwords entered for separate apps. Instead, they present a modern wrapper on a classic form of theft: Phishing.

By disguising themselves as legitimate apps—including for services like TikTok, Spotify, and WhatsApp—Android phishing apps can trick victims into typing in their real usernames and passwords on bogus login screens that are controlled entirely by cybercriminals. If enough victims unwittingly send their passwords, the cyber thieves may even bundle the login credentials for sale on the dark web. Once the passwords are sold, the new, malicious owners will attempt to use individual passwords for a variety of common online accounts—testing whether, say, an email account password is the same one used for a victim’s online banking system, their mortgage payment platform, or their Social Security portal.

The volume of these apps and their capabilities underscore the importance of securing yourself and your devices. With vigilance, safe behavior, and some extra support, you can avoid Android phishing apps and protect your accounts from cybercriminals.

****Same trick, new delivery****

For more than a decade, phishing was often understood as an email threat. Cybercriminals would send emails disguised as legitimate communications from major businesses, such as Netflix, Uber, Instagram, Google, and more. These emails would frequently warn recipients about a problem with their accounts—a password needed to be updated, or a policy change required a login.

But when victims followed the links within these malicious emails, they’d be brought to a website that, while appearing genuine, would actually be in complete control of cybercriminals. Fooled by similar color schemes, company logos, and familiar layouts, victims would “log in” to their account by entering their username and password. In reality, those usernames and passwords would just be delivered to cybercriminals on the other side of the website.

There never was a problem with a user’s account, and there never was a real request for information from the company. Instead, the entire back-and-forth was a charade.

Over time, phishing emails have advanced—cybercriminals have stolen credit card details by posing as charities—but so, too, have phishing protections from major email providers, sending many cybercriminal efforts into people’s “spam” inboxes, where the emails are, thankfully, never retrieved.

But last year, cybercriminals focused on a new avenue for phishing. They started developing entire mobile apps on Android that could provide the same level of theft.

The lure that convinces people to download these apps varies.

Some Android phishing apps are disguised as regular videogames or utilities which may ask users to connect with a separate social media account for the primary app to function. The requests are bogus and simply a method for harvesting passwords. Other Android phishing apps pose as popular apps, including TikTok, WhatsApp, and Spotify. These decoy apps are often hosted on less popular mobile app stores, as the protections of the Google Play store often flag and remove these apps, should they ever sneak onto the marketplace.

Here, cybercriminals have again found loopholes.

Malwarebytes discovered Android phishing apps last year that do not contain any code—or programmatic “instructions”—to steal passwords. Instead, the apps merely serve ads that, if clicked, send victims to external websites that do all the cybercriminal work outside of the app. These “benign” apps have a better chance of being hosted on legitimate mobile app stores, which gives them greater visibility amongst everyday people, and thus, more chances to steal information.

Most concerning, though, is the recent development from Android phishing apps that pierces one of the strongest security practices in use today: multifactor authentication.

Multifactor authentication is a security measure offered by most major online platforms including banks, retirement systems, social media companies, email providers, and more. With multifactor authentication, a username and password are no longer enough to sign into an account. Instead, the platform will send a separate “code,” typically a six-digit number, that the user must also enter to complete the login process. This code is often sent as a text message directly to the user, who has registered their phone number with the platform.

But now, multifactor authentication codes can also be stolen by Android phishing apps.

Last year, Malwarebytes found 5,200 apps that could steal these codes either by cracking directly into certain text messages or by stealing information from a device’s “Notifications” bar, which can deliver timely summaries or prompts for many apps.

This does not make multifactor authentication useless. Instead, it emphasized a more holistic approach to cybersecurity that, at the very least, includes multifactor authentication.

****Staying safe from Android phishing apps****

Android phishing apps are simple, effective, and hard to spot to the naked eye. But there are behaviors and tools that can help keep you and your accounts safe.

To protect yourself from Android phishing apps:

*   Use mobile security software that detects and stops Android phishing apps from ever being installed on your Android device.
*   Before downloading any apps, you should look at the number of reviews. A low number of reviews may signal a decoy app.
*   Most people will only ever need to download Android apps directly from the Google Play Store. Be wary of other app stores or marketplaces, and never download a mobile app directly from a website.
*   Use a password manager to create and manage unique passwords for every single account. That way, if one password is stolen, it cannot be abused to open other online accounts.
*   Use multifactor authentication on your most sensitive accounts, including your financial, email, social media, healthcare, and government platforms (such as any accounts you use to file taxes).

