Allegedly responsible for the theft of $1.5 billion in cryptocurrency from a single exchange, North Korea’s TraderTraitor is one of the most sophisticated cybercrime groups in the world.

On February 21, the largest crypto heist ever started to unfold. Hackers gained control of a crypto wallet belonging to the world’s second-largest cryptocurrency exchange, Bybit, and stole almost $1.5 billion of digital tokens. They quickly shunted the money between dozens of cryptocurrency wallets and services to try and obscure the activity, before starting to cash the stolen funds out.

The eye-popping digital raid had all the hallmarks of being conducted by one of North Korea’s elite subgroups of hackers. While Bybit remained solvent by borrowing cryptocurrency and launched a bounty scheme to track down the stolen funds, the FBI quickly pinned the blame on the North Korean hackers known as TraderTraitor.

Before the Bybit heist, TraderTraitor had already been linked to other high-profile cryptocurrency thefts and compromises of supply chain software.

“We were waiting for the next big thing,” says Michael Barnhart, a longtime cybersecurity researcher focused on North Korea and investigator at security firm DTEX Systems. “They didn't go away. They didn’t try to stop. They were clearly plotting and planning—and they’re doing that now,” he says.

North Korea’s hackers—alongside those from China, Russia, and Iran—are consistently considered to be one of the most sophisticated and most dangerous cyber threats to Western democracies. While all of these countries engage in espionage and theft of sensitive data, North Korea’s cyber operations come with their own set of distinct goals: helping to fund the hermit kingdom’s nuclear programs. Increasingly, that means stealing cryptocurrency.

Over at least the past five years, the totalitarian regime of Kim Jong-un has deployed technically skilled IT workers to infiltrate companies around the world and earn wages that can be sent back to the motherland. In some cases, after being fired, those workers extort their former employers by threatening to release sensitive data. At the same time, North Korean hackers, as part of the broad umbrella Lazarus Group, have stolen billions in cryptocurrency from exchanges and companies around the world. TraderTraitor makes up one part of the wider Lazarus group, which is run out of the Reconnaissance General Bureau, the North Korean intelligence agency.

TraderTraitor—which is also referred to as Jade Sleet, Slow Pisces, and UNC4899 by security companies—is primarily interested in cryptocurrency.

“They use a variety of creative techniques to get into blockchain, cryptocurrency, anything that has to do with platforms, trading forums, all of those different things that are around cryptocurrency and decentralized finance,” says Sherrod DeGrippo, the director of threat intelligence strategy at Microsoft. “The Jade Sleet group \[TraderTraitor\] is one of the most sophisticated groups within that echelon,” she says.

TraderTraitor first emerged around the start of 2022, multiple cybersecurity researchers say, and is likely an offshoot of the North Korean APT38 group that hacked the SWIFT financial system and attempted to steal $1 billion from the Central Bank of Bangladesh at the start of 2016. “They walked off with very little money,” says DTEX Systems’s Barnhart. “In that moment you had a real, significant shift.”

Barnhart says North Korea realized that relying on other people—such as money mules—could make their operations less effective. Instead, they could steal cryptocurrency. Two groups emerged from that tactical shift, Barnhart says, CryptoCore and TraderTraitor. “TraderTraitor is the most sophisticated of all,” he says. “And why? Because APT38 was the A team.”

Since then, TraderTraitor has been linked to multiple large-scale cryptocurrency thefts in recent years. For instance, the March 2024 theft of $308 million from Japan-based cryptocurrency company DMM has been linked to TraderTraitor by the FBI, Department of Defense, and police in Japan.

TraderTraitor typically targets people working at Web3 firms using spear-phishing messages—most often, people working on software development. “They know the individuals that work at these companies, they track them, they have profiles on them, they know which trading platforms are doing the most volume. They’re focused on that entire industry, understanding it backwards and forwards,” says Microsoft’s DeGrippo.

GitHub, which is owned by Microsoft, highlighted in July 2023 how TraderTraitor created fake accounts on the coding platform, plus LinkedIn, Slack, and Telegram. The TraderTraitor criminals can create fake personas that they use to message their targets or use real accounts that have been hacked, GitHub’s research says. In that instance, TraderTraitor invited developers to collaborate on GitHub, before ultimately infecting them with malware using malicious code. Recently, security researchers at Palo Alto Networks’ Unit 42 threat intelligence team found 50 North Korean recruiter profiles on LinkedIn and linked them back to TraderTraitor.

The group has been seen using “custom backdoors,” such as PLOTTWIST and TIEDYE, that target macOS, says Adrian Hernandez, a senior threat analyst at Google’s Threat Intelligence Group. “These are typically heavily obfuscated to prevent detection and thwart analysis,” Hernandez says. “Once UNC4899 \[TraderTraitor\] has gained access to valid credentials, we’ve observed this threat actor moving laterally and accessing other accounts to access hosts and systems, keeping a low profile and aiming to evade detection.”

