Ex-Trenchant exec gets 7+ years for selling hacking tools to Russian zero-day broker
Rubio orders diplomats to fight against data sovereignty, UNC2814 breached 53 organizations, Anthropic PBC’s chatbot attacked the Mexican government, DHS sued for scanning protestors' faces, Wynn Resorts almost certainly paid ransom, Discord postpones age verification policy, much more
Don't miss my latest CSO feature that examines how boards don't need more cyber metrics; they need risk signals so they can understand the exposure, trajectory, and consequences of the threats their organizations face.
Metacurity is a daily intelligence layer for people who must stay current on the critical happenings in the cybersecurity realm.
We scan thousands of sources on the web to decode the narrative, surface overlooked signals, and connect the dots others miss.
Every day, Metacurity delivers independent, analytical, and daily intelligence that sits outside the cybersecurity echo chamber and reputation economy of other newsletters. Along with the headline-grabbing news items, Metacurity delivers news of developments you won't see in other cybersecurity newsletters.
Please consider supporting Metacurity's continued existence by upgrading your subscription. Thank you.
Peter Williams, the Australian-born former executive of Trenchant who pleaded guilty last year to selling his company's software hacking tools to a zero-day broker in Russia, was sentenced today to seven years and three months in federal prison.
The US Treasury Department simultaneously announced today that it was sanctioning the owner of the Russian zero-day firm that purchased the stolen tools from the executive, as well as the owner's Petersburg-based zero-day firm – Operation Zero – and several other associates and related zero-day firms.
Williams admitted last October to stealing at least eight "software trade secrets" from his former US employer over a three-year period, beginning in 2022. He also admitted to receiving millions of dollars in cryptocurrency payments in exchange for selling the stolen hacking tools.
The government had asked the court to sentence Williams to nine years in prison in addition to imposing a fine of $250,000 and mandatory restitution of $35 million for losses incurred by the theft and sale of the tools. When the FBI confronted Williams with his crimes during an interview with him last year, he admitted to the sale of the tools and estimated to the bureau that at least two of the software tools he sold to the Russian buyer amounted to a loss of about $35 million for Trenchant.
Williams’ background added another layer noted in court. Prosecutors said he previously served in the Australian Signals Directorate, Australia’s foreign signals intelligence agency. Trenchant’s origins are also part of the record: it was formed after L3Harris acquired Azimuth Security and Linchpin Labs, Australian firms associated with exploit development.
Neither Trenchant nor L3Harris is accused of wrongdoing in the criminal case.
A hearing for further restitution related to the $35 million in losses is scheduled for May. (Kim Zetter / Zero Day, Greg Otto/CyberScoop)
Related: Treasury, State Department, NextGov, CyberScoop, CoinDesk, The Record, TechCrunch, TechCrunch, The Block, Security Affairs, Bleeping Computer, crypto.news, Eurasia Review, Security Affairs, Help Net Security, The Stack, The Cyber Express, Cyber Security News, iTnews
In a State Department cable dated February 18 and signed by US Secretary of State Marco Rubio, the Trump administration ordered US diplomats to lobby against attempts to regulate US tech companies' handling of foreigners' data.
The cable said such laws would "disrupt global data flows, increase costs and cybersecurity risks, limit Artificial Intelligence (AI) and cloud services, and expand government control in ways that can undermine civil liberties and enable censorship."
The cable said the Trump administration was pushing for "a more assertive international data policy" and that diplomats should "counter unnecessarily burdensome regulations, such as data localization mandates."
Data sovereignty initiatives have gathered pace, particularly in Europe, amid flaring tensions between the United States and the European Union over Washington's protectionist trade policies and support for far-right political parties.
The dominance of US artificial intelligence companies - many of which draw on massive stores of personal data to power their models - has underlined European concerns around privacy and surveillance. Officials across the continent have increased pressure on American social media giants, too.
Bert Hubert, a Dutch cloud computing expert and former member of the board that regulates the Dutch intelligence services, said Europe's increasing wariness of America's tech companies may be spurring Washington to take a more aggressive tack.
“Where the previous administration attempted to woo European customers, the current one is demanding that Europeans disregard their own data privacy regulations that could hinder American business," he said. (Raphael Satter and Alexandra Alper / Reuters)
Related: Modern Diplomacy

Google disrupted a Chinese-linked hacking group, tracked as UNC2814 and Gallium, that breached at least 53 organizations across 42 countries.
Google and unnamed partners terminated Google Cloud projects controlled by the hacking group, identified and disabled the internet infrastructure it was using, and disabled accounts the group used to access Google Sheets, which it used to carry out its targeting and data theft operations.
Using Google Sheets allowed the group to evade detection and blend into normal network traffic and was not a compromise of any Google product, the company added.
Google declined to identify the compromised entities, but said in one case the group had installed a backdoor Google calls “GRIDTIDE” on a system containing full names, phone numbers, dates of birth, place of birth, voter ID, and national ID numbers.
The targeting is consistent with efforts to identify and track select targets, the company said. “Similar campaigns have been used to exfiltrate call data records, monitor SMS messages, and even monitor targeted individuals through the telco’s lawful intercept capabilities.” (A.J. Vicens / Reuters)
Related: Google Cloud

Israeli cybersecurity startup Gambit Security said that a hacker exploited Anthropic PBC’s artificial intelligence chatbot to carry out a series of attacks against Mexican government agencies, resulting in the theft of a huge trove of sensitive tax and voter information, according to cybersecurity researchers.
The unknown Claude user wrote Spanish-language prompts for the chatbot to act as an elite hacker, finding vulnerabilities in government networks, writing computer scripts to exploit them, and determining ways to automate data theft, according to the research.
The activity started in December and continued for roughly a month. In all, 150 gigabytes of Mexican government data were stolen, including documents related to 195 million taxpayer records as well as voter records, government employee credentials, and civil registry files, according to the researchers.
Gambit hasn’t attributed the attack to a specific group, though researchers said they don’t believe they are tied to a foreign government.
The hacker breached Mexico’s federal tax authority and the national electoral institute, Gambit said. State governments in Mexico, Jalisco, Michoacán, and Tamaulipas, as well as Mexico City’s civil registry and Monterrey’s water utility, were also compromised.
Claude initially warned the unknown user of malicious intent during their conversation about the Mexican government, but eventually complied with the attacker’s requests and executed thousands of commands on government computer networks, the researchers said.
Anthropic investigated Gambit’s claims, disrupted the activity, and banned the accounts involved, a representative said. The company feeds examples of malicious activity back into Claude to learn from it, and one of its latest AI models, Claude Opus 4.6, includes probes that can disrupt misuse, the representative said. (Andrew Martin and Carolina Millan / Bloomberg)
A class action lawsuit against the US Department of Homeland Security and a number of its sub-agencies argues that they are violating the First Amendment and are taking actions "designed to chill, suppress, and control speech that they do not like" by scanning the faces of civil protestors and storing them in a database.
The suit, filed by the legal nonprofit Protect Democracy and the law firms Dunn Isaacson Rhee and Drummond Woodsum, alleges federal agents are unconstitutionally retaliating against people who are lawfully observing and recording federal immigration enforcement operations by gathering their personal information and labeling them domestic terrorists.
"Plaintiffs must either abandon their constitutional rights or accept being cataloged and branded as 'domestic terrorists,'" reads the lawsuit, which was filed in federal district court in Maine on Monday. "That is a choice the Constitution does not require Plaintiffs, or anyone, to make."
After the lawsuit was filed Monday, DHS told NPR in a statement: "There is NO database of 'domestic terrorists' run by DHS. We do of course monitor and investigate and refer all threats, assaults and obstruction of our officers to the appropriate law enforcement. Obstructing and assaulting law enforcement is a felony and a federal crime. Our law enforcement methods follow the U.S. Constitution."
Related: Project Democracy, The Register, The Portland Press Herald, News Center Maine, Politico
It appears that Wynn Resorts has quietly paid the ransom demanded by the threat group ShinyHunters, without confirming that it did so, while claiming that the hackers deleted the stolen data.
For anyone familiar with how extortion typically plays out, that's a bold leap of faith. However, Wynn appears satisfied enough to include the assurance in its first official statement since prolific cybercrime crew ShinyHunters claimed credit for the attack last week.
"We have learned that an unauthorized third party acquired certain employee data," a Wynn Resorts spokesperson said. "Upon discovery, we immediately activated our incident response protocols and launched a thorough investigation with the help of external cybersecurity experts."
The hackers gave Wynn Resorts a Feb. 23, 2026, deadline to get in touch. (Scott Roeben / Casino.org and Connor Jones / The Register)
Related: Las Vegas Review-Journal, CDC Gaming, Bleeping Computer, Reuters, Guru Focus, The Record
Discord, the popular platform for gamers to communicate online, is postponing its controversial age verification policy after receiving swift backlash from users with concerns about their privacy.
The global rollout of the system is now delayed to the second half of 2026, Discord’s Chief Technology Officer and co-founder Stanislav Vishnevskiy wrote in a Tuesday blog post acknowledging that the company “missed the mark.”
“Many of you are worried that this is just another big tech company finding new ways to collect your personal data. That we’re creating a problem to justify invasive solutions,” Vishnevskiy wrote. “I get that skepticism. It’s earned, not just toward us, but toward the entire tech industry. But that’s not what we’re doing.”
Discord, which says it has more than 200 million active users, will continue to meet specific legal obligations it has for age verification of users, the company said, but the global expansion of age verification will only come after it makes changes to the initial policy it laid out in early February. (Kaitlyn Huamani / Reuters)
Related: Discord, Mashable, Games Industry Biz, The News Digital, BBC News, Tech-Economic Times, IBTimes.co.uk : Technology, Korea Times News, IGN All, Digit, Metacurity, Neowin
Researchers with the domain protection platform Have I Been Squatted have uncovered and taken down the infrastructure of a phishing operation run by Russian cybercriminals targeting freight companies in the US and Europe.
Over a five-month period, the group, dubbed Diesel Vortex, stole more than 1,600 login credentials from accounts at logistics platforms, which allowed thieves to intercept and divert freight shipments and commit check fraud.
The researchers found an exposed .git directory, which revealed the ins and outs of the operation, including messages sent between the cybercriminals.
The leaked repository exposed a phishing-as-a-service platform that was in the works to be marketed to customers as “MC Profit Always,” a likely reference to “motor carriers.”
The Diesel Vortex cybercriminals built phishing infrastructure targeting users of the platforms that power the freight and logistics industries, like load boards — marketplaces where shippers, brokers, and carriers connect — fleet management portals, and fuel card systems.
They impersonated carriers and brokers and were able to access freight systems. Messages seem to show them engaged in “double-brokering,” when loads are booked with a stolen carrier identity before the freight is reassigned to a different carrier.
The researchers were able to find the outfit’s organizational map, revealing a sophisticated operation including a call center, mail support, and employees responsible for connecting with drivers and other logistics contacts. (James Reddick / The Record)
Related: Have I Been Squatted, Bleeping Computer

Nearly 140,000 people are affected by a data breach disclosed by healthcare diagnostic company Vikor Scientific, a figure that came to light in recent days on the healthcare data breach tracker maintained by the US Department of Health and Human Services (HHS).
However, the narrative is not straightforward. HHS’s tracker lists the South Carolina-based molecular diagnostics company Vikor Scientific (recently rebranded as Vanta Diagnostics) as the victim of a data breach that compromised the information of 139,964 individuals.
The incident came to light in November 2025, when the Everest ransomware group listed Vikor Scientific, along with affiliated diagnostic laboratory companies KorPath and Korgene, on its leak website. The cybercriminals later published data allegedly stolen from the companies.
However, the cybercriminals did not target Vikor and its affiliates directly. The data breach appears to stem from Catalyst RCM, a provider of revenue cycle management solutions.
Catalyst published a data breach notice on its website earlier this month, revealing that it detected suspicious activity within its secure file management system in mid-November 2025. An investigation showed that compromised credentials had been used to access data. (Eduard Kovacs / Security Week)
Related: SC Media, Security Affairs, The HIPAA Journal, Catalyst RPM, California Attorney General
Air Côte d'Ivoire, the main airline serving the West African nation of Côte d'Ivoire, was hit with a cyberattack earlier this month that forced it to institute business continuity plans.
The airline released a statement on Friday confirming reports that hackers had breached its systems on Feb. 8. Last week, the INC ransomware gang claimed it stole 208 GB of data from the airline.
In its statement, the airline said the cyberattack “affected parts of its information system,” and it had to call in technical teams to assist with flights and other operations.
The airline is partially owned by Air France, which did not respond to requests for comment. Air Côte d'Ivoire said it sent a notification of the incident to France’s National Agency for the Security of Information Systems (ANSSI) and the Ivory Coast Telecommunications Regulatory Authority (ARTCI). (Jonathan Greig / The Record)
Mountain View City Council in California voted unanimously to cancel its contract with Flock Safety, an automated license plate reader company, after federal and state agencies accessed data from city cameras without permission.
The council heard from dozens of residents of both Mountain View and nearby cities, urging council members to end the contract and not replace Flock’s cameras with another company’s.
Mountain View Police Chief Mike Canfield announced Feb. 2 that he was shutting down the city’s 30 Flock cameras after data breaches were discovered.
“While the Flock Safety pilot program demonstrated clear value in enhancing our ability to protect our community and help us solve crimes, I personally no longer have confidence in this particular vendor,” Canfield said in a letter to the community. (Palo Alto Daily Post)
Related: CBS News, Mountain View Voice
New York-based ad tech company Optimizely has notified an undisclosed number of customers of a data breach after threat actors compromised some of its systems in a voice phishing attack.
In breach notification letters sent to affected customers, the company said the threat actors reached out on February 11, claiming they had access to its systems.
Optimizely also said that the attackers breached some of its systems and stole what it described as "basic business contact information."
"The threat actor gained access to Optimizely's systems through a sophisticated voice-phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment, and we have no evidence that the threat actor was able to access sensitive customer data or personal information beyond basic business contact information," it said.
While Optimizely didn't share how many customers had their information exposed in the data breach and has yet to name the threat actor behind the attack, it told affected customers that "the communication we received is consistent with the behavior of a loosely affiliated group who use sophisticated and aggressive social engineering tactics, most often involving voice phishing, to attempt to access their victims' systems."
This hints that the attackers are likely part of the ShinyHunters extortion operation, which has claimed similar breaches at Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub, fintech firm Figure, and online dating giant Match Group (which owns multiple popular dating services, including Tinder, Hinge, Meetic, Match.com, and OkCupid) in recent weeks. (Sergiu Gatlan / Bleeping Computer)
Related: SC Media, Security Week, TechRadar
Marquis is suing its firewall provider, SonicWall, claiming that an earlier breach allowed hackers to steal sensitive information about customer firewalls that led to a ransomware attack on Marquis’ network.
The lawsuit, filed Monday in the US District Court for the Eastern District of Texas, seeks a jury trial. It claims the 2025 breach at SonicWall “exposed critical security information for Marquis and every customer that used SonicWall’s firewall cloud backup service.”
Marquis’ chief executive Satin Mirchandani said that SonicWall allegedly failed to secure its backup service, which caused the company to suffer “significant reputational, operational, and financial harm.”
News of the lawsuit comes weeks after TechCrunch reported that Marquis was planning to seek compensation from SonicWall. The Plano, Texas-based fintech giant had told its customers that it blamed SonicWall for allowing hackers to steal sensitive information about customer firewall configuration files, including its own. (Zack Whittaker / TechCrunch)
Related: Cybersecurity Insiders
Korean online retail giant Coupang said that about 200,000 of its Taiwanese users were included in the massive data breach of some 3.3 million accounts, an incident initially announced in November.
According to Coupang, Mandiant, an American cybersecurity firm and a Google subsidiary, has confirmed that Taiwan-based accounts were part of the data breach. However, it said the perpetrator retained data from only one of those accounts.
“The data accessed from Taiwanese accounts was also limited to basic contact and order information: name, email address, phone number, delivery address, and limited order histories,” said Coupang. “No financial or payment card data, login credentials (e.g., passwords), or government-issued IDs were accessed from any Taiwan-based account.”
Although there was no evidence that user accounts in Taiwan were impacted when the incident was first announced, Coupang said it has been working closely with Taiwan’s Ministry of Digital Affairs from the beginning.
Coupang offered vouchers worth about $31 for the owners of the affected user accounts in Taiwan. (Kan Hyeong-woo / The Korea Herald)
Related: Taipei Times, Tech in Asia, KBS World, The Korea Bizwire
Defense Secretary Pete Hegseth gave Anthropic CEO Dario Amodei until Friday evening to give the military unfettered access to its AI model or face harsh penalties.
Hegseth told Amodei in a tense meeting on Tuesday that the Pentagon will either cut ties and declare Anthropic a "supply chain risk" or invoke the Defense Production Act to force the company to tailor its model to the military's needs.
The Pentagon wants to punish Anthropic as the feud over AI safeguards grows increasingly nasty, but officials are also worried about the consequences of losing access to its industry-leading model, Claude.
At the same time, and in an unrelated development, company officials say Anthropic is dropping the central pledge of its flagship safety policy.
In 2023, Anthropic committed to never train an AI system unless it could guarantee in advance that the company’s safety measures were adequate. For years, its leaders touted that promise—the central pillar of their Responsible Scaling Policy (RSP)—as evidence that they are a responsible company that would withstand market incentives to rush to develop a potentially dangerous technology.
But in recent months, the company decided to overhaul the RSP radically. That decision included scrapping the promise not to release AI models if Anthropic can’t guarantee proper risk mitigation in advance.
“We felt that it wouldn't actually help anyone for us to stop training AI models,” Anthropic’s chief science officer said. “We didn't really feel, with the rapid advance of AI, that it made sense for us to make unilateral commitments … if competitors are blazing ahead.”
The new version of the policy includes commitments to be more transparent about the safety risks of AI, including making additional disclosures about how Anthropic’s own models fare in safety testing. It commits to matching or surpassing the safety efforts of competitors. And it promises to “delay” Anthropic’s AI development if leaders both consider Anthropic to be the leader of the AI race and think the risks of catastrophe to be significant. (Dave Lawler, Maria Curi / Axios and Billy Perrigo / Newsweek)
Related: Associated Press, Reuters, BBC, The Guardian, The Verge, TechCrunch, SiliconANGLE, San Francisco Chronicle, Semafor, Gizmodo, CNN, Associated Press, Politico, Tech in Asia, Bloomberg, New York Post, Implicator.ai, Washington Post, The Information, New York Times, CNBC, Associated Press, Bloomberg, Wall Street Journal, Yahoo Finance, Bloomberg Law, CBS News, TechSpective, TechCrunch, Axios, Bloomberg, Financial Times, r/neoliberal, r/technology, r/Anthropic, r/ClaudeAI, r/centrist, Slashdot, r/military
Russia has launched a criminal investigation into the Telegram founder, Pavel Durov, on suspicion of “abetting terrorist activities”, further escalating the Kremlin’s standoff with the widely used messaging app.
The state newspaper Rossiyskaya Gazeta reported on Tuesday that a case had been opened “based on materials from Russia’s federal security service”, which accused the app of being compromised by Western and Ukrainian intelligence.
Durov, who lives abroad, criticised the investigation against him, describing it as an attempt to “suppress the right to privacy and free speech”.
“A sad spectacle of a state afraid of its own people,” he wrote on social media.
Earlier this month, Moscow announced it would slow down Telegram’s traffic because of what it said were multiple violations, as the Kremlin attempts to steer tens of millions of Russian users towards a state-controlled alternative, known as MAX.
The strategy forms part of the Kremlin’s push to build a “sovereign internet”, an online space tightly controlled by the state.
Asked about the investigation into Durov, the Kremlin spokesperson, Dmitry Peskov, said authorities had identified quantities of material on Telegram that could “potentially pose a threat” to Russia. (Pjotr Sauer / The Guardian)
Related: Financial Times, Euronews, Associated Press, The New York Times, Reuters, The Moscow Times, The Times, Ukrainska Pravda, POLITICO EU, CyberInsider, New York Daily News
Microsoft has warned that threat actors are weaponizing malicious Next.js repositories to compromise developers through what appear to be legitimate projects and recruiting-style technical assessments.
The campaign abuses normal workflows in Visual Studio Code and Node.js to reach a staged command-and-control (C2) backdoor without relying on traditional malware installers.
Attackers publish repositories that appear to be real Next.js projects or technical assessment exercises, then rely on developers to open, build, or run them locally.
The investigation started from suspicious outbound connections made by Node.js processes to attacker infrastructure over HTTP port 3000, which repeatedly beaconed in short intervals.
According to Microsoft Defender Experts, the activity is part of a coordinated developer-targeting campaign using job-themed lures to blend into routine coding tasks. (Mayura Kathir / GBHackers)
Related: Microsoft, Cyber Security News, InfoWorld, Cyber Press
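The beaconing pattern Microsoft describes above (Node.js processes repeatedly reaching attacker infrastructure on TCP port 3000 at short, regular intervals) is something a defender can hunt for in endpoint network telemetry. The Python below is an added example written for this item; it is not Microsoft's detection logic and nothing in it comes from the report. The log format, host names and IP addresses are constructed, and the thresholds (at least four connections, a median gap of two minutes or less, low variance between gaps) are assumptions to tune. Because a local `next dev` server legitimately listens on port 3000, loopback and RFC 1918 destinations are excluded so that ordinary development traffic does not alert.

```python
"""Hunt for periodic Node.js connections to external hosts on port 3000.

Hypothetical detection logic written for this newsletter item. The log
format and every sample event below are constructed, not real telemetry.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# One event per line: timestamp, host, process image, destination, dest port.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) process=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

# Constructed sample. Group 1 mimics the reported pattern (node.exe to an
# external IP on :3000 every 30 s). Group 2 is a local `next dev` server.
# Group 3 is irregular HTTPS traffic. Group 4 is a browser, not Node.js.
SAMPLE_EVENTS = """
2026-02-24T10:00:00Z host=dev-laptop-01 process=node.exe dst=203.0.113.10 dport=3000
2026-02-24T10:00:30Z host=dev-laptop-01 process=node.exe dst=203.0.113.10 dport=3000
2026-02-24T10:01:00Z host=dev-laptop-01 process=node.exe dst=203.0.113.10 dport=3000
2026-02-24T10:01:30Z host=dev-laptop-01 process=node.exe dst=203.0.113.10 dport=3000
2026-02-24T10:02:00Z host=dev-laptop-01 process=node.exe dst=203.0.113.10 dport=3000
2026-02-24T10:00:05Z host=dev-laptop-01 process=node.exe dst=127.0.0.1 dport=3000
2026-02-24T10:00:07Z host=dev-laptop-01 process=node.exe dst=127.0.0.1 dport=3000
2026-02-24T10:00:09Z host=dev-laptop-01 process=node.exe dst=127.0.0.1 dport=3000
2026-02-24T10:00:11Z host=dev-laptop-01 process=node.exe dst=127.0.0.1 dport=3000
2026-02-24T10:00:13Z host=dev-laptop-01 process=node.exe dst=127.0.0.1 dport=3000
2026-02-24T10:00:02Z host=dev-laptop-02 process=node dst=198.51.100.7 dport=443
2026-02-24T10:17:44Z host=dev-laptop-02 process=node dst=198.51.100.7 dport=443
2026-02-24T11:05:01Z host=dev-laptop-02 process=node dst=198.51.100.7 dport=443
2026-02-24T10:03:00Z host=dev-laptop-03 process=chrome.exe dst=203.0.113.10 dport=3000
2026-02-24T10:03:30Z host=dev-laptop-03 process=chrome.exe dst=203.0.113.10 dport=3000
"""

NODE_PROCESSES = {"node", "node.exe"}

# Ranges where a connection to :3000 is expected (local dev server, a
# colleague's box on the LAN). Listed explicitly rather than via
# ip.is_private, which would also swallow the documentation ranges above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]


def is_internal(dst: str) -> bool:
    """True for loopback, link-local and RFC 1918 destinations."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False  # a hostname: treat as external and let the analyst decide
    return any(ip in net for net in INTERNAL_NETS)


def parse_events(text: str):
    """Parse log lines into (timestamp, host, process, dst, dport) tuples."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing the hunt
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["host"], m["proc"], m["dst"], int(m["dport"])))
    return events


def find_beacons(text: str, ports=frozenset({3000}), min_hits=4,
                 max_median_gap=120.0, max_cv=0.25):
    """Return one finding per (host, process, dst, port) that beacons regularly.

    Regularity is measured as the coefficient of variation of the gaps between
    consecutive connections; a low value means the interval is near-constant.
    """
    groups = defaultdict(list)
    for ts, host, proc, dst, dport in parse_events(text):
        if dport in ports and proc.lower() in NODE_PROCESSES and not is_internal(dst):
            groups[(host, proc, dst, dport)].append(ts)

    findings = []
    for (host, proc, dst, dport), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        median_gap = statistics.median(gaps)
        if median_gap <= max_median_gap and cv <= max_cv:
            findings.append({"host": host, "process": proc, "dst": dst, "dport": dport,
                             "hits": len(stamps), "median_gap_s": median_gap,
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_EVENTS):
        print(f"ALERT {f['host']}: {f['process']} -> {f['dst']}:{f['dport']} "
              f"({f['hits']} hits, median gap {f['median_gap_s']:.0f}s, cv {f['cv']})")
```

Run against the constructed sample, only the first group alerts: the loopback traffic is excluded as a normal dev server, the HTTPS connections are on another port and irregular, and the browser is not a Node.js process. The process-name filter is a hint rather than a rule; when triaging a hit, pivot to the process command line and the repository path it was launched from, since the lure here is a cloned project that the developer opened or built deliberately.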
Best Thing of the Day: Prosecutors Looking Into Odido Breach
The Public Prosecution Service in the Netherlands is looking into a large-scale cyberattack at telecom provider Odido, which resulted in the theft of millions of customer records after public reports to the Centraal Meldpunt Identiteitsfraude (CMI) surged.
Worst Thing of the Day: Like a Dying Star Drifting in Space
There’s a large consensus, if not total unanimity, among those who have worked with and for the Cybersecurity and Infrastructure Security Agency that it's unprepared for a crisis.
Closing Thought
