Anthropic watch: Congress scrambles, Europe recoils, and Anthropic's halo grows brighter
Leak exposes members of Peter Thiel's secretive power network, Cybercrime now accounts for a third of crimes in parts of Asia, France picks local rival to replace Palantir at spy agency, Americans lost $3.5B to imposter scams last year, Hackers hijack Roblox games by seizing dev accounts, much more
Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.
In the ongoing saga surrounding the administration's abrupt shutdown of Anthropic's latest Mythos and Fable models, the political, business, and cybersecurity fallout continues to spread.
First, Congress is still trying to figure out exactly what happened. Several lawmakers said this week they have yet to receive a full explanation for the administration's decision, with some openly questioning whether national security concerns alone drove the move. Others warned that restricting access to advanced American AI systems could ultimately weaken the very cyber defenses the government says it is trying to protect.
Meanwhile, some observers think the controversy may prove beneficial for Anthropic. Despite losing access to its newest models, the company continues to gain market share among businesses, according to new data. Anthropic has reportedly overtaken OpenAI in business AI subscriptions, according to the latest Ramp AI Index, and economists following the company say previous government clashes did little to slow adoption. If anything, being branded as the company whose models are considered too powerful may be strengthening its reputation among enterprise buyers.
The international reaction has remained unfavorable to the tech industry. The Anthropic restrictions have become a fresh rallying cry for European advocates of "tech sovereignty," who argue that dependence on American AI providers leaves Europe vulnerable to abrupt policy decisions made in Washington. The episode is expected to feature prominently in discussions at both the G7 and the VivaTech conference in Paris, where officials are already debating how to reduce reliance on US technology infrastructure.
Back in the United States, the Wall Street Journal delivered what may be the most sympathetic portrayal yet of Anthropic's position, publishing an extensive profile of company researcher Nicholas Carlini. Accompanied by a photograph that practically places a halo behind his head, the story casts Carlini as both the messenger who warned that AI-assisted vulnerability discovery had become frighteningly powerful and the reluctant ambassador dispatched to Washington to calm officials after the administration panicked over those same capabilities.
The Journal profile highlights the central contradiction at the heart of the dispute. Carlini was among the first researchers to publicly argue that models such as Mythos dramatically change the economics of vulnerability discovery, allowing researchers to uncover software flaws at a scale that would have been impossible only a few years ago. Yet Carlini and Anthropic now find themselves arguing that the existence of powerful cyber capabilities is not, by itself, a reason to keep such models locked away.
That position aligns neatly with the Wall Street Journal editorial board, which accused the administration of overreacting to reported jailbreaks and effectively kneecapping a leading American AI company. The editorial argued that restricting Anthropic's models may ultimately hurt US innovation and cybersecurity while encouraging allies to seek alternatives outside the American technology ecosystem. (Tim Starks / CyberScoop, Robert McMillan and Amrith Ramkumar / Wall Street Journal, Editorial Board / Wall Street Journal, Supantha Mukherjee and Leo Marchandon / Reuters)
Related: Politico, Scientific American
A trove of internal records from a secret society for powerful figures in US politics, finance, and tech was left exposed online, naming participants in its events and revealing sensitive personal details they were assured would stay private.
The group, called Dialog, is a private, invitation-only organization cofounded in 2006 by the billionaire tech investor Peter Thiel. It convenes US officials, foreign government figures, and Silicon Valley executives at off-the-record annual retreats. Dialog has spent two decades declining to disclose its members.
The Swiss hacktivist maia arson crimew first revealed a directory in the website's code. Known for exposing the US government’s No Fly List and breaching the surveillance-camera company Verkada, crimew tells WIRED the directory surfaced via an anonymous tip.
A source separately provided WIRED with the registration list for Dialog's 2026 retreat, which names 222 people and records what the list describes as each registrant's membership status and attendee type, including “active member” and “guest.” The retreat is scheduled for August 12-16 at a venue near Dublin, Ireland.
The same data lays out a program of off-the-record sessions, including: “Money (Does?) Buy Happiness,” “Bring Back Nuclear,” “Navigating WWIII,” “Battlefield Technologies,” and “How’s Your Sex Life?” Other talks include “Build-a-Cult,” moderated by the founder of the Christian networking site Pray.com, and “Build-a-Party,” run by a former White House national security official.
Together, alongside the mundane fare of a typical thought leadership conference, the documents show an extraordinary convergence of power.