Once the North Korean hackers have their hands on cryptocurrency or digital wallets, the money laundering often follows a similar pattern, as cryptocurrency tracing firm Elliptic outlined in a blog post breaking down the Bybit hack. To avoid having cryptocurrency wallets frozen, they quickly swap stolen tokens—which are often issued by centralized entities and can have restrictions placed upon them—for more mainstream cryptocurrency assets like ether and bitcoin that are harder to limit.

“The second step of the laundering process is to ‘layer’ the stolen funds in order to attempt to conceal the transaction trail,” Elliptic writes. This means splitting the funds into smaller amounts and sending them to multiple wallets. With Bybit, Elliptic writes, money was sent to 50 different wallets that were then emptied in the coming days. This cryptocurrency is then moved through various cryptocurrency exchanges, converted into bitcoin, and passed through crypto mixers that aim to obscure crypto transactions.

“North Korea is the most sophisticated and well-resourced launderer of crypto assets in existence, continually adapting its techniques to evade identification and seizure of stolen assets,” Elliptic says in its blog post.

In addition to cryptocurrency heists, TraderTraitor has been linked to hacks at software supply chain companies, most prominently JumpCloud in June 2023. Compromising software used by multiple companies may provide the hackers a stealthier way into their intended targets. “That could impact any tech industry, any organization that uses that software,” says Andy Piazza, senior director for threat research at Unit 42.

As TraderTraitor has increasingly garnered attention over the past couple of years, Piazza says he has seen the group improve their operations and attempt to evade detection. For example, Unit 42’s recent research noted that TraderTraitor had been using malware the researchers called RN Loader that installs an information stealer and then deletes itself, making it harder to detect.

“You can definitely tell that they’re stepping up,” Piazza says.

Piazza says that unlike haphazard Russian hacking groups—which were both in the networks of the DNC simultaneously around 2016—there appears to be more organization with the North Korean groups. “It seems more coordinated that they're not bumping into each other out in the battle space,” Piazza says. “They’re really showing that they have the capability to be focused on that OPSEC, to be focused on that persistence capability.”

North Korea’s hacking operations may be even more complex than many realize. According to Piazza and other experts WIRED spoke to, the crypto hackers and the undercover IT workers may even coordinate. Their tactics show some “overlap,” Piazza says.

“If you right now went out onto some type of freelance website and said that you are a brand-new crypto startup and you’re looking for developers before the day is out, you would have North Koreans in your inbox,” Barnhart, the DTEX Systems researcher, says. He says some North Korean hackers can bounce between the country’s different groups, and there’s the possibility that they could also work with or alongside its IT workers. There may be more overlap than people thought, Barnhart says.

“Whenever we attribute this \[hacking\] back to TraderTraitor, was nobody else involved? Did somebody else have a hand in there?”

TraderTraitor: The Kings of the Crypto Heist

Though less well-known than groups like Volt Typhoon and Salt Typhoon, Brass Typhoon, or APT 41, is an infamous, longtime espionage actor that foreshadowed recent telecom hacks.

As China continues its digital gambit around the world, researchers are warning that hacking activity from long-tracked groups is evolving and blending together. On top of that, attackers are hiding their campaigns more effectively and blurring the lines between cybercriminals and state-backed hacking.

Last year, revelations rocked the United States federal government that the Chinese hacking group known as “Salt Typhoon” had breached at least nine major US telecoms. And the group’s rampage even continued into this year in the US and other countries around the world. Meanwhile, the Beijing-linked hacking group “Volt Typhoon” has continued to lurk in US critical infrastructure and utilities around the world. Meanwhile, the notoriously versatile syndicate known as Brass Typhoon—also called APT 41 or Barium—has been operating in the shadows.

The group, which researchers have been tracking since about 2012, has quietly continued its broad targeting around the world over the past year. Brass Typhoon has cast a wide net, leading researchers to view it as a sort of broad coalition that has attacked everything from a US livestock app to source code and chip designs from Taiwan’s semiconductor industry and even power grids. And over the last year, the group has compromised international institutions in the tech and automotive sectors, materials, shipping and logistics, media, and more, using new and refined malware in an array of sustained campaigns.

“They’re absolutely still active and still evolving,” says John Hultquist, who leads threat intelligence at the Google-owned cybersecurity firm Mandiant. “But it’s harder to attribute some of this activity than it was in the past, because it’s all part of a much bigger ecosystem of China’s activity which has been deliberately built to create a tremendous amount of capability.”

Brass Typhoon is known for having carried out a notable string of software supply chain attacks in the late 2010s and for brazen attacks on telecoms around the same time in which the group specifically targeted call record data. The gang is also known for its hybrid activity, carrying out hacks that align with Chinese state-sponsored espionage by the Chinese Ministry of State Security, but also moonlighting on seemingly cybercriminal projects, particularly focused on the video game industry and in-game currency scams.

Research indicates that Brass Typhoon has continued to be active in recent months with financial crimes targeting online gambling platforms as well as espionage targeting manufacturing and energy firms. Its sustained activity has run in parallel to Salt and Volt Typhoon’s recent, attention-grabbing campaigns, and analysis increasingly shows that China’s state-backed hacking operations must be viewed comprehensively, not just in terms of individual actors.

