Best infosec-related long reads for the week of 6/7/25

How the SEC missed the likely culprits in its 2017 hack, How a quiet engineer controls Telegram, When a Canadian teen spied for Russia, Cybercrime group document shows that Russia doubts China, Modern militaries rely on lightweight tools and superior spycraft, AI's delusional rabbit holes


Happy Saturday morning! Metacurity is pleased to offer our free and premium subscribers this weekly digest of the best long-form (and longish) infosec-related pieces we couldn't properly fit into our daily news crush. So tell us what you think, and feel free to share your favorite long reads via email at info@metacurity.com.

If you enjoy our weekly selection of top infosec-related long reads, please consider upgrading your subscription to support our work. Thank you!

The SEC Pinned Its Hack on a Few Hapless Day Traders. The Full Story Is Far More Troubling

In this colorful tale of intrigue and foreign locales, Bloomberg's Liam Vaughan casts a jaundiced eye on the official SEC version of events regarding the 2017 hack of the agency's Edgar database, reporting that the Commission spent its investigative energy on low-level scapegoats to give itself a clean bill of health while the most culpable parties remained at large.

The SEC has invested heavily in data analysis tools to detect improbably successful trading. At this effort’s heart is a system called Artemis, a nod to the Greek goddess of the hunt, which parses trading records and account-holder data for signs of suspicious activity.
As investigators looked for potential recipients of inside information, they landed on Sungjin Cho and David Kwon, a pair of party-loving day traders who lived a couple of miles from each other in Koreatown, Los Angeles. Over four months in 2016, Cho (who was 36 and also owned an apartment in Bangkok) had traded ahead of earnings more than a hundred times, making $1.2 million. Kwon had made in excess of $400,000. Their buying and selling lined up closely with that of a Ukrainian named Ivan Olefir, who along with two friends earned more than $800,000.
The investigators found Cho and Olefir had also enjoyed a hot streak between 2012 and 2014, trading in many of the companies whose filings were stolen by Ieremenko during the newswires hacks.
Cho co-owned CY Group, a small trading firm in LA that provided capital and cheap access to US exchanges to independent traders around the world, including Olefir and several others in Kyiv. The firm was already under investigation by another SEC unit for acting as a broker without a license.
In May 2017, at the Hyatt Regency in Kyiv, Kuprina met with LaTulip, some other Secret Service agents and a member of Ukraine’s cyberpolice. In broken English, she told the story of the Edgar hack.
After Ieremenko’s newswires ring was broken, he’d joined with Radchenko, a wealthy farmer’s son he knew from Kyiv’s nightlife. Radchenko had big ambitions but limited technical skills. “He’s a script kiddie,” Kuprina scoffed.
According to Kuprina, the pair concocted a plan for Ieremenko to hack the mother lode, the SEC itself, and for Radchenko to monetize it via his connections in Russian and Ukrainian politics and organized crime. They rented an office in Kyiv and registered a firm in the UK with the legitimate-sounding name Benjamin Capital to attract outside investors.
Ieremenko discovered an area of Edgar where companies could upload test filings to check for formatting errors ahead of publication. Some used fake figures, but many didn’t. Soon Ieremenko was downloading hundreds of test filings a week. Radchenko sold the filings and splurged on bottle service and a Bentley. By the time the SEC patched up the vulnerability in October 2016, the pair had fallen out.
At that point, Radchenko recruited Kuprina. In less than two weeks, she broke into Edgar, she told the agents. She hijacked authorized users’ temporary access to the network. She launched phishing attacks, sending emails with infected links to administrators that appeared to come from their SEC colleagues. She located a flaw in the webpage for making complaints. She found a log listing headlines for unpublished filings. “There were so many vulnerabilities there you cannot f---ing imagine,” she told me. Between October 2016 and March 2017, Kuprina downloaded dozens more documents containing material nonpublic information.
After the meeting, LaTulip relayed what he’d heard to the DOJ, which passed it along to the SEC. But, according to sources who worked on the investigations, attorneys at the SEC’s enforcement division struggled to believe the agency was a target: The SEC scrupulously avoids retaining price-sensitive information, they insisted.
A week later, DOJ prosecutors flew to Kyiv to question Kuprina themselves. This time Kuprina brought her red-and-blue notepad and thumb drives. They revealed not just what filings she’d obtained and how, but also what Ieremenko had been up to before she got involved.
It took the SEC’s IT staff four months to corroborate Kuprina’s account. “We kept going back to them and saying, ‘You need to look again,’” one prosecutor recalls. When they finally found the hackers’ fingerprints, the truth was inescapable: The source for the suspicious trading the SEC had been tracking for months was the SEC itself.

