Agentic AI adoption and identity security risks, IGA expands in mid-market, SOC-identity team collaboration, and identity platform consolidation—this 2026 predictions post previews identity trends.

Identity Security 2026: Four Predictions &amp; Recommendations

Concerns about an economic bubble bursting, along with doubts regarding return on investment, suggest the tide may be turning for the artificial intelligence industry.

Contrarians No More: AI Skepticism Is on the Rise

IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application.
The vulnerability, tracked as CVE-2025-13915, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw.
"IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain

API Security / Vulnerability

IBM has disclosed details of a critical security flaw in API Connect that could allow attackers to gain remote access to the application.

The vulnerability, tracked as **CVE-2025-13915**, is rated 9.8 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an authentication bypass flaw.

"IBM API Connect could allow a remote attacker to bypass authentication mechanisms and gain unauthorized access to the application," the tech giant said in a bulletin.

The shortcoming affects the following versions of IBM API Connect -

*   10.0.8.0 through 10.0.8.5
*   10.0.11.0

Customers are advised to follow the steps outlined below -

*   Download the fix from Fix Central
*   Extract the files: Readme.md and ibm-apiconnect-<version>-ifix.13195.tar.gz
*   Apply the fix based on the appropriate API Connect version

"Customers unable to install the interim fix should disable self-service sign-up on their Developer Portal if enabled, which will help minimise their exposure to this vulnerability," the company added.

API Connect is an end-to-end application programming interface (API) solution that allows organizations to create, test, manage, and secure APIs located on cloud and on-premises. It's used by companies like Axis Bank, Bankart, Etihad Airways, Finologee, IBS Bulgaria, State Bank of India, Tata Consultancy Services, and TINE.

While there is no evidence of the vulnerability being exploited in the wild, users are advised to apply the fixes as soon as possible for optimal protection.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

IBM Warns of Critical API Connect Bug Allowing Remote Authentication Bypass

Cybersecurity researchers have disclosed details of what appears to be a new strain of Shai Hulud on the npm registry with slight modifications from the previous wave observed last month.
The npm package that embeds the novel Shai Hulud strain is "@vietmoney/react-big-calendar," which was uploaded to npm back in March 2021 by a user named "hoquocdat." It was updated for the first time on

Cybersecurity researchers have disclosed details of what appears to be a new strain of Shai Hulud on the npm registry with slight modifications from the previous wave observed last month.

The npm package that embeds the novel Shai Hulud strain is "@vietmoney/react-big-calendar," which was uploaded to npm back in March 2021 by a user named "hoquocdat." It was updated for the first time on December 28, 2025, to version 0.26.2. The package has been downloaded 698 times since its initial publication. The latest version has been downloaded 197 times.

Aikido, which spotted the package, said it has not spotted any major spread or infections following the release of the package.

"This suggests we may have caught the attackers testing their payload," security researcher Charlie Eriksen said. "The differences in the code suggests that this was obfuscated again from the original source, not modified in place. This makes it highly unlikely to be a copy-cat, but was made by somebody who had access to the original source code for the worm."

The Shai-Hulud attack first came to light in September 2025, when trojanized npm packages were found stealing sensitive data like API keys, cloud credentials, and npm and GitHub tokens, and exfiltrating them to GitHub repositories using the pilfered tokens. In the second wave spotted in November 2025, the repositories contained the description "Sha1-Hulud: The Second Coming."

But the most important aspect of the campaign is its ability to weaponize the npm tokens to fetch 100 other most-downloaded packages associated with the developer, introduce the same malicious changes, and push them to npm, thereby expanding the scale of the supply chain compromise in a worm-like manner.

The new strain comes with noticeable changes -

*   The initial file is now called "bun\_installer.js" and the main payload is referred to as "environment\_source.js"
*   The GitHub repositories to which the secrets are leaked feature the description "Goldox-T3chs: Only Happy Girl."
*   The names of files that contain the secrets are: 3nvir0nm3nt.json, cl0vd.json, c9nt3nts.json, pigS3cr3ts.json, and actionsSecrets.json
*   The removal of "dead man switch" that resulted in the execution of a wiper if no GitHub or npm tokens were found to abuse for data exfiltration and self-replication

Other important modifications include better error handling when TruffleHog's credential scanner times out, improved operating system-based package publishing, and tweaks to the order in which data is collected and saved.