“I think we should not get too down the rabbit hole of is it Salt? Is it Flax? Is it Volt?” former US Cybersecurity and Infrastructure Security Agency director Jen Easterly told WIRED during her last days in that role in January, referring to an array of Beijing-linked hacking groups. “At the end of the day, China, as we've seen in assessments from the Intelligence Community, is the most formidable, persistent cyber threat that we are dealing with.”

Hultquist agrees, emphasizing that while tracking the activity of individual groups is still vital, it is increasingly important for defenders to factor in the advantages that state espionage and offensive hacking operations gain from broad collaboration.

“There was a time when there were very simple indicators that told us who each actor was, and they were operating incredibly loudly, so it was easy to spot the smash-and-grab nature of the activity,” he says. “APT 41 is still doing some loud activity, but so much of its activity now has gotten better and they’ve made an effort to really avoid our controls.”

Ultimately, though, researchers say that the most significant takeaway about Brass Typhoon’s current activity is that it continues apace.

Brass Typhoon: The Chinese Hacking Group Lurking in the Shadows

For the past decade, this group of FSB hackers—including “traitor” Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.

Russian state hackers, perhaps more than those of any other nation, tend to show off. The notorious Sandworm unit within Russia's GRU military intelligence agency, for instance, has triggered unprecedented blackouts and released destructive, self-replicating code. The FSB's ingenious Turla group has hijacked satellite internet connections to steal victims' data from space. But one team of less-flashy cyberspies working on behalf of the Kremlin rarely earns the same notice: Armageddon, or Gamaredon.

The hackers, believed to work in the service of Russia's FSB intelligence agency, aren't known for their sophistication. Yet they have strung together a decade-plus record of nearly constant espionage-focused breaches, grinding away with simple, repetitive intrusion methods, year after year. Thanks to that sheer overwhelming quantity of hacking attempts, they represent by some measures the top espionage threat facing Ukraine in the midst of its war with Russia, according to cybersecurity defenders who track the group.

“They are the most active state-aligned hacker group attacking Ukrainian organizations, by far,” says Robert Lipovsky, a malware researcher at Slovakian cybersecurity firm ESET.

ESET has tracked Gamaredon as it's breached the networks of hundreds of victims in Ukraine, stealing thousands of files on a daily basis, Lipovsky says. “Their operation is highly effective," says Robert Lipovsky, a malware researcher at ESEThe adds. "Volume is their big differentiator, and that's what makes them dangerous.”

If Gamaredon doesn't behave like other Russian hacking groups, that's in part because some of them aren't Russian nationals—or weren't, technically, until 2014.

According to the Ukrainian government, Gamaredon's hackers are based in Crimea, the peninsula of Ukraine that was seized by Russia following Ukraine's Maidan revolution. Some of them previously worked on behalf of Ukraine's own security services before switching sides when Russia's Crimean occupation began.

“They are officers of the ‘Crimean’ FSB and traitors who defected to the enemy,” reads one 2021 statement from the Ukrainian SBU intelligence agency, which alleges the group carried out more than 5,000 attacks on Ukrainian systems including critical infrastructure like “power plants, heat and water supply systems.”

The group's initial access techniques, ESET’s Lipovsky says, consist almost entirely of simple spearphishing attacks—sending victims spoofed messages with malware-laced attachments—as well as malicious code that can infect USB drives and spread from machine to machine. Those relatively basic tactics have hardly evolved since the group first appeared as a threat aimed at Ukraine in late 2013. Yet by tirelessly cranking away at those simple forms of hacking and targeting practically every Ukrainian government and military organization—as well as Ukrainian allies in Eastern Europe—on a daily basis, Gamaredon has proven to be a serious and often underestimated adversary.

“People sometimes don’t realize how big a part ‘persistence’ plays in the phrase APT,” says John Hultquist, chief analyst for Google's Threat Intelligence Group. "They’re just relentless. And that itself can be kind of a superpower.”

In October 2024, the Ukrainian government went as far as to sentence two of Gamaredon's hackers in absentia for not only hacking crimes but treason. A statement from the SBU at the time accused the two men—neither of whom are named—of having “betrayed their oath” by voluntarily joining the FSB.

For Gamaredon's former SBU hackers, turning on their former countrymen may not have resulted in the perks they hoped. Aside from the apparent slog of their nonstop phishing campaigns, intercepted phone communications between members of the group published by the SBU appear to show them complaining about their low pay and lack of recognition. “They should have given you a medal,” one team member says to another in the Russian-language conversation. “Screwed one more time.”

Given how mind-numbingly workaday their hacking campaigns are, it's no wonder they complained about their working conditions, says Google's Hultquist.

"Drudgery is so core to their operations,” he says. "This group grinds out wins."