The registration records list General Alexus Grynkewich, NATO's Supreme Allied Commander Europe and the head of US European Command, who took the post in July 2025 and is recorded on the leaked list as having attended Dialog gatherings since 2021. The website directory names sitting Trump administration officials, two US senators, six members of the PayPal Mafia, a former Middle East chief of intelligence, and a sitting ambassador to the United States, along with the founders and directors of many of the country's largest surveillance, data-broker, and advertising-data companies. (Dell Cameron and Yulia Almazova / Wired)
Related: SAN, Attendee List on GitHub
According to Interpol, illegal cyber activities accounted for around a third of all crimes recorded in some Asian countries, with scams the most widespread and financially damaging.
Interpol's latest cyber threat assessment cited the increasing dominance of online crimes compared to traditional illicit activity, describing the activities as “persistent, large-scale challenges affecting multiple jurisdictions” linked to the rapid adoption of digital infrastructure.
Of the 18 Interpol member states in Asia and the South Pacific that responded to a survey, more than half reported that cybercrime made up 30% of all crimes recorded nationally. Around a third reported more than 10,000 cases of online scams using techniques such as phishing. (Rosalind Mathieson / Bloomberg)
Related: Interpol, South China Morning Post

France's domestic intelligence agency DGSI will replace tools from US tech firm Palantir in favor of a French rival, ChapsVision, the French Prime Minister's office said, although the process is likely to take several years.
In a video post on X, Prime Minister Sebastien Lecornu said ChapsVision had on Tuesday "been retained by the DGSI ... to substitute the American giant Palantir."
However, after Palantir said its long-term contract with the DGSI, which was renewed at the end of 2025 for several more years, "remains fully in force," Lecornu's office clarified that Palantir's tools would continue to be used until ChapsVision's could be integrated "to avoid a capability gap." (Inti Landauro / Reuters)
Related: The Guardian, France24, AFP
The US Federal Trade Commission (FTC) warned that Americans lost $3.5 billion to imposter scams in 2025, with reported losses nearly tripling since 2020.
Imposter scams were also the most reported fraud category last year, accounting for nearly one in three fraud reports filed with the FTC. In these scams, the fraudsters reach victims through text messages, phone calls, emails, social media, and search engine results. The costliest schemes typically involve a fake bank security alert that prompts targets to transfer funds to "protect" their accounts.
According to the FTC, victims lost nearly $1 billion to business impersonators (with bank impersonators being behind the most lucrative scams) and approximately $920 million to government impersonators. Social media was the most cost-effective attack vector for impersonators, with more than $2.1 billion in 2025 losses traced to social platforms (an eightfold increase since 2020).
Nearly one in three Americans who lost money in such scams were first contacted through social media, with Facebook losses alone exceeding those from text and email combined, while WhatsApp and Instagram ranked second and third.
"The FTC will use every tool available to combat one of the most pernicious forms of fraud—government and business impersonation—and to protect the integrity of the digital economy," said Christopher Mufarrige, director of the FTC's Bureau of Consumer Protection. (Sergiu Gatlan / Bleeping Computer)
Related: FTC, Techlicious, WGAL
Hackers are taking over Roblox developer accounts and stealing ownership of entire video games and digital worlds.
Multiple Roblox developers say this is happening to them. In multiple cases, the developers said Roblox support did not help them get their games back until 404 Media contacted Roblox for comment.
Ioannis Matziaris said his two 20-year-old sons spent five years building a game called “The Shadow Network” with more than 12,000 members. In April, someone approached Christos, one of the sons, with a job offer and convinced him to run a particular file. It was actually malware.
“Within hours, they had taken ownership of our entire Roblox group, transferred our main game to a new group they created, and stolen our Robux,” Matziaris said. He said the family contacted Roblox support and filed a DMCA takedown request with Roblox but got no response.
It’s not entirely clear what the hackers planned to do with the games, whether to steal the Robux or to try to monetize the games' popularity. But you can see why a hacker might want to commandeer a game for themselves. Matziaris said that after the hack, Roblox denied the family’s claim over the game because “there is no indication that group ownership was transferred due to your account being compromised.”
When 404 Media contacted Roblox for comment, the company changed its stance. “We were troubled to hear of this specific incident and have restored the game to its owner,” the company said in a statement. (Joseph Cox / 404 Media)
Related: r/cybersecurity
The UK government's effort to make the internet safer for children is increasingly colliding with concerns about privacy, surveillance, and the collection of personal data.
The latest flashpoint is a proposal to ban social media use by children under 16. While supporters argue the measure could help protect young people from harmful content and addictive platform features, critics say enforcing such a ban would require a far broader system for verifying users' ages than many people realize.