**Fake Jackson JSON Maven Package Drops Cobalt Strike Beacon**

The development comes as the supply chain security company said it identified a malicious package ("org.fasterxml.jackson.core/jackson-databind") on Maven Central that poses as a legitimate Jackson JSON library extension ("com.fasterxml.jackson.core"), but incorporates a multi-stage attack chain that delivers platform-specific executables. The package has since been taken down.

Present within the Java Archive (JAR) file is heavily obfuscated code that kicks into action once an unsuspecting developer adds the malicious dependency to their "pom.xml" file.

"When the Spring Boot application starts, Spring scans for @Configuration classes and finds JacksonSpringAutoConfiguration," Eriksen said. "The @ConditionalOnClass({ApplicationRunner.class}) check passes (ApplicationRunner is always present in Spring Boot), so Spring registers the class as a bean. The malware's ApplicationRunner is invoked automatically after the application context loads. No explicit calls required."

The malware then looks for a file named ".idea.pid" in the working directory. The choice of the file name is intentional and is designed to blend in with IntelliJ IDEA project files. Should such a file exist, it's a signal to the malware that an instance of itself is already running, causing it to silently exit.

In the next step, the malware proceeds to check the operating system and contact an external server ("m.fasterxml\[.\]org:51211") to fetch an encrypted response containing URLs to a payload to be downloaded based on the operating system. The payload is a Cobalt Strike beacon, a legitimate adversary simulation tool that can be abused for post-exploitation and command-and-control.

On Windows, it's configured to download and execute a file called "svchosts.exe" from "103.127.243\[.\]82:8000," while a payload referred to as "update" is downloaded from the same server for Apple macOS systems.

Further analysis has revealed that the typosquatted domain fasterxml\[.\]org was registered via GoDaddy on December 17, 2025, merely a week before the malicious Maven package was detected.

"This attack exploited a specific blind spot: TLD-style prefix swaps in Java's reverse-domain namespace convention," Eriksen said. "The legitimate Jackson library uses com.fasterxml.jackson.core, while the malicious package used org.fasterxml.jackson.core."

The problem, Aikido said, stems from Maven Central's inability to detect copycat packages that employ similar prefixes as their legitimate counterparts to deceive developers into downloading them. It's recommending that the package repository maintainers consider flagging such packages for review, and maintaining a list of high-value namespaces and subject any package published under similar-looking namespaces to additional verification to ensure they are legitimate.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Researchers Spot Modified Shai-Hulud Worm Testing Payload on npm Registry

Can you trust your cybersecurity team? A recent federal case reveals how two US-based cybersecurity experts turned into affiliates for the BlackCat ransomware group, extorting over $1.2M in Bitcoin. Read the full story on their 2023 crime spree.

Two Americans who built their careers protecting companies from online threats have admitted to doing the exact opposite. Ryan Goldberg, 40, of Georgia, and Kevin Martin, 36, of Texas, pleaded guilty in a Florida federal court this week after they were caught using their professional skills to carry out a string of extortion attacks for the ALPHV (aka BlackCat) ransomware gang throughout 2023.

****Millions in Ransom Collected****

In December 2023, the FBI disrupted the ALPHV ransomware gang. Investigations revealed that Goldberg and Martin operated as “affiliates” for the group. This group uses a ransomware-as-a-service (RaaS) model, where the BlackCat developers provided the malicious software and the platform, while the affiliates (in this case, Goldberg and Martin) identified and attacked the victims.

In exchange, they paid the BlackCat administrators a 20% cut of any money they stole. While these two men focused on targets within the US, the ALPHV BlackCat group was a global menace, hitting over 1,000 victims worldwide, the US Department of Justice’s press release noted.

The scheme proved to be highly lucrative; the group successfully attacked multiple victims across the US. In one of their most profitable hits, the men successfully extorted approximately $1.2 million in Bitcoin from a single company.

After paying the 20% fee to the software creators, the men split the remaining 80% and used various methods to launder the money to hide their tracks. According to court records, the total losses caused by their crimes exceeded $9.5 million.

The seized dark web leak site of the ALPHV Ransomware gang (Screenshot credit: Hackread.com)

****A Betrayal of Trust****

What makes this story hard to believe is that while the pair was attacking businesses, they were also working day jobs at elite firms dedicated to stopping cybercrime. Goldberg was a manager at Sygnia, a firm that helps companies recover after hacking, and Martin worked as a negotiator at DigitalMint, helping victims talk down extortionists.