As disgruntled as Gamaredon's hackers may be, defending against their constant barrage of spying attempts is at least as difficult and boring, say some of the defenders tasked with tracking them. The group writes its malware in relatively unsophisticated scripting languages like VBScript and Powershell rather than the C++ used by savvier hackers. But Gamaredon tweaks its humdrum code constantly, sometimes with automated changes to create endlessly differentiated versions designed to defy antivirus, according to ESET, whose anti-malware products are used widely across Ukraine.

In some cases, the hackers infect the same machine with numerous malware specimens, and hit so many targets that ESET hasn't even been able to identify all of the group's victims, despite closely tracking Gamaredon's campaigns.

“It's exhausting work,” says Anton Cherepanov, an ESET malware researcher. “People overdose and get burnt out.”

Since the start of Russia's full-scale war in Ukraine in 2022, Gamaredon has evolved to broaden its intelligence collection to messaging tools like Signal, WhatsApp, and Telegram, as well as the Delta software used by the Ukrainian military on tablet computers. A 2023 report by CERT-UA, the Computer Emergency Response Team of Ukraine, warned that Gamaredon has on at least one occasion launched a data-destroying attack against a victim facility, though it usually confines itself to mere intelligence gathering on behalf of the Russian military effort.

The same report notes that once Gamaredon infects a machine, it often starts stealing files in as little as 30 minutes. By the end of a week, if the machine remains infected, the hackers will have installed 80 to 120 variants of its malware on the computer. If defenders fail to delete even one, the hackers keep their foothold and can maintain access to that device.

All of that means Gamaredon represents a challenge that's painfully dull for cybersecurity defenders, but with dauntingly high stakes in the context of a war where stolen secrets can mean the difference between life and death.

“They're not interesting,” ESET malware researcher Zoltán Rusnák says. “Just dangerous.”

Gamaredon: The Turncoat Spies Relentlessly Hacking Ukraine

From crypto kingpins to sophisticated scammers, these are the lesser-known hacking groups that should be on your radar.

Read More

_The Last of Us_ Creator Didn’t Want to Sweep ‘Upsetting’ Moments Under the Rug

During _The Last of Us_’ second-season premiere, Ellie gets called a homophobic slur. Craig Mazin tells WIRED it highlights what happens when humanity stops moving forward.

FTC v. Meta Trial: The Future of Instagram and WhatsApp Is at Stake

The blockbuster antitrust case begins Monday. Its outcome could impact how Big Tech companies grow—but the government has a long way to go to prove its case.

The Best Laptops to Work and Play Wherever You Are

These are our favorite Windows laptops, MacBooks, Chromebooks, and Linux portables.

The Best Backpacking Water Filters

We’ve tested filter from Sawyer, Katadyn, LifeStraw, MSR and more to find the best option for every adventure.

The Best Way to Roast a Chicken Is on a Stick

This simple gadget is a fun and inexpensive way to tinker.

Small Language Models Are the New Rage, Researchers Say

Larger models can pull off a wider variety of feats, but the reduced footprint of smaller models makes them attractive tools.

Homeland Security Email Tells a US Citizen to 'Immediately' Self-Deport

An email sent by the Department of Homeland Security instructs people in the US on a temporary legal status to leave the country. But who the email actually applies to—and who actually received it—is far from clear.

The Best Google Pixel 9 Cases and Accessories

Whether you saved some cash with the Pixel 9a or went big with the Pixel 9 Pro XL, we’ve got a selection of cases—MagSafe included—to kit out your new Android phone.

Am I the Asshole if I Don’t Put My Phone on Airplane Mode?

If you don’t, your flight won’t crash, but ignoring airplane mode uses up your battery and annoys the pilot.

The 24 Best Shows on Amazon Prime Right Now

_The Wheel of Time, Reacher_, and _The Bondsman_ are just a few of the shows you should be watching on Amazon Prime Video this week.

China Secretly (and Weirdly) Admits It Hacked US Infrastructure

Plus: The Department of Homeland Security begins surveilling immigrants' social media, President Donald Trump targets former CISA director who refuted his claims of 2020 election fraud, and more.

The Most Dangerous Hackers You’ve Never Heard Of

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2025-2783
https://chromereleases.googleblog.com/2025/03/stable-channel-update-for-desktop_25.html
https://issues.chromium.org/issues/405143032

Skip to content

**Navigation Menu**

*   *   GitHub Copilot
        
        Write better code with AI
        
    *   GitHub Advanced Security
        
        Find and fix vulnerabilities
        
    *   Actions
        
        Automate any workflow
        
    *   Codespaces
        
        Instant dev environments
        
    *   Issues
        
        Plan and track work
        
    *   Code Review
        
        Manage code changes
        
    *   Discussions
        
        Collaborate outside of code
        
    *   Code Search
        
        Find more, search less
        
    

*   Explore
    
    *   Learning Pathways
    *   Events & Webinars
    *   Ebooks & Whitepapers
    *   Customer Stories
    *   Partners
    *   Executive Insights
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   *   Enterprise platform
        
        AI-powered developer platform
        
    
*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  GHSA-f87w-3j5w-v58p

**CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows**

High severity GitHub Reviewed Published Apr 11, 2025 in cefsharp/CefSharp • Updated Apr 12, 2025