That debate is unfolding against the backdrop of the Online Safety Act, which has already prompted many online services to deploy age-verification and age-assurance technologies. Depending on the platform, users may be asked to provide identification documents, submit photographs for age estimation, or otherwise prove they are old enough to access certain content.
Privacy advocates argue that these requirements are gradually normalizing identity checks for everyday internet use. They warn that systems designed to protect children could ultimately require large numbers of adults to disclose personal information to access online services.
Others have raised concerns about where that information ends up. As platforms turn to third-party providers to perform age checks, critics question whether users fully understand who is collecting their data, how it is being stored, and what safeguards exist to protect it from misuse or breaches. (Liv McMahon & Philippa Wain / BBC News, Heather Burns / The Nerve)
Related: Amnesty International, The New York Times, CBS News, NPR, Politico EU, Time, Axios, New Scientist, CNN, Reuters
Japanese technology giant SoftBank Group is launching a service using OpenAI technology to protect against the looming threat of cyberattacks, both companies said.
Chief Executive Masayoshi Son called Japan’s vulnerability to cyberattacks “a crisis,” comparing it to a potential assault by machine guns instead of the rifle shots of the past.
SoftBank will offer “a patching service,” targeting the nation’s top 3,000 companies behind crucial infrastructure like airports, power systems and transportation, Son said.
“I feel it is our duty,” Son said, repeatedly referring to the criminal attackers as “the bad guys.”
The service involves first diagnosing any weaknesses to attacks and then analyzing what needs to be done to patch up such “holes,” Son said.
Sam Altman, chief of OpenAI, was scheduled to attend the launch, but instead appeared only in a short video. He said he couldn’t make it because his baby daughter was born earlier than expected. Mark Chen, OpenAI’s chief researcher, was present in his place. (Yuri Kageyama / Associated Press)
Related: Dow Jones Newswires, The Next Web, Reuters, Nikkei Asia, SoftBank Group Corp., Blockonomi, Yahoo Finance
Researchers at Zimperium report that a new Android banking trojan named Rokarolla is targeting 217 banking and cryptocurrency applications using an extensive set of 137 commands.
The malware is distributed via malicious websites purporting to provide the Google Chrome or TikTok app and can take complete administrative control of a compromised device.
Its capabilities include stealing lock screen credentials, contact lists, and SMS data, as well as using keyloggers to record user input continuously.
During the installation process, the malicious app acts as a dropper and impersonates Google Play Protect, Android’s built-in anti-malware system, offering users the option to install Chrome or TikTok, which include the Rokarolla malware.
When launched on the device, Rokarolla requests Accessibility service permissions, as well as access to notifications, SMS, and calls. (Bill Toulas / Bleeping Computer)
Related: Zimperium, Infosecurity Magazine, Cyber Press, HackRead, GBHackers, Dark Reading, Security Affairs

A ransomware negotiation following a massive breach at education provider Global Schools Group appears to have collapsed after the company's representative took an unusually confrontational approach with the threat actors.
The negotiator repeatedly challenged the hackers' claims, questioned whether they possessed the stolen data, and appeared to dismiss evidence provided during discussions.
The incident stemmed from an April attack in which the Fulcrum Sec ransomware group claimed to have stolen roughly 4.8 terabytes of data, including personal and sensitive information belonging to students, parents and employees. Global Schools Group has acknowledged a cybersecurity incident and said it is assessing the impact while cooperating with authorities.
The negotiations deteriorated after the company's representative adopted what the publication described as a "bizarre" strategy, leading the threat actors to end discussions and proceed with publishing data. The episode serves as a reminder that ransomware negotiations can be as consequential as the technical response to an incident, particularly when attackers believe they are not being taken seriously.
The breach is now drawing regulatory scrutiny in Singapore, where authorities have confirmed they are investigating the incident. (Dissent Doe / Databreaches.net)
Related: Channel News Asia
Film and commercial print giant Kodak confirmed that it's working with external cybersecurity experts to investigate a security breach after hackers gained access to some of the company's data.
A company spokesperson said that attackers only accessed a "limited amount" of data in the incident, but didn't reply to a subsequent email asking if they breached Kodak's internal network.
"Kodak recently discovered that an unauthorized third party illegally gained temporary access to a limited amount of company data. We promptly engaged external cybersecurity experts to support an investigation of what data was accessed and copied," Kodak said.
While the company has yet to attribute this breach, the ShinyHunters extortion group has claimed responsibility on their dark web leak site.