This means they had insider knowledge of how companies defend themselves, which they used to bypass security. As Assistant Attorney General A. Tysen Duva pointed out that the pair used their experience to carry out crimes “they should have been working to stop.”

The FBI’s Miami Field Office led the probe that eventually brought the operation to an end, and Goldberg and Martin are now facing the long-term reality of their choices. Each has pleaded guilty to conspiracy to affect commerce by extortion. They are currently scheduled for sentencing on March 12, 2026, and face a maximum penalty of 20 years in prison.

2 US Cybersecurity Experts Guilty of Extortion Scheme for ALPHV Ransomware

Korean Air confirms a major data leak affecting 30,000 staff members after the Cl0p gang targeted a catering partner. Learn what data was stolen and the airline’s response to secure its data.

In a worrying turn of events for the aviation industry, Korean Air has confirmed that the personal details of roughly 30,000 current and former employees have been stolen. This news, shared on December 29, 2025, follows a similar security problem at South Korea’s Asiana Airlines earlier this month, where 10,000 staff records were compromised.

****How did the breach happen?****

Korea JoongAng Daily reports that the data was not taken directly from Korean Air’s main systems. Instead, the hackers targeted a company called KC&D Service (Korean Air Catering & Duty-Free).

This company used to be a division of Korean Air but was sold to a private investment group named Hahn & Company in 2020. Despite the sale, KC&D still handles in-flight meals and duty-free goods for the airline, and Korean Air still holds a 20% stake in the business.

“KC&D Service (KC&D)\*, an in-flight meal and in-flight sales company that was spun off from our company in 2020 and operates as a separate entity, was recently attacked by an external hacker group. It is understood that during this process, the personal information (names, account numbers) of our employees stored on that company’s ERP server was leaked,” the notice reads.

Official breach notice from Korean Air (source: Korea JoongAng Daily)

The attackers, reportedly, broke into KC&D’s ERP server (the main system used to manage company resources), likely by exploiting a vulnerability in a popular business software called Oracle E-Business Suite (EBS).

This specific vulnerability, tracked as CVE-2025-61882, may have allowed hackers to bypass security checks and take control of the server without needing a username or password. The same vulnerability had previously allowed attackers to breach Envoy Air, the largest carrier operating under American Airlines.

****Who is Responsible?****

This suspicion arises because the infamous digital extortionist group known as the Cl0p gang has claimed responsibility for this data breach. Hackread.com’s recent reporting reveals that Cl0p, a Russian-speaking gang famous for targeting high-value organisations, has been exploiting this Oracle software flaw since early August.

Korean Air is just one of its many victims as Cl0p has used this same method to target organisations worldwide, including Envoy Air (an American Airlines subsidiary), Harvard University, the University of Pennsylvania, The Washington Post, and Logitech.

In this instance, the group has already started posting nearly 500 GB of stolen files on the dark web because the affected companies refused to pay a ransom.

Cl0p ransomware has leaked ALMOST 456 GB of the Korean Air data (Image credit: Hackread.com)

****What information was taken?****

The stolen data, reportedly, includes very sensitive details like employee names and bank account numbers stored in the company’s resource planning system. While this is a major concern for the staff, the airline has been quick to reassure the public that customer data, such as flight bookings or credit card details, was not affected in this specific incident.

Woo Kee-hong, the vice chairman of Korean Air, sent a personal message to his team explaining that the company is taking the matter “very seriously.”

“Korean Air takes this incident very seriously, especially since it involves employee data, even if it originated from a third-party vendor that was sold off. We are currently focusing all our efforts on identifying the full scope of the breach and who was affected.”

The airline has already finished emergency security updates and cut off digital links with KC&D to stop any more data from leaking. They have also reported the situation to the Korea Internet and Security Agency (KISA), and is now warning employees to be extremely careful about suspicious text messages or emails that might be part of a follow-up scam.

****South Korea and Recent Data Breaches****

South Korea has been the epicentre of large-scale data breaches and cyber attacks. Earlier in December 2025, Coupang, the country’s alternative shopping giant to Amazon, suffered a data breach in which all of its 33.7 million users had their data stolen. Days later, the company’s offices were raided, and its CEO, Park Dae-jun, had to resign.