**Package**

nuget CefSharp.OffScreen (NuGet)

**Affected versions**

< 134.3.90

**Patched versions**

134.3.90

nuget CefSharp.OffScreen.NetCore (NuGet)

nuget CefSharp.WinForms (NuGet)

nuget CefSharp.WinForms.NetCore (NuGet)

nuget CefSharp.Wpf (NuGet)

nuget CefSharp.Wpf.HwndHost (NuGet)

nuget CefSharp.Wpf.NetCore (NuGet)

**Description**

Published to the GitHub Advisory Database

Apr 12, 2025

Last updated

Apr 12, 2025

**EPSS score**

GHSA-f87w-3j5w-v58p: CefSharp affected by incorrect handle provided in unspecified circumstances in Mojo on Windows

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without…

As organizations increasingly rely on SaaS applications to run their operations, securing them has become a necessity. Without strong protection, sensitive data, user access, and cloud infrastructure are left vulnerable to breaches. SaaS security is not a single-layer fix; it demands multiple approaches to address cybersecurity threats across identity, data, and applications.

****Key Components of a Secure SaaS Architecture****

Creating a secure SaaS architecture involves prioritizing the most important security factors. Each factor serves to mitigate certain threats that may endanger your application or customer information.

****Identity and Access Management (IAM)****

A strong IAM solution enforces secure access using multi-factor authentication (MFA), single sign-on (SSO), and user provisioning to minimize identity-based threats. Integrate identity providers like Azure AD, Okta, or Google Workspace to gain centralized control over user authentication and authorization.

****Data Protection****

Encrypt sensitive data, implement data loss prevention (DLP) policies, and control data sharing to prevent leaks or breaches. Implement encryption at rest and in transit to protect data at multiple levels.

****Secure Development Practices****

Adopt secure coding principles, perform code reviews, and implement automated security scanning tools to identify vulnerabilities in the initial phases of the development life cycle. Use tools like SonarQube, Snyk, or Checkmarx to scan code and identify vulnerabilities.

****Network Security****

You must implement firewalls, Virtual Private Clouds (VPCs), and network segmentation so that sensitive workloads are placed within secure boundaries. It will also minimize the attack surface. Implement IP whitelisting, VPN access, and network-level monitoring to secure data flow.

****Incident Response Plan****

Establish a good incident response plan that provides detection, containment, and recovery procedures in the case of security incidents. Regular practice drills are necessary to educate your staff to respond to an incident properly.

Bridging these building blocks contributes to developing a good foundation for your SaaS architecture.

****Essential SaaS Security Practices****

Effective SaaS security requires a layered approach. These essential strategies help protect your SaaS applications from unauthorized access, misconfigurations, and third-party vulnerabilities:

1.  **Data Encryption**: You must encrypt data at rest and in transit to prevent unauthorized access. Ensure encryption keys are managed securely to prevent compromise.
2.  **Access Controls**: Use role-based access controls (RBAC) and implement the principle of least privilege. It is necessary to regularly review and audit permissions to minimize over-privileged accounts.
3.  **Secure Configuration**: Regularly review and harden cloud configurations to minimize exposure. Tools like AWS Config, Azure Security Center, and GCP Security Command Center help maintain consistent security configurations.
4.  **Monitoring and Logging**: Enable detailed logs and use tools to detect suspicious behavior. Solutions like AWS CloudTrail, Azure Monitor, and Google Cloud Operations provide insights for incident response.
5.  **Third-Party Risk Management**: Assess the security posture of third-party integrations. Regularly conduct vendor assessments to evaluate risks posed by external services.

Combining these strategies ensures a stronger security posture for your SaaS applications.

****Implementing Identity First Security for Stronger Access Control****

Identity-first security shifts the security focus from the network perimeter to individual user identities. This approach strengthens access control by ensuring that identity is the core factor in securing resources.

****1\. Centralized Identity Management****

You must use centralized identity providers (IdPs) like Azure AD, Okta, or Google Workspace to simplify user management and ensure consistent security policies. Centralized identity management reduces identity sprawl and makes it easier to enforce MFA, password policies, and session control.

****2\. Multi-Factor Authentication (MFA)****

MFA across critical applications is important so you can prevent unauthorized access even if credentials are compromised. Enable adaptive MFA to assess risk signals, such as user behavior or device location, before prompting additional verification.

****3\. Role-Based Access Control (RBAC)****

Implement RBAC to ensure users only have access to resources relevant to their roles, reducing excessive permissions. Continuously review and audit roles to prevent privilege creep.

****4\. Just-in-Time (JIT) Access****

Grant temporary elevated access only when required, minimizing the risk of long-term privileged accounts. This reduces the risk of attackers exploiting excessive or dormant privileges.

By focusing on identity as the foundation for security, organizations can better control access and reduce exposure to breaches.

****Building Secure SaaS Workflows****

Implementing secure workflows helps reduce the risk of human errors and potential security gaps. Structured workflows ensure consistent handling of data, identity, and application behavior.