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Phishing evolves beyond email to become latest Android app threat 

The SAP Approuter Node.js package version v16.7.1 and before is vulnerable to Authentication bypass. When trading an authorization code, an attacker can steal the session of the victim by injecting malicious payload, causing High impact on confidentiality and integrity of the application.

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.

Attack complexity: More severe for the least complex attacks.

Privileges required: More severe if no privileges are required.

User interaction: More severe when no user interaction is required.

Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.

Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.

Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.

Availability: More severe when the loss of impacted component availability is highest.

GHSA-cpfx-964w-4jvp: Authentication bypass in @sap/approuter

Wired reported this week that a 19-year-old working for Elon Musk's so-called Department of Government Efficiency (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today's story explores, the DOGE teen is a former denizen of 'The Com,' an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

_Wired_ reported this week that a 19-year-old working for **Elon Musk**‘s so-called **Department of Government Efficiency** (DOGE) was given access to sensitive US government systems even though his past association with cybercrime communities should have precluded him from gaining the necessary security clearances to do so. As today’s story explores, the DOGE teen is a former denizen of ‘**The Com**,’ an archipelago of Discord and Telegram chat channels that function as a kind of distributed cybercriminal social network for facilitating instant collaboration.

Since President Trump’s second inauguration, Musk’s DOGE team has gained access to a truly staggering amount of personal and sensitive data on American citizens, moving quickly to seize control over databases at the **U.S. Treasury**, the **Office of Personnel Management**, the **Department of Education**, and the **Department of Health and Human Resources**, among others.

_Wired_ first reported on Feb. 2 that one of the technologists on Musk’s crew is a 19-year-old high school graduate named **Edward Coristine**, who reportedly goes by the nickname “Big Balls” online. One of the companies Coristine founded, **Tesla.Sexy LLC**, was set up in 2021, when he would have been around 16 years old.

“Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains,” _Wired_ reported. “One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.”

Mr. Coristine has not responded to requests for comment. In a follow-up story this week, _Wired_ found that someone using a Telegram handle tied to Coristine solicited a DDoS-for-hire service in 2022, and that he worked for a short time at a company that specializes in protecting customers from DDoS attacks.

A profile photo from Coristine’s WhatsApp account.

Internet routing records show that Coristine runs an Internet service provider called **Packetware** (AS400495). Also known as “**DiamondCDN**,” Packetware currently hosts tesla\[.\]sexy and diamondcdn\[.\]com, among other domains.

DiamondCDN was advertised and claimed by someone who used the nickname “**Rivage**” on several Com-based Discord channels over the years. A review of chat logs from some of those channels show other members frequently referred to Rivage as “Edward.”

From late 2020 to late 2024, Rivage’s conversations would show up in multiple Com chat servers that are closely monitored by security companies. In November 2022, Rivage could be seen requesting recommendations for a reliable and powerful DDoS-for-hire service.

Rivage made that request in the cybercrime channel “**Dstat**,” a core Com hub where users could buy and sell attack services. Dstat’s website dstat\[.\]cc was seized in 2024 as part of “Operation PowerOFF,” an international law enforcement action against DDoS services.

Coristine’s LinkedIn profile said that in 2022 he worked at an anti-DDoS company called **Path Networks**, which _Wired_ generously described as a “network monitoring firm known for hiring reformed blackhat hackers.” _Wired_ wrote:

“At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees **Eric Taylor**, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.”

The founder of Path is a young man named **Marshal Webb**. I wrote about Webb back in 2016, in a story about a DDoS defense company he co-founded called **BackConnect Security LLC**. On September 20, 2016, KrebsOnSecurity published data showing that the company had a history of hijacking Internet address space that belonged to others.

Less than 24 hours after that story ran, KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen at the time. That sustained attack kept this site offline for nearly 4 days.

The other founder of BackConnect Security LLC was **Tucker Preston**, a Georgia man who pleaded guilty in 2020 to paying a DDoS-for-hire service to launch attacks against others.