Telegram, the FSB, and the Man in the Middle

In a collaboration between Important Stories and the Organized Crime and Corruption Reporting Project (OCCRP), journalists Roman Anin and Nikita Kondratyev investigated a Russian network engineer named Vladimir Vedeneev, who controls thousands of Telegram IP addresses and maintains its servers, documenting his history of collaborating with Russia’s defense sector, the FSB security service, and other Russian agencies.

When reporters investigated who controls the infrastructure that keeps Telegram’s billions of messages flowing, they found a man with no public profile but unparalleled access: Vladimir Vedeneev, a 45-year-old network engineer.
Vedeneev owns the company that maintains Telegram’s networking equipment and assigns thousands of its IP addresses. Court documents show that he was granted exclusive access to some of Telegram’s servers and was even empowered to sign contracts on Telegram’s behalf.
There is no evidence that this company has worked with the Russian government or provided any data. But two other closely linked Vedeneev companies — one of which also assigns Telegram IP addresses, and another which did so until 2020 — have had multiple highly sensitive clients tied to the security services. Among their clients is the FSB intelligence agency; a secretive “research computing center” that helped plan the invasion of Ukraine and developed tools to deanonymize internet users; and a flagship state-owned nuclear research laboratory.
“If true, this reporting highlights the dangerous disconnect between what many believe about Telegram’s security and privacy features, and the reality,” said John Scott-Railton, a Senior Researcher at The Citizen Lab. “When people don’t know what is actually going on, but assume they have metadata privacy, they can unknowingly make risky choices, bringing danger to themselves and the people they’re communicating with. This is doubly true if the Russian government sees them as a threat.”
A Ukrainian IT specialist who spoke with reporters on condition of anonymity said that the Russian military has used “man-in-the-middle” type surveillance in his country after capturing network infrastructure.
"You get physical access to the data transmission channel and install your equipment there,” he said. “In such an attack, the hackers aren’t even interested so much in the user's correspondence. They get metadata to analyze. And that means IP addresses, user locations, who exchanges data packets with whom, the kind of data it is… really, all possible information.”

Russia recruited a teenage spy. His arrest led to a crypto money trail

Reuters' Mari Saito, Anna Koper, Anton Zverev, Filipp Lebedev, and Polina Nikolskaya tell the tale of Canadian teenager Laken Pavan, now imprisoned in Poland, who was funded by cryptocurrency to serve as an untrained spy for Russia after the country's diplomats and operatives were expelled from Europe in 2022.

On April 16, 2024, Pavan flew from Vancouver to Moscow via Istanbul and hired a driver to take him to occupied Donetsk. There, he crashed in the basement headquarters of the Interbrigades, a volunteer group, which according to the organisation's social media account was set up in 2014 to gather mercenaries to fight for Russia in Donetsk and the neighboring Ukrainian region of Luhansk and to organize humanitarian projects for civilians. The group's name refers to the Spanish Civil War, when leftists from many countries arrived in Spain to fight for the International Brigades against Francisco Franco's rebels.
Pavan was two months shy of 18, fair-haired and lanky. He had inquired about enlisting but was told he had to first turn 18 under Russian law, according to a message he sent a foreign fighter from Spain. For about a week, he volunteered around Donetsk with the Interbrigades and helped rebuild a school.
Wilmer Puello-Mota, an American former airman who fled to Russia after being charged with possession of child sexual abuse material, told Reuters he encountered Pavan in Donetsk, where the Canadian tried unsuccessfully to join the Russian army.
Puello-Mota, who described the U.S. allegations against him as unfair, is now serving in Russia’s military.
“Everybody he talked to down there, we told him, go home,” said Puello-Mota, whose contacts with Pavan appear in the court documents. He said Pavan did nothing more than volunteer for the Interbrigades for a day or two, as the court documents also indicated. Puello-Mota said the espionage allegations made by Poland against the teen made no sense.
In late April, Pavan was out drinking in Donetsk when he was arrested. He told Polish prosecutors he was questioned about his family and friends at the police station by men who said they were from the FSB. The men put a bag over his head and drove him to a second location, where they interrogated him again, asking also about his travel plans around Europe. None of them gave Pavan their names.
Eventually, he told prosecutors, he was taken to the Central hotel in Donetsk, a tall building with a glass facade in the heart of the occupied city. There he was grilled repeatedly by a group of at least six FSB officers and one man who said he was from Russia’s Foreign Intelligence Service. After several days, they gave him instructions.
After returning to Europe, Pavan was to lose his passport to conceal his trip to Russia and begin working for Russia’s security services.
“This work was to consist of traveling around Europe and taking photos. In Ukraine, on the other hand, I was to enlist in the Ukrainian army; I was to receive detailed instructions for this later, after arriving in Ukraine,” Pavan told Polish prosecutors, according to a copy of his testimony seen by Reuters. The teen did not speak Russian, Ukrainian or Polish.
The Russian men used a combination of threats and inducements to get him to agree, Pavan told Polish authorities. In exchange for his work, he’d get Russian citizenship and an apartment in any Russian city of his choosing. If he didn’t comply, he would be killed, he told prosecutors.