The cybercrime gang claimed to have stolen over 2.2 million records containing customer personally identifiable information (PII) and internal corporate data, and threatened to leak the exfiltrated data on Thursday. (Sergiu Gatlan / Bleeping Computer)
Related: CyberInsiders, ARY News

A self-described “extortion as a service group” known as ShadowByt3$ (hereafter ShadowBytes) is threatening to leak “859.0MB” of Nintendo’s private employee data, which allegedly contains a list of employee emails, full names, bank statements, and private conversations, unless it’s provided with “a ransom payment of 2 million dollars.”
The ransomware group published the threat on its own website on June 12, alongside a blog post detailing the alleged contents of the employee data and a mega.io link (which is now inaccessible) containing “proof” of its hack. “You have 48 hours to contact us Nintendo or all data gets leaked,” reads the initial threat. “If you contact us we give you an extra day to think this through. We are demanding a ransom payment of 2 million dollars.”
As detailed in a post on the open-source intelligence platform RansomLook, a second threat was issued by the group on June 14, which stated that ShadowBytes had moved on to threatening TinyPulse, the employee feedback platform from which the alleged Nintendo data was seemingly sourced, after Nintendo “decided not to pay” the group its ransom.
“Tinypulse you have till june 16th 2026 to contact us via telegram or email that we have sent you,” reads the second threat. “Nintendo decided to not pay so we are demanding that Tinypulse pay or all data will be leaked including private messages of Nintendo employees and not all employees are happy we can tell you that. Private messages are about to not become private if Tinypulse doesn’t reach an agreement with us.”
Nintendo confirmed that it was “aware of an issue involving TinyPulse” in a statement by Nintendo of America: “We are aware of an issue involving TinyPulse, a third-party service used for internal employee surveys at Nintendo of America. Nintendo’s systems have not been compromised, and no personal customer or financial data has been accessed. The data involved is limited to internal survey content comprising a small subset of our employees, and most of the information dates back several years.” (Lewis Parker / Kotaku)
Related: Nintendo Life, Instant Gaming Life, Computing UK, Nintendo Everything, Video Games Chronicle, GoNintendo, LevelUp, Nintendo Wire, Cybersecurity Insiders, Ransomlook
A security researcher who goes by the name of BobDaHacker said she was able to access several internal FIFA platforms due to a simple security flaw, which allowed her to watch and have full control of the TV stream of every World Cup game.
She said she registered as a player agent on FIFA’s official agent registration platform. Then, thanks to having that account and a flaw in FIFA’s back-end API, which didn’t check if a user actually had the proper authorization, she was able to access several internal FIFA platforms.
This included the system that allows broadcasters to control what gets displayed on people’s TVs across the world and what gets displayed on commentators’ screens as they narrate the match, per the researcher.
“A single attacker could hijack every camera simultaneously. An attacker could have rickrolled the entire FIFA World Cup,” BobDaHacker wrote in a blog post.
BobDaHacker reported the flaw on Tuesday night Japan time, and FIFA fixed the issue a few hours later, without ever acknowledging the researcher’s report. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: BobDaHacker, IT News, Heise Online

Researchers at Symantec report that DragonForce ransomware used a custom malware named 'Backdoor.Turn' to hide command-and-control traffic inside Microsoft Teams relay infrastructure.
The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol used by Microsoft Teams to distribute messages when a direct connection to the client is unavailable (e.g., clients on a private network).
DragonForce is a ransomware operation active since at least 2023 that adopted a cartel-style organizational structure and has been linked to the infamous Scattered Spider threat group.
According to Symantec, the hackers used custom Go-based malware in an attack against a major US services company.
Backdoor.Turn abuses Teams' TURN infrastructure by obtaining an anonymous Teams visitor token, using a legitimate Microsoft TURN relay during connection setup, and then connecting to the attacker's command-and-control (C2) server. (Bill Toulas / Bleeping Computer)
Related: SC Media, Broadcom, Security.com, HelpNetSecurity, Infosecurity Magazine, The Register
Researchers at Aikido report that at least 15 malicious plugins found on the JetBrains Marketplace were designed to steal AI API keys from developers.
The campaign includes plugins that act as AI coding assistants, code-review tools, and Git utilities powered by popular AI services such as OpenAI, DeepSeek, and SiliconFlow.
According to Aikido, the malicious plugins were first published in October 2025, with new plugins continuing to be published as recently as June 10, 2026.
The researchers say the plugins function as advertised, but secretly transmit AI API keys entered by users into the plugin settings back to the attackers. (Lawrence Abrams / Bleeping Computer)
Related: Aikido Security, Infosecurity Magazine, Techzine, HackRead, GBHackers
Cyber extortion group FulcrumSec claimed to have stolen more than a terabyte of data from pharmaceutical giant Novo Nordisk and said it is exploring selling parts of the data after unsuccessfully demanding $25 million from the company.