The aforementioned Path employee Eric Taylor pleaded guilty in 2017 to charges including an attack on our home in 2013. Taylor was among several men involved in making a false report to my local police department about a supposed hostage situation at our residence in Virginia. In response, a heavily-armed police force surrounded my home and put me in handcuffs at gunpoint before the police realized it was all a dangerous hoax known as “swatting.”

CosmoTheGod rocketed to Internet infamy in 2013 when he and a number of other hackers set up the Web site exposed\[dot\]su, which “doxed” dozens of public officials and celebrities by publishing the address, Social Security numbers and other personal information on the former First Lady Michelle Obama, the then-director of the FBI and the U.S. attorney general, among others. The group also swatted many of the people they doxed.

_Wired_ noted that Coristine only worked at Path for a few months in 2022, but the story didn’t mention why his tenure was so short. A screenshot shared on the website pathtruths.com includes a snippet of conversations in June 2022 between Path employees discussing Coristine’s firing.

According to that record, Path founder Marshal Webb dismissed Coristine for leaking internal documents to a competitor. Not long after Coristine’s termination, someone leaked an abundance of internal Path documents and conversations. Among other things, those chats revealed that one of Path’s technicians was a Canadian man named **Curtis Gervais** who was convicted in 2017 of perpetrating dozens of swatting attacks and fake bomb threats — including at least two attempts against our home in 2014.

A snippet of text from an internal Path chat room, wherein members discuss the reason for Coristine’s termination: Allegedly, leaking internal company information. Source: Pathtruths.com.

On May 11, 2024, Rivage posted on a Discord channel for a DDoS protection service that is chiefly marketed to members of The Com. Rivage expressed frustration with his time spent on Com-based communities, suggesting that its profitability had been oversold.

“I don’t think there’s a lot of money to be made in the com,” Rivage lamented. “I’m not buying Heztner \[servers\] to set up some com VPN.”

Rivage largely stopped posting messages on Com channels after that. _Wired_ reports that Coristine subsequently spent three months last summer working at **Neuralink**, Elon Musk’s brain implant startup.

The trouble with all this is that even if someone sincerely intends to exit The Com after years of consorting with cybercriminals, they are often still subject to personal attacks, harassment and hacking long after they have left the scene.

That’s because a huge part of Com culture involves harassing, swatting and hacking other members of the community. These internecine attacks are often for financial gain, but just as frequently they are perpetrated by cybercrime groups to exact retribution from or assert dominance over rival gangs.

Experts say it is extremely difficult for former members of violent street gangs to gain a security clearance needed to view sensitive or classified information held by the U.S. government. That’s because ex-gang members are highly susceptible to extortion and coercion from current members of the same gang, and that alone presents an unacceptable security risk for intelligence agencies.

And make no mistake: The Com is the English-language cybercriminal hacking equivalent of a violent street gang. KrebsOnSecurity has published numerous stories detailing how feuds within the community periodically spill over into real-world violence.

When Coristine’s name surfaced in _Wired_‘s report this week, members of The Com immediately took notice. In the following segment from a February 5, 2025 chat in a Com-affiliated hosting provider, members criticized Rivage’s skills, and discussed harassing his family and notifying authorities about incriminating accusations that may or may not be true.