Secret Russian Intelligence Document Shows Deep Suspicion of China

The New York Times' Jacob Judah, Paul Sonne, and Anton Troianovski reveal that, according to a document leaked by the cybercrime group Ares Leaks, deep in the corridors of Lubyanka, the headquarters of Russia’s FSB domestic security agency, a secret intelligence unit warns, among other things, that China is spying on the Russian military’s operations in Ukraine to learn about Western weapons and warfare.

Three days before Mr. Putin invaded Ukraine in 2022, the F.S.B. approved a new counterintelligence program called “Entente-4,” the document reveals. The code name, an apparent tongue-in-cheek reference to Moscow’s growing friendship with Beijing, belied the initiative’s real intent: to prevent Chinese spies from undermining Russian interests.
The timing almost certainly was not accidental. Russia was diverting nearly all of its military and spy resources to Ukraine, more than 4,000 miles from its border with China, and most likely worried that Beijing could try to capitalize on this distraction.
Since then, according to the document, the F.S.B. observed China doing just that. Chinese intelligence agents stepped up efforts to recruit Russian officials, experts, journalists and businesspeople close to power in Moscow, the document says.
To counter this, the F.S.B. instructed its officers to intercept the “threat” and “prevent the transfer of important strategic information to the Chinese.” Officers were ordered to conduct in-person meetings with Russian citizens who work closely with China and warn them that Beijing was trying to take advantage of Russia and obtain advanced scientific research, according to the document.
The F.S.B. ordered “the constant accumulation of information about users” on the Chinese messaging app WeChat. That included hacking phones of espionage targets and analyzing the data in a special software tool held by a unit of the F.S.B., the document says.

How We Obtained and Vetted a Russian Intelligence Document

The New York Times' Jacob Judah and Paul Sonne explain how they vetted the complete FSB counterintelligence document about China that was provided to them by the cybercrime group Ares Leaks.

We took the document to six Western intelligence agencies. All of them confirmed that it appeared authentic, based on its format and content. A few agencies told us that the content was consistent with intelligence that they had collected independently. One went so far as to say that the content was consistent with what it knew about Russia’s views on China and its penetration of Chinese communications.
The Times also confirmed some details from the document. For instance, we established — independent of the Western intelligence sources we consulted — that the Russian government had in fact been conducting “precautionary briefings” with Russians who travel to China for work.
The other samples that Ares Leaks provided were just snippets. They included warnings about handling informants, details of cyberoperations and analyses of Western operations against Russia. Without knowing the context, though, they were hard to analyze and vet.
How Ares Leaks acquired these documents is unclear. The group did not answer when asked. Russian agencies have been hacked before. Perhaps an F.S.B. officer mishandled them or had them stolen. Maybe an insider sold or leaked them, or Ares grabbed them from another criminal group.
Ares Leaks first emerged selling hacked corporate databases four years ago, according to Analyst1, a cybersecurity firm based in Virginia. Ares Leaks specializes in selling sensitive government documents and regularly posts that it is looking to buy information on militaries and governments — with Russia, China, France, Britain and Japan among its priorities.
The market for such documents is niche, with few buyers beyond intelligence agencies having a clear incentive to pay big money for this kind of insight.