In May 2025, South Korean telecommunications giant SK Telecom revealed a malware attack that remained hidden for nearly two years, leading to the leaking of 26.69 million IMSI units and 9.82 GB of USIM data.

30,000 Korean Air Employee Records Stolen as Cl0p Leaks Data Online

Government staffing cuts and instability, including this year’s prolonged shutdown, could be hindering US digital defense and creating vulnerabilities.

As the first year of the Trump administration approaches its end, government cybersecurity experts and even some United States government officials are warning that recent White House initiatives—including downsizing and restructuring of the US federal workforce—risk setting the government back on improving and expanding its digital defenses.

For years, the federal government was playing catch-up on cybersecurity, scrambling to replace ancient software, apply security patches to newer systems, and deploy other baseline protections across a massive and disparate population of PCs and other gadgets. With so many agencies and offices that needed upgrading, it was slow going. But as repeated government data breaches drew urgent attention to the issue, and as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency—founded in 2018—established itself during the early 2020s, minimum standards seemed to be rising. Now, with major staffing cuts at CISA and in other key departments across the government, that incremental progress could quickly erode.

“We’ve spent a lot of time trying to encourage the government to do more, and CISA was doing, you know, a better job,” retiring comptroller general Gene Dodaro told the US Senate Committee on Homeland Security and Governmental Affairs on December 16. He added that the Government Accountability Office has “a lot of open recommendations still for them to do. But I’m concerned that we’re taking our foot off the gas at CISA, and I think we’ll live to regret it.”

CISA lost about 1,000 people, more than a third of its staff, as a result of cuts that seemed to be motivated by the Trump administration’s anger about the agency’s election security work. Cybersecurity Dive reported in mid-November that the agency is planning to rebuild in 2026.

“The recent reduction in personnel has limited CISA’s ability to fully support national security imperatives and administration priorities,” acting CISA director Madhu Gottumukkala wrote in a memo to staff at the beginning of November. He added that that agency has “reached a pivotal moment” but is “hampered by an approximately 40 percent vacancy rate across key mission areas.”

When asked for comment about staffing cuts at CISA and the administration’s plans for maintaining and improving federal cybersecurity and critical infrastructure defenses, the White House referred WIRED to the Department of Homeland Security.

CISA director of public affairs Marci McCarthy told WIRED in a statement that the agency is focused on executing its statutory mission. “Claims that staffing adjustments are weakening cybersecurity miss the truth,” she said in the statement. “We are accelerating innovation, deepening operational collaboration, and directing resources where they yield the greatest return.”

This fall’s weekslong government shutdown only added to concerns about the state of federal cybersecurity—creating the possibility of blind spots or gaps in monitoring while so many workers were furloughed and contributing in general to the already extensive IT backlog at agencies across the government.

“Federal IT workers, they are good jobs, there’s not enough resources for the issues that they have to deal with,” one former national security official, who requested anonymity because they are not authorized to speak to the press, told WIRED. “It’s always underfunded. They always have to catch up.”

Amélie Koran, a cybersecurity consultant and former chief enterprise security architect for the Department of Interior, notes that one of the most significant impacts of the shutdown likely involved disrupting, or in some cases potentially ending, relationships with specialized government contractors who may have needed to take other jobs in order to get paid but whose institutional knowledge is difficult to replace.

Koran adds, too, that given the limited scope of the continuing resolution Congress passed to reopen the government, “no new contracts and extensions or options are probably being done, which will cascade to next year and beyond.”

While it is unclear if the shutdown was a contributing factor, the United States Congressional Budget Office said more than five weeks into the ordeal that it had suffered a hack and had taken steps to contain the breach. The Washington Post reported at the time that the agency was infiltrated by a “suspected foreign actor.” And after years of incredibly consequential US government data breaches—including the 2015 Office of Personnel Management hack perpetrated by China and the sprawling, multi-agency breach launched by Russia in 2020 that is often called the SolarWinds hack—experts warn that inconsistent staffing and reduced hiring at key agencies like CISA could have disastrous consequences.

“When, not if, we have a major cybersecurity incident within the federal government, we can’t simply staff up with additional cybersecurity resources after the fact and expect the same outcomes we would get from long-tenured staff,” says Jake Williams, a former NSA hacker and current vice president of research and development at Hunter Strategy.

Brain drain, Williams says, and any loss of momentum on digital defense, is a serious concern for the US.