*   **Secure Onboarding and Offboarding**: Create well-defined onboarding and offboarding processes to manage user access efficiently. Automated provisioning and deprovisioning tools help ensure that no orphaned accounts remain active. Integrate these processes with your IAM provider to streamline access management.

*   **Secure API Management**: Ensure all SaaS APIs are authenticated, encrypted, and properly documented. Implement API gateways and limit exposure to only essential endpoints. Use OAuth 2.0, OpenID Connect, and API rate limiting to enhance API security.

*   **Data Backup and Recovery**: Establish backup routines with strict data recovery objectives. Regularly test recovery processes to minimize downtime in case of an incident. Adopt services like AWS Backup, Azure Backup, or Google Cloud Backup for automated backup management.

By following these practices, organizations can maintain secure and efficient workflows.

****Why Identity Security is the Backbone of Modern Cybersecurity****

Identity security plays an important role in protecting cloud applications, services, and data. Since compromised identities are often the starting point for cyberattacks, securing identities is key to preventing major security incidents.

****Preventing Credential-Based Attacks****

Attackers frequently exploit weak passwords or stolen credentials. Strong identity security with MFA, password policies, and behavior-based monitoring can reduce this risk. Use tools like Microsoft Defender for Identity, Google Cloud Identity Protection, or Okta ThreatInsight to detect suspicious identity-related behavior.

****Enabling Zero Trust Architecture****

Identity security aligns with Zero Trust principles, ensuring that no user or device is trusted by default. Every access request is verified based on identity, device health, and location before access is granted.

****Enhancing User Accountability****

With proper identity tracking and auditing, organizations can monitor user actions and quickly detect suspicious behavior. Solutions like AWS CloudTrail, Azure AD Logs, and Google Cloud Audit Logs provide visibility into identity-related events.

****Improving Compliance****

Identity security helps meet compliance standards by enforcing access controls, maintaining audit trails, and ensuring data protection. Frameworks such as ISO 27001, SOC 2, and HIPAA emphasize strong identity security as part of compliance best practices.

Organizations can build a resilient defense against evolving cyber threats by prioritising identity security.

****Conclusion****

SaaS security is not a one-time effort but a continuous strategy combining proactive threat defense, identity-centric access control, and scalable automation. By implementing strong data encryption, enforcing least-privilege access, and managing identities with precision, businesses can significantly reduce their exposure to threats.

Prioritizing identity security lays the groundwork for Zero Trust and helps meet growing compliance demands. Investing in these security measures not only protects your SaaS stack but also builds long-term customer trust and operational resilience as your business scales.

Top/Featured Image by Vicki Hamilton from Pixabay

SaaS Security Essentials: Reducing Risks in Cloud Applications

The US indicated they will sign the Pall Mall Pact, an international treaty to regulate commercial spyware and surveillance tools.

The US State Department reportedly plans to sign an international agreement designed to govern the use of commercial spyware known as the Pall Mall Pact.

The Pall Mall Pact, formally known as the Pall Mall Process, was initiated by France and the United Kingdom in February 2024. The goal of the Pall Mall Pact is to regulate Commercial Cyber Intrusion Capabilities (CCICs), or what we usually refer to as spyware and surveillance tools.

Signed by France, the UK, Japan, and 18 other EU member states, the Code of Practice is a voluntary non-binding agreement establishing “best practices” among governments in relation to the development, facilitation, purchase, transfer, and use of commercial cyber intrusion tools and services.

Primarily, it aims to tackle the misuse of powerful cybertools sold on the open market. These tools, often developed by private companies like the NSO Group and Paragon Solutions, have been exploited by state and non-state actors to surveil journalists, human rights defenders, activists, and even government officials. The misuse of spyware has raised concerns about its impact on democracy, human rights, and national security.

By promoting international collaboration among governments, combined with industry players like Google and Microsoft, civil society organizations, and academics, the pact represents a collective effort to regulate an industry that has operated almost without reins.

The ongoing proliferation of spyware poses existential risks to privacy and civil liberties. Commercial hacking tools have enabled intrusive surveillance practices that undermine fundamental freedom and human rights. For example, spyware can infiltrate smartphones and computers, granting unauthorized access to sensitive data such as messages, emails, and location information.

Initially, countries like the United States opted not to sign the Pall Mall Pact but to pursue similar initiatives independently. However, this fragmentation could dilute global efforts to regulate spyware effectively. Not ideal, since its voluntary nature already raises questions about its effectiveness.

While not legally binding, the Code offers building blocks for the future and builds momentum for further development. It also offers the participating states a framework for further discussion and national implementation into laws.

In an increasingly digital world, privacy is a growing concern. As our recent research showed, a majority of people feel isolated in securing their sensitive information from companies, governments, AI models, and scammers.

Privacy is more than a personal concern. It’s a cornerstone of democracy and human rights. The Pall Mall Pact offers a roadmap for protecting these values against the misuse of powerful surveillance technologies. No one should be subject to arbitrary or unlawful interference with their privacy, as set out in the International Covenant on Civil and Political Rights and other applicable international and regional treaties.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 The Pall Mall Pact and why it matters 

Some misconfigured AI chatbots are pushing people’s chats to the open web—revealing sexual prompts and conversations that include descriptions of child sexual abuse.

