Cybersecurity

Hackers stole millions from Bitcoin Depot wallets

OpenAI readies its own vulnerability hunting system, Handala breached the devices of former IDF chief, Hackers published data from China's supercomputer, Hundreds of unprotected and unencrypted Modbus devices are exposed on the internet, Hack-for-hire attacks are targeting journalists, much more

Cynthia B Brumfield

09 Apr 2026 — 12 min read

Source: Ajay Suresh from New York, NY, USA

Metacurity is the only daily cybersecurity briefing built for clarity, not agendas—no vendor spin, no echo chamber, just sharp, original aggregation and analysis of what actually matters to security leaders.

If you rely on Metacurity to cut through the noise on policy, industry shifts, and security research, consider supporting us with a paid subscription. Independent coverage like this only exists because readers decide it’s worth it.

Upgrade my subscription now

Bitcoin Depot, which operates one of the largest Bitcoin ATM networks, said in an SEC filing that attackers stole $3.665 million worth of Bitcoin from its crypto wallets after breaching its systems last month.

The company discovered the attack on March 23 after detecting suspicious activity on some of its IT systems.

While it took immediate measures to contain the breach, the attackers had time to steal credentials to digital asset settlement accounts and transfer over 50 Bitcoin from Bitcoin Depot's wallets before their access was blocked.

While it has insurance coverage for cyber-attacks, Bitcoin Depot says that this might not cover all losses directly resulting from the attack. (Sergiu Gatlan / Bleeping Computer)

According to a source, OpenAI is finalizing a model with advanced cybersecurity capabilities that it plans to release only to a small set of companies, similar to Anthropic's limited rollout of Mythos.

Anthropic announced plans to limit access to its new Mythos Preview model to a handpicked group of technology and cybersecurity companies over fears of its advanced hacking capabilities.

OpenAI introduced its "Trusted Access for Cyber" pilot program in February after rolling out GPT-5.3-Codex, the company's most cyber-capable reasoning model.

Organizations in the invite-only program are given access to "even more cyber capable or permissive models to accelerate legitimate defensive work," according to a blog post. (Sam Sabin / Axios)

The Iran-linked Handala hacking group claimed to have breached devices belonging to former Israel Defense Forces chief of staff Herzi Halevi, publishing a trove of footage of the ex-general, who stepped down last year.

On its website, Handala claimed that it had “for years… silently and invisibly been right inside the system” of Halevi, and during that time collected “more than 19,000 confidential images and videos from the most secret meetings.”

“All your top-secret facilities, crisis rooms, maps, and even the tiniest details of your command centers have long been like an open book to us,” the group claimed.

The hacker group published dozens of photos and videos showing Halevi touring military bases, meeting with pilots, holding briefings and meetings, and working out in his office.

Several photos of the former army chief’s family life were also published, along with the ID cards of Halevi and his wife. The footage also revealed several meetings and visits that had previously not been disclosed to the public. (Emanuel Fabian / The Times of Israel)

A hacker allegedly stole a massive trove of sensitive data – including highly classified defense documents and missile schematics – from a state-run Chinese supercomputer in what could potentially constitute the largest known heist of data from China.

The dataset, which allegedly contains more than 10 petabytes of sensitive information, is believed by experts to have been obtained from the National Supercomputing Center (NSCC) in Tianjin – a centralized hub that provides infrastructure services for more than 6,000 clients across China, including advanced science and defense agencies.

Cyber experts who have spoken to the alleged hacker and reviewed samples of the stolen data they posted online say they appeared to gain entry to the massive computer with comparative ease and were able to siphon out huge amounts of data over the course of multiple months without being detected.

An account calling itself FlamingChina posted a sample of the alleged dataset on an anonymous Telegram channel on February 6, claiming it contained “research across various fields including aerospace engineering, military research, bioinformatics, fusion simulation and more.” (Isaac Yee / CNN)

Researchers at Comparitech conducted a scan for internet-facing unprotected and unencrypted Modbus devices, which enable the sensors and controllers used in power grids, factories, and other industrial systems, and identified 179 suspected industrial control devices responding on port 502, the default port used by the Modbus protocol.

One ICS device was identified as being part of a national railway network. Railways use ICS devices to help with everything from train routing to signaling. The exposure of such devices could present a serious operational and safety risk.

Two other devices (one in Asia and one in Europe) formed part of their respective country’s national power grid infrastructure. In the energy supply sector, ICS devices can be used to monitor consumption and control electrical distribution.

The United States had the most (57) exposed industrial control devices, followed by Sweden (22) and Turkey (19). (Justin Schamotta / Comparitech)

Location of the exposed devices. Source: Comparitech.

Researchers from the digital rights organization Access Now documented three instances of hack-for-hire attacks over 2023 through 2025 against two Egyptian journalists and a journalist in Lebanon whose case was also documented by the digital rights organization SMEX.

Mobile cybersecurity company Lookout also investigated these attacks. The three organizations collaborated with each other and published separate reports on Wednesday.