The group said in a long message posted to its website that it spent more than two months in Novo Nordisk's networks stealing data. It said that data included company source code, proprietary information on released and unreleased drugs, trial data, employee, doctor and patient data, information related to company processing facilities, and internal AI model information.
A Novo Nordisk spokesperson said in an email that the company "is aware of claims that data allegedly copied externally without authorisation from our systems has been published online. We take this matter seriously and maintain continued operations of our main platforms. We are in contact with the relevant authorities."
The Danish company disclosed a cybersecurity incident on June 11 that it said involved unauthorized access to a limited number of internal IT systems that included access to certain personal data. (A.J. Vicens / Reuters)
Related: Quartz, PharmaPhorum, Security Affairs, MedWatch, Security Week, Crypto Briefing, Heise Online
Researchers at Kaspersky report that threat actors are abusing Steam Workshop, Valve's community hub for downloading game-related content, to push various malware hidden in wallpaper packages.
Infected wallpapers can lead to hijacking Steam accounts, compromising the system with a backdoor, or running cryptomining processes.
Steam Workshop is a built-in content-sharing platform on Valve's Steam gaming service where users can upload and download community-created content for games and applications.
The content includes mods, maps, skins, save files, tools, and other user-generated content such as wallpapers.
The attacks abuse the Wallpaper Engine desktop customization application available on Steam, which has nearly a million reviews.
Wallpaper Engine supports four wallpaper types: videos, interactive scenes, web pages that can play audio and video, and applications, which are active windows from software that Wallpaper Engine sets as the desktop background.
Application wallpapers are executable Windows applications that can include games, desktop widgets, and system monitoring tools. Kaspersky warns that the feature represents a built-in security risk and has been abused to deliver malware to Steam users.
According to the researchers, attackers have taken advantage of this security gap since at least late 2025, uploading malicious wallpaper files to the Steam Workshop and tricking users into installing them through Wallpaper Engine. (Bill Toulas / Bleeping Computer)
Related: Securelist, Kaspersky, Makeuseof, Tom's Guide, SC Media

Famed Hong Kong-headquartered Chinese bakery Kee Wah Bakery announced that its internal network system was hit by a malicious ransomware attack last week, potentially exposing the personal data of its employees, business partners, online customers, and loyalty program members.
The well-known local bakery chain discovered that its network system was failing to operate normally and subsequently received a ransom note.
In response, the company immediately engaged cybersecurity experts to implement emergency measures, which included blocking further intrusion, securing the system, performing maintenance, and launching an investigation into the breach.
While the affected database contains sensitive personal and corporate records, Kee Wah Bakery is still investigating and verifying the full extent of the incident. It has not yet been confirmed whether the data was successfully extracted by unauthorized parties or exactly what information was accessed.
However, taking a cautious approach, the company has begun proactively contacting individuals who might be affected, urging them to remain vigilant against potential security risks. (The Standard)
Related: South China Morning Post
Industrial code management and resiliency company Copia announced it had raised $26 million in a new funding round.
AE Ventures and Squadra Ventures co-led the round, joined by KAS Venture Partners, with continued support from existing investors Construct Capital, Lux Capital, Ironspring Ventures, and Renegade Partners. (Colin Campbell / Axios)
Related: PR Newswire, Pulse 2.0, citybiz
Databricks announced it had agreed to buy startup Panther Labs, as the US data analytics provider pushes deeper into the cybersecurity business.
The acquisition, Databricks' third in this area, furthers its aim to compete with security management incumbents like CrowdStrike and Cisco's Splunk. (Jeffrey Dastin / Reuters)
Related: SiliconANGLE, Databricks, Benzinga
Best Thing of the Day: Someone's Got to Fight for CISA
Senator Mark Warner (D-VA), the vice chairman of the Senate Intelligence Committee, is pressing CISA to provide data on its staffing levels, warning that workforce cuts over the last year may have weakened the agency’s ability to support state and local governments facing cyber threats.
Bonus Best Thing of the Day: Smart Cyber Talk Is Always Good
North Country Public Radio devoted nearly 30 minutes to an interview with Juan Andres Guerrero Saade to discuss, among many things, the state-sponsored cyber group Fast16 that developed cyber "weapons" that predate Stuxnet.
Worst Thing of the Day: You Know This Thing Is Going to Be Filled With Bugs
An app that alerts users to White House announcements and actions will soon be automatically installed on all mobile devices managed by the Department of Homeland Security.