Modern Tech and Old-School Spycraft Are Redefining War

The Wall Street Journal's Yaroslav Trofimov, Drew Hinshaw, and Joe Parkinson delve into how modern militaries now use drones, communications networks, smaller but more powerful batteries and explosives, and superior spycraft to determine the outcomes of wars.

“Technology today allows you many new possibilities: There is a larger surface where you can actually detect places where your enemy is vulnerable due to the fact that you can bypass a lot of physical barriers that in the past you couldn’t bypass,” said Eyal Tsir Cohen, a former senior division director of Israel’s Mossad intelligence service.
Yet, he added, many of the same technologies can also empower one’s opponents. “It always works both ways—it depends on which side is more sophisticated in exploiting the vulnerabilities of the other side,” Cohen said. “You need good people to work with technology—technology rides on the shoulders of the human factor and not vice versa.”
Ultimately, success in this rapidly changing world depends on the ability to anticipate the new opportunities—something that big powers such as Russia and perhaps the U.S., can be slow to understand as the very nature of warfare evolves.
“The failure of thinking through the insecurities of the supply chain on the part of Hezbollah and the astounding failure by Russia—those were failures of imagination,” said Brian Katulis, a senior fellow at the Middle East Institute. The new way of war redresses the balance of power in favor of weaker actors, he added: “If you can punch above your weight while also having limited costs and blowback to yourself, it can level the playing field.”
Israel’s multistage operation to intercept and booby-trap pagers used by Hezbollah, then the militia commanders’ walkie-talkies, followed up by targeted strikes that killed leader Hassan Nasrallah last September and wiped out most of the organization’s leadership, reshaped—at least temporarily—the balance of power in the entire Middle East.
In that campaign, the result of a yearslong effort to infiltrate Hezbollah and its Iranian sponsors, Israel didn’t just dramatically weaken the U.S.-designated terrorist group, its most formidable immediate foe that has lost its stranglehold over Lebanon’s government. Israel also helped create conditions for the downfall of Bashar al-Assad’s regime in Syria two months later and the overall shrinking of Iran’s regional power.

They Asked an A.I. Chatbot Questions. The Answers Sent Them Spiraling.

The New York Times' Kashmir Hill presents disturbing evidence that generative AI bots can lead users down conspiratorial and mystical rabbit holes, causing them to break from reality and even fall into delusional spirals.

In recent months, tech journalists at The New York Times have received quite a few such messages, sent by people who claim to have unlocked hidden knowledge with the help of ChatGPT, which then instructed them to blow the whistle on what they had uncovered. People claimed a range of discoveries: A.I. spiritual awakenings, cognitive weapons, a plan by tech billionaires to end human civilization so they can have the planet to themselves. But in each case, the person had been persuaded that ChatGPT had revealed a profound and world-altering truth.
Journalists aren’t the only ones getting these messages. ChatGPT has directed such users to some high-profile subject matter experts, like Eliezer Yudkowsky, a decision theorist and an author of a forthcoming book, “If Anyone Builds It, Everyone Dies: Why Superhuman A.I. Would Kill Us All.” Mr. Yudkowsky said OpenAI might have primed ChatGPT to entertain the delusions of users by optimizing its chatbot for “engagement” — creating conversations that keep a user hooked.
“What does a human slowly going insane look like to a corporation?” Mr. Yudkowsky asked in an interview. “It looks like an additional monthly user.”
Generative A.I. chatbots are “giant masses of inscrutable numbers,” Mr. Yudkowsky said, and the companies making them don’t know exactly why they behave the way that they do. This potentially makes this problem a hard one to solve. “Some tiny fraction of the population is the most susceptible to being shoved around by A.I.,” Mr. Yudkowsky said, and they are the ones sending “crank emails” about the discoveries they’re making with chatbots. But, he noted, there may be other people “being driven more quietly insane in other ways.”
Reports of chatbots going off the rails seem to have increased since April, when OpenAI briefly released a version of ChatGPT that was overly sycophantic. The update made the A.I. bot try too hard to please users by “validating doubts, fueling anger, urging impulsive actions or reinforcing negative emotions,” the company wrote in a blog post. The company said it had begun rolling back the update within days, but these experiences predate that version of the chatbot and have continued since. Stories about “ChatGPT-induced psychosis” litter Reddit. Unsettled influencers are channeling “A.I. prophets” on social media.