> 2025-02-05 16:29:44 UTC vperked#0 they got this nigga on indiatimes man  
> 2025-02-05 16:29:46 UTC alexaloo#0 Their cropping is worse than AI could have done  
> 2025-02-05 16:29:48 UTC hebeatsme#0 bro who is that  
> 2025-02-05 16:29:53 UTC hebeatsme#0 yalla re talking about  
> 2025-02-05 16:29:56 UTC xewdy#0 edward  
> 2025-02-05 16:29:56 UTC .yarrb#0 rivagew  
> 2025-02-05 16:29:57 UTC vperked#0 Rivarge  
> 2025-02-05 16:29:57 UTC xewdy#0 diamondcdm  
> 2025-02-05 16:29:59 UTC vperked#0 i cant spell it  
> 2025-02-05 16:30:00 UTC hebeatsme#0 rivage  
> 2025-02-05 16:30:08 UTC .yarrb#0 yes  
> 2025-02-05 16:30:14 UTC hebeatsme#0 i have him added  
> 2025-02-05 16:30:20 UTC hebeatsme#0 hes on discord still  
> 2025-02-05 16:30:47 UTC .yarrb#0 hes focused on stroking zaddy elon  
> 2025-02-05 16:30:47 UTC vperked#0 https://en.wikipedia.org/wiki/Edward\_Coristine  
> 2025-02-05 16:30:50 UTC vperked#0 no fucking way  
> 2025-02-05 16:30:53 UTC vperked#0 they even made a wiki for him  
> 2025-02-05 16:30:55 UTC vperked#0 LOOOL  
> 2025-02-05 16:31:05 UTC hebeatsme#0 no way  
> 2025-02-05 16:31:08 UTC hebeatsme#0 hes not a good dev either  
> 2025-02-05 16:31:14 UTC hebeatsme#0 like????  
> 2025-02-05 16:31:22 UTC hebeatsme#0 has to be fake  
> 2025-02-05 16:31:24 UTC xewdy#0 and theyre saying ts  
> 2025-02-05 16:31:29 UTC xewdy#0 like ok bro  
> 2025-02-05 16:31:51 UTC .yarrb#0 now i wanna know what all the other devs are like…  
> 2025-02-05 16:32:00 UTC vperked#0 “\`Coristine used the moniker “bigballs” on LinkedIn and @Edwardbigballer on Twitter, according to The Daily Dot.\[“\`  
> 2025-02-05 16:32:05 UTC vperked#0 LOL  
> 2025-02-05 16:32:06 UTC hebeatsme#0 lmfaooo  
> 2025-02-05 16:32:07 UTC vperked#0 bro  
> 2025-02-05 16:32:10 UTC hebeatsme#0 bro  
> 2025-02-05 16:32:17 UTC hebeatsme#0 has to be fake right  
> 2025-02-05 16:32:22 UTC .yarrb#0 does it mention Rivage?  
> 2025-02-05 16:32:23 UTC xewdy#0 He previously worked for NeuraLink, a brain computer interface company led by Elon Musk  
> 2025-02-05 16:32:26 UTC xewdy#0 bro what  
> 2025-02-05 16:32:27 UTC alexaloo#0 I think your current occupation gives you a good insight of what probably goes on  
> 2025-02-05 16:32:29 UTC hebeatsme#0 bullshit man  
> 2025-02-05 16:32:33 UTC xewdy#0 this nigga got hella secrets  
> 2025-02-05 16:32:37 UTC hebeatsme#0 rivage couldnt print hello world  
> 2025-02-05 16:32:42 UTC hebeatsme#0 if his life was on the line  
> 2025-02-05 16:32:50 UTC xewdy#0 nigga worked for neuralink  
> 2025-02-05 16:32:54 UTC hebeatsme#0 bullshit  
> 2025-02-05 16:33:06 UTC Nashville Dispatch ##0000 ||@PD Ping||  
> 2025-02-05 16:33:07 UTC hebeatsme#0 must have killed all those test pigs with some bugs  
> 2025-02-05 16:33:24 UTC hebeatsme#0 ur telling me the rivage who failed to start a company  
> 2025-02-05 16:33:28 UTC hebeatsme#0 https://cdn.camp  
> 2025-02-05 16:33:32 UTC hebeatsme#0 who didnt pay for servers  
> 2025-02-05 16:33:34 UTC hebeatsme#0 ?  
> 2025-02-05 16:33:42 UTC hebeatsme#0 was too cheap  
> 2025-02-05 16:33:44 UTC vperked#0 yes  
> 2025-02-05 16:33:50 UTC hebeatsme#0 like??  
> 2025-02-05 16:33:53 UTC hebeatsme#0 it aint adding up  
> 2025-02-05 16:33:56 UTC alexaloo#0 He just needed to find his calling idiot.  
> 2025-02-05 16:33:58 UTC alexaloo#0 He found it.  
> 2025-02-05 16:33:59 UTC hebeatsme#0 bro  
> 2025-02-05 16:34:01 UTC alexaloo#0 Cope in a river dude  
> 2025-02-05 16:34:04 UTC hebeatsme#0 he cant make good money right  
> 2025-02-05 16:34:08 UTC hebeatsme#0 doge is about efficiency  
> 2025-02-05 16:34:11 UTC hebeatsme#0 he should make $1/he  
> 2025-02-05 16:34:15 UTC hebeatsme#0 $1/hr  
> 2025-02-05 16:34:25 UTC hebeatsme#0 and be whipped for better code  
> 2025-02-05 16:34:26 UTC vperked#0 prolly makes more than us  
> 2025-02-05 16:34:35 UTC vperked#0 with his dad too  
> 2025-02-05 16:34:52 UTC hebeatsme#0 time to report him for fraud  
> 2025-02-05 16:34:54 UTC hebeatsme#0 to donald trump  
> 2025-02-05 16:35:04 UTC hebeatsme#0 rivage participated in sim swap hacks in 2018  
> 2025-02-05 16:35:08 UTC hebeatsme#0 put that on his wiki  
> 2025-02-05 16:35:10 UTC hebeatsme#0 thanks  
> 2025-02-05 16:35:15 UTC hebeatsme#0 and in 2021  
> 2025-02-05 16:35:17 UTC hebeatsme#0 thanks  
> 2025-02-05 16:35:19 UTC chainofcommand#0 i dont think they’ll care tbh