“On a daily basis I’m worrying that federal cybersecurity and critical infrastructure protection may be backsliding,” Williams says. “We must stay ahead of the curve.”

Fears Mount That US Federal Cybersecurity Is Stagnating—or Worse

Lawmakers enforced age checks, websites blocked entire countries, and users turned to VPNs to get around them.

If 2024 was the year lawmakers talked about online age verification, 2025 was the year they actually flipped the switch.​

In 2025, across parts of Europe and the US, age checks for certain websites (especially pornography) turned long‑running child‑protection debates into real‑world access controls. Overnight, users found entire categories of sites locked behind ID checks, platforms geo‑blocking whole countries, and VPN traffic surging as people tried to get around the new walls.​

From France’s hardline stance on adult sites to the UK’s Online Safety Act, to a patchwork of new rules across multiple US states, these “show me your ID before you browse” systems are reshaping the web. The stated goal is to “protect the children,” but in practice the outcome is frequently a blunt national block, followed by users voting with their VPN buttons.​

**The core tension: safety vs privacy**

The fundamental challenge for websites and services is not checking age in principle, but how to do it without turning everyday browsing into an identity check. Almost every viable method asks users to hand over sensitive data, raising the stakes if (or more likely when) that data leaks in a breach.​

For ordinary users, the result is a confusing mess of blocks, prompts, and workarounds. On paper, countries want better protection for minors. In practice, adults discover that entire platforms are unavailable unless they are prepared to disclose personal information or disguise where they connect from. No website wants to be the one blamed after an age‑verification database is compromised, yet regulators continue to push for stronger identity links.​

**How age checks actually work**

Regulators such as Ofcom publish lists of acceptable age‑verification methods, each with its own privacy and usability trade‑offs. None are perfect, and many shift risk from governments and platforms onto users’ most sensitive personal data.​

*   **Facial age estimation**: Users upload a selfie or short video so an algorithm can guess whether they look over 18, which avoids storing documents but relies on sensitive biometrics and imperfect accuracy.​
*   **Open banking:** An age‑check service queries your bank for a simple “adult or not” answer. It may be convenient on paper but it’s a hard sell when the relying site is an adult platform.​
*   **Digital identity services:** Digital ID wallets can assert “over 18” without exposing full credentials, but they add yet another app and infrastructure layer that must be trusted and widely adopted.​
*   **Credit card checks:** Using a valid payment card as a proxy for adulthood is simple and familiar, but it excludes adults without cards and does not cover lower age thresholds like “over 13.”​
*   **Email‑based estimation:** Systems infer age from where an email address has been used (such as banks or utilities), effectively encouraging cross‑service profiling and “digital snooping.”​
*   **Mobile network checks:** Providers indicate whether an account has age‑related restrictions. This can be fast, but is unreliable for pay‑as‑you‑go accounts, burner SIMs, or poorly maintained records.​
*   **Photo‑ID matching:** Users upload an ID document plus a selfie so systems can match faces and ages. This is effective, but concentrates highly sensitive identity data in yet another attractive target for attackers.​

My personal preference would be **double‑blind verification**: a third‑party provider verifies your age, then issues a simple token like “18+” to sites without revealing your identity or learning which site you visit, offering stronger privacy than most current approaches.​

In almost every case, users must surrender personal information or documents to prove their age, increasing the risk that identity data ends up in the wrong hands. This turns age gates into long‑lived security liabilities rather than temporary access checks.​

**Geoblocking, VPNs, and cross‑border frictions**

Right now, most platforms comply by detecting user location via IP address and then either demanding age checks or denying access entirely to users in specific regions. France’s enforcement actions, for example, led several major adult sites to geo-block the entire country in 2025, while the UK’s Online Safety Act coincided with a sharp rise in VPN use rather than widespread cross-border blocking.