According to Lookout, the attacks go beyond members of Egyptian and Lebanese civil society, and include targets in the Bahraini and Egyptian governments, as well as targets in the United Arab Emirates, Saudi Arabia, the United Kingdom, and potentially the United States or alums of American universities.

Lookout concluded that the hackers behind this espionage campaign work for a hack-for-hire vendor with connections to BITTER APT, a hacking group that cybersecurity companies suspect has ties to the Indian government. (Lorenzo Franceschi-Bicchierai / TechCrunch)

Ukraine's National Police’s Main Investigative Department reports that the police uncovered an organized group that, with the help of malicious software, seized cryptocurrency worth one million hryvnias (around $23,000).

According to law enforcement, group members identified potential victims in thematic Telegram communities and offered “support” in cryptocurrency trading. Later, they sent links to specially created web resources that imitate legitimate trading platforms, but contained malicious software, the so-called crypto-drainers.

In only one documented case, the suspects seized over 95 thousand USDT, equivalent to nearly 4 million hryvnias; in another, more than a thousand USDT.

The obtained virtual assets, according to law enforcement, were laundered by the criminals: they conducted financial operations, transferred between crypto wallets, converted into cash, and masked their origin.

The police conducted 20 simultaneous searches at the suspects’ places of residence and in an office. They seized computer equipment, mobile phones, funds, drafts, and printed records that confirm illicit activity. (Mezha)

Related: Prosecutor's General Office

European train travel company Eurail B.V. notified US regulators this week about a data breach impacting 308,777 people.

The company filed breach notices in several states, warning about an incident that occurred in December.

Eurail B.V. is based in the Netherlands and is owned by over 35 European railway and ferry companies, offering travelers specific passes that can be used to traverse Europe’s rail system.

The letters, sent to victims in Oregon, Texas, California, and other states, say names and passport numbers were stolen during the attack.

In February, a hacker claimed the attack and said they stole 1.3 TB of data that included source code, database backups, and Zendesk support tickets. The hacker claimed Eurail declined to negotiate with them, prompting them to go public with the theft. (Jonathan Greig / The Record)

Researchers from RSAC Research report that Apple Intelligence's on-device AI can be manipulated by attackers using prompt injection techniques with a high success rate and potential access to sensitive user data.

They unveiled a method to circumvent Apple's security measures. They achieved a 76% success rate in 100 tests by employing adversarial prompts and Unicode obfuscation.

These findings were shared with Apple on October 15, 2025. The focus was on the on-device large language model embedded in Apple's operating systems, which is accessible to third-party applications.

They successfully bypassed Apple's security measures by employing a combination of two innovative techniques. The first method, known as "Neural Exec," involves crafting adversarial inputs that seem nonsensical to humans but consistently elicit specific actions from language models.

Attackers are leveraging Unicode's right-to-left override feature to conceal malicious instructions by reversing text, which still renders correctly to the model. The method, combined with other techniques, enables them to circumvent both internal guardrails and external filters.

As a result, the model is compelled to produce output controlled by the attackers.

There's no evidence of active exploitation in the wild, so the vulnerability is still theoretical. (Andrew Orr / Apple Insider)

Related: RSA Conference

Prompt that allows bypassing the LLM’s internal guardrails and the input and output filters, with the response the user sees. Source: RSAC.

A Washington, DC federal appeals court declined to block the Pentagon's national security ban of AI ‌company Anthropic for now, a win for the Trump administration that comes after another appeals court came to the opposite conclusion in a separate legal challenge by Anthropic.

A panel of judges of the US Court of Appeals for the District of Columbia Circuit denied Anthropic's bid to pause the designation while the case plays out. The decision is not a final ruling.

An Anthropic spokeswoman said in a statement following Wednesday's ruling that the company is confident the court will ultimately agree the supply-chain risk designation is unlawful.

The lawsuit is one of two Anthropic filed over Hegseth’s unprecedented move, which came after Anthropic refused to allow the military to use AI chatbot Claude for US surveillance or autonomous weapons due to safety and ‌ethics ⁠concerns. (Jack Queen / Reuters)

WireGuard, the major software project and VPN that underpins popular security software, including Mullvad and other developer accounts have found themselves locked out of a key part of its Microsoft developer account and unable to ship software updates to Windows users for failing to comply with mandatory account verification updates.

Jason Donenfeld, the creator of the open source WireGuard VPN software, said that he has been locked out of his Microsoft developer account, and as a result, cannot sign drivers or ship updates for WireGuard for Windows users, which are critical for its software to run. Donenfeld said in a post on X on Wednesday that the account termination stopped a WireGuard update from shipping.

It’s the second such incident of a high-profile and widely used open source project being shut out from its customers due to a seemingly abrupt account termination from Microsoft, with popular encryption software VeraCrypt facing a similar circumstance. Both developers said Microsoft locked them out of their accounts without first alerting them.