Several AI chatbots designed for fantasy and sexual role-playing conversations are leaking user prompts to the web in almost real time, new research seen by WIRED shows. Some of the leaked data shows people creating conversations detailing child sexual abuse, according to the research.

Conversations with generative AI chatbots are near instantaneous—you type a prompt and the AI responds. If the systems are configured improperly, however, this can lead to chats being exposed. In March, researchers at the security firm UpGuard discovered around 400 exposed AI systems while scanning the web looking for misconfigurations. Of these, 117 IP addresses are leaking prompts. The vast majority of these appeared to be test setups, while others contained generic prompts relating to educational quizzes or nonsensitive information, says Greg Pollock, director of research and insights at UpGuard. “There were a handful that stood out as very different from the others,” Pollock says.

Three of these were running-role playing scenarios where people can talk to a variety of predefined AI “characters”—for instance, one personality called Neva is described as a 21-year-old woman who lives in a college dorm room with three other women and is “shy and often looks sad.” Two of the role-playing setups were overtly sexual. “It’s basically all being used for some sort of sexually explicit role play,” Pollock says of the exposed prompts. “Some of the scenarios involve sex with children.”

Over a period of 24 hours, UpGuard collected prompts exposed by the AI systems to analyze the data and try to pin down the source of the leak. Pollock says the company collected new data every minute, amassing around 1,000 leaked prompts, including those in English, Russia, French, German, and Spanish.

It was not possible to identify which websites or services are leaking the data, Pollock says, adding it is likely from small instances of AI models being used, possibly by individuals rather than companies. No usernames or personal information of people sending prompts were included in the data, Pollock says.

Across the 952 messages gathered by UpGuard—likely just a glimpse of how the models are being used—there were 108 narratives or role-play scenarios, UpGuard’s research says. Five of these scenarios involved children, Pollock adds, including those as young as 7.

“LLMs are being used to mass-produce and then lower the barrier to entry to interacting with fantasies of child sexual abuse,” Pollock says. “There's clearly absolutely no regulation happening for this, and it seems to be a huge mismatch between the realities of how this technology is being used very actively and what the regulation would be targeted at.”

WIRED last week reported that a South Korea–based image generator was being used to create AI-generated child abuse and exposed thousands of images in an open database. The company behind the website shut the generator down after being approached by WIRED. Child-protection groups around the world say AI-generated child sexual abuse material, which is illegal in many countries, is growing quickly and making it harder to do their jobs. The UK’s anti-child-abuse charity has also called for new laws against generative AI chatbots that “simulate the offence of sexual communication with a child.”

All of the 400 exposed AI systems found by UpGuard have one thing in common: They use the open source AI framework called llama.cpp. This software allows people to relatively easily deploy open source AI models on their own systems or servers. However, if it is not set up properly, it can inadvertently expose prompts that are being sent. As companies and organizations of all sizes deploy AI, properly configuring the systems and infrastructure being used is crucial to prevent leaks.

Rapid improvements to generative AI over the past three years have led to an explosion in AI companions and systems that appear more “human.” For instance, Meta has experimented with AI characters that people can chat with on WhatsApp, Instagram, and Messenger. Generally, companion websites and apps allow people to have free-flowing conversations with AI characters—portraying characters with customizable personalities or as public figures such as celebrities.

People have found friendship and support from their conversations with AI—and not all of them encourage romantic or sexual scenarios. Perhaps unsurprisingly, though, people have fallen in love with their AI characters, and dozens of AI girlfriend and boyfriend services have popped up in recent years.

Claire Boine, a postdoctoral research fellow at the Washington University School of Law and affiliate of the Cordell Institute, says millions of people, including adults and adolescents, are using general AI companion apps. “We do know that many people develop some emotional bond with the chatbots,” says Boine, who has published research on the subject. “People being emotionally bonded with their AI companions, for instance, make them more likely to disclose personal or intimate information.”

However, Boine says, there is often a power imbalance in becoming emotionally attached to an AI created by a corporate entity. “Sometimes people engage with those chats in the first place to develop that type of relationship,” Boine says. “But then I feel like once they've developed it, they can't really opt out that easily.”

As the AI companion industry has grown, some of these services lack content moderation and other controls. Character AI, which is backed by Google, is being sued after a teenager from Florida died by suicide after allegedly becoming obsessed with one of its chatbots. (Character AI has increased its safety tools over time.) Separately, users of the generative AI tool Replika were upended when the company made changes to its personalities.

Aside from individual companions, there are also role-playing and fantasy companion services—each with thousands of personas people can speak with—that place the user as a character in a scenario. Some of these can be highly sexualized and provide NSFW chats. They can use anime characters, some of which appear young, with some sites claiming they allow “uncensored” conversations.