European regulators generally focus on domestic ISPs, Digital Services Act reporting, and large platform fines rather than on filtering traffic from other countries, partly because broad traffic blocking raises net‑neutrality and technical complexity concerns. In the US, some state proposals have explicitly targeted VPN circumventions, signalling a willingness to attack the workarounds rather than the underlying incentives.​

Meanwhile, network‑level filtering vendors advertise “cross‑border” controls and VPN detection for governments, hinting at future scenarios where unregulated inbound flows or anonymity tools are aggressively throttled. If enforcement pressure grows, these capabilities could evolve from niche offerings into standard state infrastructure.​

**A future of less anonymity?**

A common argument is that eroding online anonymity will also curb toxic behavior and abuse on social media, since people act differently when their real‑world identity is at stake. But tying everyday browsing to identity checks risks chilling legitimate speech and exploration long before it delivers any proven civility benefits.​

A world where every connection requires ID is unlikely to arrive overnight. Still, the direction of travel is clear: more countries are normalizing age gates that double as identity checks, and more users are learning to route around them. Unless privacy‑preserving systems like robust double‑blind verification become the norm, age‑verification policies intended to protect children may end up undermining both privacy and open access to information.​

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

**About the author**

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.

 In 2025, age checks started locking people out of the internet 

The United States’ plan for dealing with Putin’s Russia and Xi’s China remains ill-defined among a shifting global order. That must change.

In 2025, American and world leaders were preoccupied with wars in the Middle East. Most dramatically, first Israel and the United States bombed Iran’s nuclear facilities. Some commentators feared that President Trump’s decision to bomb Iran would drag the United States into the “forever wars” in the Middle East that presidential candidate Trump had pledged to avoid. The tragic war in Gaza had become a humanitarian disaster. After years of promising to reduce engagement with the region from Democratic and Republican presidents alike, it appeared that the US was being dragged back into Middle East once again.

I hope that’s not the case. Instead, in 2026, President Trump, his administration, the US Congress, and the American people more generally must realize that the real challenges to the American national interests, the free world, and global order more generally come not from the Middle East but from the autocratic China and Russia. The three-decade honeymoon from great power politics after the collapse of the Soviet Union and the end of the Cold War is over. For the United States to succeed in this new era of great power competition, US strategists must first accurately diagnose the threat and then devise and implement effective prescriptions.

The oversimplified assessment is that we have entered a new Cold War with Xi’s China and his sidekick, Russian leader Vladimir Putin. To be sure, there are some parallels between our current era of great power competition and the Cold War. The balance of power in the world today is dominated by two great powers, the United States and China, much like the United States and the Soviet Union dominated the world during the Cold War. Second, like the contest between communism and capitalism during the last century, there is an ideological conflict between the great powers today. The United States is a democracy. China and Russia are autocracies. Third, at least until the second Trump era, all three of these great powers have sought to propagate and expand their influence globally. That too was the case during the last Cold War.

At the same time, there are also some significant differences. Superimposing the Cold War metaphor to explain everything regarding the US-China rivalry today distorts as much as it illuminates.

First, while the world is dominated by two great powers, the United States remains more powerful than China on many dimensions of power—military, economic, ideological—and especially so when allies are added to the equation. Also different from the Cold War, several mid-level powers have emerged in the global system—Brazil, India, Indonesia, Saudi Arabia, and South Africa, among others—that are not willing to join exclusively the American bloc or the Chinese bloc.

Second, while the ideological dimension of great power competition is real, it is not as intense as the Cold War. The Soviets aimed to spread communism worldwide, including in Europe and the United States. They were willing to deploy the Red Army, provide military and economic assistance, overthrow regimes, and fight proxy wars with the United States to achieve that aim. So far, Xi Jinping and the Communist Party of China have not employed these same aggressive methods to export their model of governance or construct an alternative world order. Putin is much more aggressive in propagating his ideology of illiberal nationalism and seeking to destroy the liberal international order. Thankfully, however, Russia does not have the capabilities of China to succeed in these revisionist aims.

A third difference from the Cold War is the degree of economic connectivity between the United States and China and the global economy. Managing that interdependence prudently, rather than seeking to divide the global economy into red and blue teams again, is a new, unique challenge for American foreign policymakers.

A fourth difference is the degree of polarization among Americans, including on foreign policy issues. During the Cold War, American society did split on America’s role in the world, especially regarding the war in Vietnam. However, a consensus prevailed for most of the Cold War regarding the necessity of containment as a grand strategy for dealing with the Soviet Union. Such widespread agreement about how to deal with China and Russia today does not exist. Some Americans, including President Trump from time to time, even think that Russian dictator Putin should be courted as a friend, not contained as an adversary.