In the case of VeraCrypt, which is used by hundreds of thousands of users to encrypt files and operating systems, its developer, Mounir Idrassi, said that being locked out of his account means he is unable to update the software in time for a crucial certificate authority expiry, which he said may prevent some users from booting up.

Donenfeld, the WireGuard developer, said: “If there were a critical vulnerability to fix right now — there isn’t! I just mean hypothetically — then users would be totally exposed.”

He also said that he found a page on Microsoft’s website saying that the company had been carrying out “mandatory account verification for all partners in the Windows Hardware Program who have not completed account verification since April 2024,” but that the verification program had since closed.

That account verification process meant that developers were required to upload their government-issued ID before they were allowed to publish potentially highly sensitive code to the broader Windows user base. (Zack Whittaker / TechCrunch)

Microsoft account suspension message (Jason A. Donenfeld).

eCommerce security company Sansec discovered a massive campaign impacting nearly 100 online stores using the Magento e-commerce platform that hides credit card-stealing code in a pixel-sized Scalable Vector Graphics (SVG) image.

When clicking the checkout button, the victim is shown a convincing overlay that can validate card details and billing data.

The researchers believe that the attacker likely gained access by exploiting the PolyShell vulnerability disclosed in mid-March. They warn that more than half of all vulnerable stores were targeted in PolyShell attacks, which, in some cases, deployed payment card skimmers using WebRTC for stealthy data exfiltration.

Website owners/admins are advised to apply all available mitigations and, if possible, upgrade Magento to the latest beta release. (Bill Toulas / Bleeping Computer)

Related: Sansec

South Korean financial services company Lotte Card has been notified by the country's financial watchdog that it is liable for around 5 billion won ($3.38 million) in financial penalties and a business suspension of over four months over a massive data leak, informed sources said.

The Financial Supervisory Service recently sent a notice to the credit card firm, with the penalties set to be finalized by the Financial Services Commission in the near future, according to the sources.

Lotte Card's online payment system was hacked last year, resulting in the leak of personal information of about 2.97 million customers.

It was also found that the company did not take sufficient encryption measures for the log files.

Earlier this month, the state data protection watchdog separately decided to impose a penalty of 9.62 billion won, or around $6.5 million, on Lotte Card. (Yonhap News)

British art auction house Christie, Manson & Woods, known as Christie's, faces a 280 million won ($189,000) penalty surcharge for leaking the personal information of 620 Korean clients after its system was hacked through a voice phishing scheme, the Personal Information Protection Commission said.

At a plenary meeting held the previous day, the commission imposed the fine along with an additional 7.2 million won (around $4,865) in fines for violations of Korea’s data protection law. It also ordered the company to disclose details of the sanctions on its website. (Lim Jae-seong / The Korea Herald)

According to Google Threat Intelligence Group, a threat actor tracked as UNC6783 is compromising business process outsourcing (BPO) providers to gain access to high-value companies across multiple sectors.

Google said dozens of corporate entities have been targeted through this method to exfiltrate sensitive data for extortion.

Austin Larsen, GTIG principal threat analyst, says that UNC6783 typically relies on social engineering and phishing campaigns to compromise BPOs working with targeted companies.

However, there have been instances where the hackers have also contacted support and helpdesk staff within targeted organizations, in an attempt to obtain direct access.

The researchers say that UNC6783 may be linked to Raccoon, a persona known to have targeted multiple BPOs that provide services to large companies.

One leading hacking group known as Handala said after the ceasefire announcement that it was temporarily postponing attacks on the US but would continue to target Israel.

It vowed to revive its efforts against America when the time was right — demonstrating again how digital warfare has become ingrained in military conflict.

Already, the two-week ceasefire appears at risk of fraying over significant disagreements between the parties, each of which is claiming victory in the war. (David Klepper / Associated Press)

Related: Dow Jones Risk Journal

CISA has given US government agencies four days to secure their systems against a critical-severity vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that has been exploited in attacks since January.

Tracked as CVE-2026-1340, this critical-severity code injection flaw enables threat actors without privileges to gain remote code execution on Internet-exposed and unpatched EPMM appliances.

Ivanti flagged this and a second security bug (CVE-2026-1281) as abused in zero-day attacks when it released security updates on January 29 to patch both vulnerabilities and "strongly" encouraged all customers to update their systems to block ongoing exploitation.

Internet security watchdog group Shadowserver is currently tracking nearly 950 IP addresses with Ivanti EPMM fingerprints still exposed online, most of them from Europe (569) and North America (206). However, there is no information on how many of them have already been patched.

Related: CISA, Security Affairs, CRN

Ivanti EPMM appliances exposed online . Source: Shadowserver.

Best Thing of the Day: A Shameful Chapter Closes

Department of Homeland Security employees who have gone unpaid through nearly two months of a partial government shutdown will start receiving paychecks this week.

Worst Thing of the Day: A Bald-Faced Lie and We Know It

Russian Foreign Ministry spokeswoman Maria ‌Zakharova said that Ukrainian intelligence assessments that Russian and Iranian hackers have joined forces are false.