Given the speed with which Musk’s DOGE team was allowed access to such critical government databases, it strains credulity that Coristine could have been properly cleared beforehand. After all, he’d recently been dismissed from a job _for allegedly leaking internal company information to outsiders_.

According to the national security adjudication guidelines (PDF) released by the **Director of National Intelligence** (DNI), eligibility determinations take into account a person’s stability, trustworthiness, reliability, discretion, character, honesty, judgement, and ability to protect classified information.

The DNI policy further states that “eligibility for covered individuals shall be granted only when facts and circumstances indicate that eligibility is clearly consistent with the national security interests of the United States, and any doubt shall be resolved in favor of national security.”

On Thursday, 25-year-old DOGE staff member **Marko Elez** resigned after being linked to a deleted social media account that advocated racism and eugenics. Elez resigned after _The Wall Street Journal_ asked the White House about his connection to the account.

“Just for the record, I was racist before it was cool,” the account posted in July. “You could not pay me to marry outside of my ethnicity,” the account wrote on X in September. “Normalize Indian hate,” the account wrote the same month, in reference to a post noting the prevalence of people from India in Silicon Valley.

Elez’s resignation came a day after the Department of Justice agreed to limit the number of DOGE employees who have access to federal payment systems. The DOJ said access would be limited to two people, Elez and **Tom Krause**, the CEO of a company called Cloud Software Group.

Earlier today, Musk said he planned to rehire Elez after **President Trump** and **Vice President JD Vance** reportedly endorsed the idea. Speaking at The White House today, Trump said he wasn’t concerned about the security of personal information and other data accessed by DOGE, adding that he was “very proud of the job that this group of young people” are doing.

A White House official told _Reuters_ on Wednesday that Musk and his engineers have appropriate security clearances and are operating in “full compliance with federal law, appropriate security clearances, and as employees of the relevant agencies, not as outside advisors or entities.”

_NPR_ reports Trump added that his administration’s cost-cutting efforts would soon turn to the Education Department and the Pentagon, “where he suggested without evidence that there could be ‘trillions’ of dollars in wasted spending within the $6.75 trillion the federal government spent in fiscal year 2024.”

GOP leaders in the Republican-controlled House and Senate have largely shrugged about Musk’s ongoing efforts to seize control over federal databases, dismantle agencies mandated by Congress, freeze federal spending on a range of already-appropriated government programs, and threaten workers with layoffs.

Meanwhile, multiple parties have sued to stop DOGE’s activities. ABC News says a federal judge was to rule today on whether DOGE should be blocked from accessing Department of Labor records, following a lawsuit alleging Musk’s team sought to illegally access highly sensitive data, including medical information, from the federal government.

At least 13 state attorney general say they plan to file a lawsuit to stop DOGE from accessing federal payment systems containing Americans’ sensitive personal information, reports _The Associated Press_.

Reuters reported Thursday that the U.S. Treasury Department had agreed not to give Musk’s team access to its payment systems while a judge is hearing arguments in a lawsuit by employee unions and retirees alleging Musk illegally searched those records.

_Ars Technica_ writes that The Department of Education (DoE) was sued Friday by a California student association demanding an “immediate stop” to DOGE’s “unlawfully” digging through student loan data to potentially dismantle the DoE.

Tag

#sap