This week’s news shows cyber risk entering a more dangerous phase. In France, the Waltio breach demonstrated how leaked crypto data can place individuals at physical risk, prompting officials to warn that such exposure could enable wrench attacks that target people.
The Treasury’s decision to cut ties with Booz Allen showed how weak safeguards that leave data exposed can ultimately lead to contract termination.
A cyberattack on the French cryptocurrency tax platform Waltio exposed data of about 50,000 users, primarily based in France, including information used for crypto tax reporting. Shiny Hunters claimed responsibility and contacted Waltio after the intrusion. Officials warned that leaked names and wallet details could enable “wrench attacks” and cautioned against fake security checks designed to steal digital assets. A wrench attack is a form of cryptocurrency extortion where criminals use physical force, in the form of assault, kidnapping, or threats against family members, to force victims to transfer cryptocurrency from their wallets.
The U.S. Department of the Treasury canceled all 31 active contracts with government contractor Booz Allen Hamilton on January 26, 2026. The move stems from an insider breach involving a former Booz Allen contractor. Between 2018 and 2020, Charles Edward Littlejohn unlawfully accessed and disclosed IRS tax return information. Treasury said the decision followed failures to implement adequate safeguards to protect sensitive taxpayer data accessed through IRS contracts. The IRS later determined the breach affected approximately 406,000 taxpayers.
Fortinet disclosed a critical FortiCloud SSO authentication bypass vulnerability that was actively exploited in the wild. The flaw allowed attackers with FortiCloud accounts to access devices registered to other customer environments. Fortinet said two malicious FortiCloud accounts were used and were locked after detection. Attackers were observed downloading configuration files and creating local admin accounts for persistence. The company temporarily disabled FortiCloud SSO before re-enabling it with restrictions blocking vulnerable versions.
CISA’s acting director uploaded restricted documents to ChatGPT, triggering security alerts, anonymous internal claims, and a DHS response amid leadership uncertainty. The documents were marked for official use only, though they were not classified. The uploads prompted a DHS-led review to assess potential security impact. CISA said the acting director had temporary, approved access to the AI tool with controls in place. Anonymous officials criticized the decision, while DHS disputed internal claims.
A U.S.-based fintech has linked its ransomware breach to compromised firewall configuration data. The firm said attackers used credentials obtained through a vendor’s cloud backup service. The access enabled ransomware deployment and the theft of sensitive consumer banking data. The breach affected customers of hundreds of banks and credit unions nationwide. The firewall provider has disputed a confirmed link between the two incidents. The case highlights growing supply-chain risks tied to security infrastructure vendors.
A network disruption forced parts of New Britain City Hall offline early Wednesday. City officials said internal systems were disconnected while police and fire services continued operating. The incident was detected around 5:00 a.m., triggering response protocols. Officials have not confirmed data theft, but the city said describing the incident as a cyberattack is reasonable.
A coordinated set of cybersecurity and law enforcement actions unfolded this week, marked by the disruption of the IPIDEA residential proxy network, arrests linked to swatting incidents, and guilty pleas in major darknet marketplace cases. Industry partners said the proxy disruption reduced the pool of devices used to mask malicious activity, affecting hundreds of tracked threat groups. Separately, authorities in Hungary and Romania arrested suspects linked to false emergency threats impacting public and residential sites. In the United States, operators connected to the Empire and Kingdom darknet markets admitted to running platforms used for illicit trade. The developments coincided with the launch of a federal cyber resilience campaign urging stronger authentication, patching, and backup practices, highlighting an intensified focus on coordinated cyber defense and enforcement.
Security researchers have identified an ongoing campaign exploiting publicly exposed AI systems to hijack large language models. The activity targets misconfigured LLM inference services and Model Context Protocol servers that lack proper access controls. Investigators recorded 35,000 attack sessions over several weeks, indicating systematic scanning. Stolen access is used to generate unauthorized AI requests, resell discounted API usage, and explore connected internal systems. Beyond compute costs, compromised endpoints can expose sensitive data stored in AI context windows.
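One way a defender can spot the pattern described above in their own gateway logs, as an added example that is not part of the original report: count successful, unauthenticated requests to LLM inference and MCP endpoints per source address, and flag any source that drives unauthenticated MCP tool execution. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the page) for a gateway that fronts
# both an OpenAI-style inference API and an MCP server.
# Format per line: client_ip method path http_status auth_method
SAMPLE_LOG = """\
203.0.113.5 POST /v1/chat/completions 200 none
203.0.113.5 POST /v1/chat/completions 200 none
203.0.113.5 GET /mcp/tools/list 200 none
203.0.113.5 POST /mcp/tools/call 200 none
198.51.100.7 POST /v1/chat/completions 200 bearer
198.51.100.9 GET /v1/models 200 none
198.51.100.9 GET /mcp/tools/list 200 none
"""

# Paths that should never answer 2xx without an authenticated caller.
LLM_PATHS = re.compile(r"^/(v1/(chat/completions|completions|models)|mcp/)")

def parse(log):
    """Yield one dict per log line; assumes the constructed 5-field format."""
    for line in log.splitlines():
        ip, method, path, status, auth = line.split()
        yield {"ip": ip, "method": method, "path": path,
               "status": int(status), "auth": auth}

def find_unauthenticated_hits(log):
    """(ip, path) for every 2xx response on an LLM/MCP path with no auth."""
    return [(e["ip"], e["path"]) for e in parse(log)
            if LLM_PATHS.match(e["path"]) and e["auth"] == "none"
            and 200 <= e["status"] < 300]

def flag_abuse(log, threshold=3):
    """Per source IP: number of unauthenticated hits, whether it executed an
    MCP tool, and a flag when either the count reaches the threshold
    (systematic probing) or a tool call occurred (reach into connected systems)."""
    counts = defaultdict(int)
    tool_callers = set()
    for ip, path in find_unauthenticated_hits(log):
        counts[ip] += 1
        if path.startswith("/mcp/tools/call"):
            tool_callers.add(ip)
    return {ip: {"hits": n, "tool_call": ip in tool_callers,
                 "flag": n >= threshold or ip in tool_callers}
            for ip, n in counts.items()}
```

Any entry that appears here at all means the endpoint accepted an unauthenticated request, which is itself the misconfiguration to fix; the flag only ranks which sources to look at first.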
The Aisuru botnet carried out a DDoS attack that peaked at 31.4 Tbps and 200 million requests per second, marking the largest publicly disclosed attack to date. The campaign targeted multiple organizations, mainly in the telecommunications sector, and was detected and mitigated in December. The botnet relies on compromised consumer devices, including Android TVs, and has previously been linked to attacks reaching 29.7 Tbps.
U.S. and Bulgarian law enforcement seized three U.S.-registered domains allegedly distributing pirated movies, TV shows, software, and games across the European Union. Authorities said the sites received tens of millions of annual visits, generated millions of downloads, and earned substantial advertising revenue. The domains, zamunda.net, arenabg.com, and zelka.org, are now under U.S. government custody and display federal seizure notices warning that willful copyright infringement is a crime.
Bugcrowd’s report, based on over 2,000 ethical security researchers, reveals a global hacking community that is capable but not connected to organizations. The largest concentrations of ethical hackers are in India, followed by Bangladesh, Egypt, the United States, Pakistan, Nigeria, Nepal, Kenya, Indonesia, and Turkey. Despite this scale, 65% of researchers said they have withheld vulnerability disclosures because organizations lacked clear reporting pathways.
The cyber ecosystem is under constant pressure, where disruption is frequent but institutional response seems uneven. Internal lapses continued to expose weaknesses across the supply chain, as incidents traced back to vendors and shared infrastructure. Threat actors shifted targets across sectors, disrupting services but failing to halt essential operations.
All this occurred alongside coordinated law enforcement actions targeting criminal networks. Proxy network disruptions, darknet marketplace guilty pleas across Europe, and joint U.S.–Bulgarian seizures of major piracy infrastructure reflected sustained enforcement activity.
AI-driven abuse continued to evolve in parallel. LLMjacking campaigns targeted AI systems, while the Aisuru botnet’s record-scale DDoS activity demonstrated the growing capacity of distributed infrastructure.
As staffing gaps persist, global ethical hacking capacity continues to grow, but access remains uneven, leaving many skilled researchers outside formal roles. Perhaps it is time to consider the missed opportunities to better integrate independent talent into defensive efforts.