“We stress test these things and continue to be very surprised by what these platforms are allowed to say and do with seemingly no regulation or limitation,” says Adam Dodge, the founder of Endtab (Ending Technology-Enabled Abuse). “This is not even remotely on people’s radar yet.” Dodge says these technologies are opening up a new era of online pornography, which can in turn introduce new societal problems as the technology continues to mature and improve. “Passive users are now active participants with unprecedented control over the digital bodies and likenesses of women and girls,” he says of some sites.

While UpGuard’s Pollock could not directly connect the leaked data from the role-playing chats to a single website, he did see signs that indicated character names or scenarios could have been uploaded to multiple companion websites that allow user input. Data seen by WIRED shows that the scenarios and characters in the leaked prompts are hundreds of words long, detailed, and complex.

“This is a never-ending, text-based role-play conversation between Josh and the described characters,” one of the system prompts says. It adds that all the characters are over 18 and that, in addition to “Josh,” there are two sisters who live next door to the character. The characters’ personalities, bodies, and sexual preferences are described in the prompt. The characters should “react naturally based on their personality, relationships, and the scene” while providing “engaging responses” and “maintain a slow-burn approach during intimate moments,” the prompt says.

“When you go to those sites, there are hundreds of thousands of these characters, most of which involve pretty intense sexual situations,” Pollock says, adding the text based communication mimics online and messaging group chats. “You can write whatever sexual scenarios you want, but this is truly a new thing where you have the appearance of interacting with them in almost exactly the same way you interact with a lot of people.” In other words, they’re designed to be engaging and to encourage more conversation.

That can lead to situations where people may overshare and create risks. “If people are disclosing things they’ve never told anyone to these platforms and it leaks, that is the Everest of privacy violations,” Dodge says. “That’s an order of magnitude we've never seen before and would make really good leverage to sextort someone.”

Sex-Fantasy Chatbots Are Leaking a Constant Stream of Explicit Messages

Cybersecurity researchers have found that threat actors are setting up deceptive websites hosted on newly registered domains to deliver a known Android malware called SpyNote.
These bogus websites masquerade as Google Play Store install pages for apps like the Chrome web browser, indicating an attempt to deceive unsuspecting users into installing the malware instead.
"The threat actor utilized a

SpyNote, BadBazaar, MOONSHINE Malware Target Android and iOS Users via Fake Apps

Tech giant Google may soon help users find content they've previously seen, not by searching the web but by scanning their own digital history.

**TL;DR** – Google has filed a patent for a system that lets users search their personal digital history, including web activity and emails, using natural language. While it promises convenience, it also raises concerns around data privacy and user control.

Google has filed a patent for a system titled **“Generating query answers from a user’s history”** that would allow users to retrieve previously viewed content using natural, conversational questions. The aim is to simplify how people locate things they’ve seen before without needing to remember exact keywords or scroll through browser logs.

Currently, if you want to revisit a webpage or document from last week, you’re left relying on your memory or search history. This system would change that by identifying when a user’s question refers to past activity, for example, questions like _“I remember reading about…”_ or _“What was that article on…”_

****How It Would Work****

The system analyzes the phrasing of spoken or typed queries to decide whether a user is asking about something they’ve seen before. If so, it shifts from searching the entire web to searching the user’s activity such as browser history or even email accounts.

“One or more servers classify the natural language query as a query that seeks information previously accessed by the user,” the patent states.

Sources for this search could include web browsing, emails, or other personal data stored on or accessible through the user’s device. However, it goes further than keyword matching. For example, if a user says, _“Find that gardening article I read on my tablet last month,”_ the system would break down “gardening” as the topic, “tablet” as the device, and “last month” as the timeframe, all used as filters to narrow the result.

The patent also describes showing cached versions of past webpages. If a site has changed since the last visit, users might still be able to view the version they saw originally.

“For example, the search result ‘World Chess Championship’ includes a ‘View Cached Result’ link,” the patent reads. “This link may direct the client device to a version of the webpage that was cached on or about 10 days ago.”

****Voice Assistants, Emails, and Everyday Search****

Source: Google

This feature could be integrated into voice assistants, allowing users to say things like, _“What was that turkey recipe I read on my phone?”_ It could also work within Gmail or search engines, pulling up old emails or documents based on vague or natural prompts like _“Grandma’s meatball recipe.”_

****Privacy Questions****

The patent mentions that users may be able to control whether their personal data is used and that anonymization could be applied “in one or more ways before it is stored or used.”

But as with any system that relies on indexing private activity, there are clear concerns. If implemented, this would require a high level of access to personal data browsing history, emails, and device usage, all linked together and searchable from a single query.

The question is whether users will trust a tool powerful enough to remember what they’ve forgotten.

It’s important to note that patents don’t always lead to real products. For example, **Google filed a patent in 2015** for a system that would store user memories in a searchable database, and in July 2021, a **Microsoft patent** described a chatbot that could simulate conversations with deceased individuals.

Although these ideas never became consumer features, they highlight the kinds of directions tech companies are exploring. In this case, Google appears to be pushing toward making personal memory itself searchable.

Tag

#google