So far in the second Trump administration, American foreign policy thinkers, both inside and outside the government, have not engaged in a serious discussion about a new grand strategy for prevailing in this new era of great power competition with China and Russia. Tragically, the Trump administration hastily destroyed some of America’s most effective instruments of influence for competing with the Soviet Union last century and China this century, including the US Agency for International Development, Voice of America, Radio Free Asia, Radio Free Europe, and the multitudes of American nongovernmental organizations previously engaged in advancing democracy abroad. Trump also has shown no interest in strengthening the multilateral economic organizations—the IMF, the World Bank, the WTO—that proved so pivotal in supporting global capitalism during the Cold War and thereafter. His threats against enduring democratic allies, Canada and Denmark, are exacerbating tensions with our allies when we should be strengthening ties with them to address the autocratic axis of China and Russia. Trump has not even made clear whether he seeks to contain or join forces with Putin. His strategy for dealing with China is also very ill-defined. Some in his administration describe the Communist Party of China as an even greater threat to the United States than the Soviets or the Nazis. However, Trump himself never discusses the ideological or military dimensions of competition with Beijing, and instead talks mostly about striking a big economic deal with Xi. Trump has even authorized the export of sensitive technologies to China, rolling back export restrictions from the Biden era.

The year 2026 should mark the end of this moment of strategic uncertainty regarding America’s foreign policy for competing with China and Russia. At the end of World War II, it took American leaders some time to realize the full dimensions of the new era of great competition—the Cold War. We are at a similar moment in history today. The sooner we engage in a serious debate about American grand strategy in the 21st century, the better.

Discovering the Dimensions of a New Cold War

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Tuesday removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator, from the specially designated nationals list.
The names of the individuals are as follows -

Merom Harpaz
Andrea Nicola Constantino Hermes Gambazzi
Sara Aleksandra Fayssal Hamou

Spyware / Mobile Security

The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) on Tuesday removed three individuals linked to the Intellexa Consortium, the holding company behind a commercial spyware known as Predator, from the specially designated nationals list.

The names of the individuals are as follows -

*   Merom Harpaz
*   Andrea Nicola Constantino Hermes Gambazzi
*   Sara Aleksandra Fayssal Hamou

Hamou was sanctioned by OFAC in March 2024, and Harpaz and Gambazzi were targeted in September 2024 in connection with developing, operating, and distributing Predator. The Treasury's press release does not give any reason as to why they were removed from the list.

However, in a statement shared with Reuters, it said the removal "was done as part of the normal administrative process in response to a petition request for reconsideration." The department added that the individuals had "demonstrated measures to separate themselves from the Intellexa Consortium."

Harpaz is said to be working as a manager of Intellexa S.A., while Gambazzi was identified as the owner of Thalestris Limited and Intellexa Limited. Thalestris, Treasury Department said, held the distribution rights to the spyware, and processed transactions on behalf of other entities within the Intellexa Consortium. It's also the parent company to Intellexa S.A.

Hamou was listed by the Treasury as one of the key enablers of the Intellexa Consortium, working as a corporate off-shoring specialist in charge of providing managerial services, including renting office space in Greece on behalf of Intellexa S.A. It's not known if these individuals are still holding the same positions.

At that time, the agency said the proliferation of commercial spyware presents a growing security risk to the U.S. and its citizens. It called for the need to establish guardrails to ensure the responsible development and use of these technologies while balancing human rights and civil liberties of individuals.

"Any hasty decisions to remove sanctions from individuals involved in attacking U.S. persons and interests risk signaling to bad actors that this behavior may come with little consequences as long as you pay enough \[money\] for fancy lobbyists," said Natalia Krapiva, senior tech legal counsel at Access Now.

The development comes merely weeks after an Amnesty International report revealed that a human rights lawyer from Pakistan's Balochistan province was targeted by a Predator attack attempt via a WhatsApp message.

Active since at least 2019, Predator is designed for stealth, leaving little to no traces of compromise, while harvesting sensitive data from infected devices. It's typically delivered via 1-click or zero-click attack vectors.

Similar to NSO Group's Pegasus, the tool is officially marketed for counterterrorism and law enforcement use. But investigations have revealed a broader pattern of its deployment against civil society figures, including journalists, activists, and politicians.

A Recorded Future analysis of Intellexa's corporate web published this month found continued use of Predator despite increased public reporting and international measures.

"Several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight," the Mastercard-owned company said.

"Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves."

_(The story was updated after publication to include additional information from Reuters.)_

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Latest News