Trump ends US participation in organizations devoted to stronger cybersecurity
Prisoner swap sends alleged ransomware payment negotiator back to Russia, CISA retires ten emergency directives at once, Cambodian cybercrime kingpin extradited to China, Fugitive wanted for Desjardins breach arrested in Spain, Trans activists hacked Free Speech Union, much more

Help Metacurity continue to survive and thrive in 2026!
Metacurity depends on our paid subscribers to cover our not insignificant expenses. Please consider helping us to continue to not only survive but thrive during 2026 with more features and original content.
Upgrade your subscription today or donate what you can to support Metacurity. Thank you!
The Trump administration is withdrawing the United States from a handful of international organizations that work to strengthen cybersecurity.
As part of a broader pullback from 66 international organizations, the administration is leaving the Global Forum on Cyber Expertise, the Online Freedom Coalition, and the European Centre of Excellence for Countering Hybrid Threats.
Trump’s decision is in line with a president who has expressed hostility toward the existing international order, an approach critics fear creates a leadership power vacuum for US adversaries to fill.
“The Trump Administration has found these institutions to be redundant in their scope, mismanaged, unnecessary, wasteful, poorly run, captured by the interests of actors advancing their own agendas contrary to our own, or a threat to our nation’s sovereignty, freedoms, and general prosperity,” Secretary of State Marco Rubio said.
Rubio criticized the international organizations over “DEI mandates,” “‘gender equity’ campaigns,” and activities that “constrain American sovereignty.”
The Global Forum on Cyber Expertise works on issues such as critical infrastructure protection, cybercrime, cyber skills, policy, and emerging technology. Its members include nations and government organizations like Interpol, but also tech companies like Hewlett Packard, Mastercard, and Palo Alto Networks.
The forum says it supports gender inclusivity, asserting that “gender is a cross cutting issue with direct relevance to achieving international peace and security.”
A former president of the Global Forum on Cyber Expertise Foundation, Chris Painter, said he was “surprised” by the withdrawal.
“It’s a non-political capacity-building platform that the U.S. helped establish and that has done good work in the Western Balkans and Asian Pacific, among other places, that I think advances U.S. interests,” said Painter, also the former top cyber diplomat at the State Department.
The European Centre of Excellence for Countering Hybrid Threats works to protect its members, which include members of the North Atlantic Treaty Organization, from an array of threats, among them those that manifest in cyberspace.
The Trump administration also withdrew from other organizations whose work more tangentially touches on cybersecurity, such as the International Law Commission. (Tim Starks / CyberScoop)
Related: The White House, The State Department, The Cyber Express
A French researcher detained in Russia since 2024 was freed on Thursday in exchange for Daniil Kasatkin, a Russian professional basketball player held in France on suspicion of negotiating payments for a ransomware ring that hacked around 900 companies and two US government entities.
American officials had sought his extradition to the United States, French law enforcement officials have said.
The researcher, Laurent Vinatier, had worked as a consultant at a Switzerland-based nonprofit called the Centre for Humanitarian Dialogue, and was arrested on spying charges in June 2024. A Russian court had sentenced him to three years in prison in 2024 for collecting information about the Russian military as an unregistered foreign agent.
The swap was a rare instance of bilateral dealings between France and Russia since the Kremlin’s full-scale invasion of Ukraine in 2022. (Ségolène Le Stradic and Nataliya Vasilyeva / The New York Times)
Related: The Moscow Times, United24Media, Brussels Morning, France 24, Kyiv Post, Associated Press, Reuters
The US Cybersecurity and Infrastructure Security Agency (CISA) has retired 10 Emergency Directives issued between 2019 and 2024, saying that the required actions have been completed or are now covered by Binding Operational Directive 22-01.
CISA said this is the largest number of Emergency Directives it has closed at one time.
"By statute, CISA issues Emergency Directives to mitigate emerging threats rapidly and to minimize the impact by limiting directives to the shortest time possible," explains CISA.
"Following a comprehensive review of all active directives, CISA determined that required actions have been successfully implemented or are now encompassed through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities."
Binding Operational Directive 22-01 uses the agency's Known Exploited Vulnerabilities (KEV) catalog to alert federal civilian agencies of actively exploited flaws and when systems must be patched against them. (Lawrence Abrams / Bleeping Computer)
Related: CISA, Industrial Cyber, Cyber Press, The Record
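The KEV-driven deadline check that BOD 22-01 imposes on agencies can be reproduced against the catalog's published JSON shape. This is an added example, not CISA code or part of the original story: the field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) are those of the public KEV feed, while the catalog entries, the CVE identifiers and the software inventory below are constructed placeholders.

```python
"""Match a KEV catalog feed against a software inventory and report which
BOD 22-01 remediation deadlines are overdue.  Added example, not CISA code."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV feed; these are NOT real entries.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor",
         "product": "EdgeGateway", "vulnerabilityName": "Example RCE",
         "dateAdded": "2025-01-10", "dueDate": "2025-01-31",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor",
         "product": "EdgeGateway", "vulnerabilityName": "Example auth bypass",
         "dateAdded": "2026-01-20", "dueDate": "2026-02-10",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0003", "vendorProject": "OtherVendor",
         "product": "MailServer", "vulnerabilityName": "Example SSRF",
         "dateAdded": "2025-06-01", "dueDate": "2025-06-22",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed inventory of (vendor, product) pairs an agency actually runs.
INVENTORY = {("examplevendor", "edgegateway"), ("examplevendor", "lanswitch")}


def load_kev(text):
    """Parse the feed and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def _key(entry):
    # Normalise vendor/product so inventory matching is case-insensitive.
    return (entry["vendorProject"].strip().lower(),
            entry["product"].strip().lower())


def applicable(entries, inventory):
    """Keep only catalog entries whose vendor/product is in the inventory."""
    return [e for e in entries if _key(e) in inventory]


def classify(entries, inventory, today_iso):
    """Split applicable entries into (overdue, pending) cveID lists.

    An entry with a missing or malformed dueDate is treated as overdue,
    because silently skipping it would hide a directive obligation."""
    today = date.fromisoformat(today_iso)
    overdue, pending = [], []
    for e in applicable(entries, inventory):
        try:
            due = date.fromisoformat(e.get("dueDate", ""))
        except ValueError:
            overdue.append(e["cveID"])
            continue
        (overdue if due < today else pending).append(e["cveID"])
    return overdue, pending


def ransomware_flagged(entries):
    """cveIDs the catalog marks as used in known ransomware campaigns."""
    return [e["cveID"] for e in entries
            if e.get("knownRansomwareCampaignUse") == "Known"]


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    late, open_items = classify(kev, INVENTORY, "2026-01-30")
    print("overdue:", late, "pending:", open_items)
    print("ransomware-linked:", ransomware_flagged(kev))
```

Point the loader at the live feed instead of SAMPLE_KEV_JSON and at a real asset inventory to turn this into a daily compliance check.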
Cambodian authorities announced that Chen Zhi, a man who US federal prosecutors said ran one of the largest criminal networks in the world, relying on thousands of enslaved workers in Southeast Asia to bilk victims out of billions of dollars, has been arrested and extradited to China.
He is a citizen of several countries, including China and Cambodia, though the Cambodian government said his passport has been revoked. He was arrested in Cambodia, where his company is based, and extradited to China on Tuesday, according to a news release from Cambodia’s Ministry of the Interior.
Chen was the founder and chairman of the Prince Group, a Cambodian holding company that seemingly focused on luxury real estate. But in reality, federal prosecutors said, he used the company to mastermind an operation in which scammers persuaded unwitting victims to fork over their money, often via cryptocurrency.
Federal prosecutors in the Eastern District of New York announced Chen’s indictment in October, while he was still at large, and said that they had seized Bitcoin worth about $15 billion — proceeds from his scheme, they said. One of the networks that worked with Mr. Chen, prosecutors said, targeted more than 250 victims in Brooklyn and Queens, who lost more than $18 million. Other victims were in Russia, Taiwan, Vietnam, and other countries.
His extradition to China, which Cambodian authorities said followed months of cooperation between the two governments, complicates the chances that Chen will ever face justice in an American courtroom. The United States does not have an extradition agreement with China, an economic and geopolitical archrival. (Santul Nerkar / New York Times)
Related: The Standard, Hong Kong Free Press, BBC News
According to the Quebec provincial police, Juan Pablo Serrano, wanted since June 2024 in connection with a massive Desjardins data breach, was arrested in Spain.
Serrano was arrested on the evening of Nov. 6, 2025, thanks to a joint operation between Spanish authorities, provincial police, and Interpol, according to the release.
He was among the most wanted fugitives in Quebec and is wanted by the financial crimes and cybercrime investigation division as part of Project Portier, a large investigation into the Desjardins data breach.
The investigation began after it was revealed that the personal information of millions of Desjardins Group members had been shared with individuals outside the financial institution.
To locate Serrano abroad, provincial police say Interpol issued a red notice — a request to law enforcement worldwide to locate and arrest someone pending extradition.
Serrano is currently detained in Spain, and upon his extradition to Canada, he will face three charges: identity theft, fraud exceeding $5,000, and trafficking in identity information. (Rachel Watts / CNBC)
Related: Investment Executive, Global News, CTV News, Montreal Gazette
Trans activists have hacked into the website of the UK-based Free Speech Union (FSU) and published a list of its donors online.
A direct action group calling itself Bash Back said it had breached the FSU’s online security and was revealing the names of all those who had donated more than £50 over the past two years.
Hours after the list of names appeared online, the FSU obtained an emergency injunction from the High Court, forcing the group to remove the donor details.
Bash Back said it had hacked into the website of the FSU, which recently supported Graham Linehan, the comedy writer turned gender-critical campaigner.
In a post on its website, it wrote: “The Free Speech Union is a membership-based organisation which purports to protect free speech. In reality, they work to protect transphobes, racists, and anti-choice activists.” (Martin Evans / The Telegraph)
Related: them, Pink News, Hong Kong Free Press
Researchers at Chainalysis report that total value received by illicit cryptocurrency addresses climbed to $154 billion in 2025, representing a 162% increase over the previous year's revised total, a shift the blockchain intelligence firm said was mainly driven by a surge in activity linked to sanctioned entities, including state-level sanctions evasion.
Notably, Chainalysis emphasized that the $154 billion figure is a lower-bound estimate.
“A year from now, these totals will be higher as we continue to identify more illicit addresses and incorporate their historical activity into our estimates. For perspective, when we published last year's Crypto Crime Report, we reported $40.9 billion for 2024. One year later, our updated estimate for 2024 is substantially higher at $57.2 billion, with much of that growth coming from various types of illicit actor organizations providing on-chain infrastructure and laundering services for high-risk and illicit actors,” the Chainalysis team wrote.
Despite the record nominal value, the illicit share of all cryptocurrency transaction volume remains below 1%. Chainalysis noted its methodology generally excludes revenues from non-crypto-native crimes, such as traditional drug trafficking, where crypto is used only as a payment method, because such transactions are indistinguishable from legitimate activity using on-chain data alone. (Brian Danga / The Block)
Related: Chainalysis, Fortune, Bitcoin Magazine, BeInCrypto, CryptoPotato

The US Federal Bureau of Investigation warned that the North Korean state-sponsored hacker group Kimsuky is using malicious QR codes in spearphishing campaigns that target U.S. organizations.
The observed activity targets organizations involved in North Korea-related policy, research, and analysis, including non-governmental organizations, think tanks, academic institutions, strategic advisory firms, and government entities in the U.S.
The use of QR codes in phishing, a technique also known as "quishing," isn’t new; the FBI warned about it when cybercriminals used it to steal money, but it remains an effective security bypass.
Kimsuky (APT43) is a state-backed North Korean threat group that has been linked to multiple attacks where hackers posed as journalists, exploited known vulnerabilities, relied on supply-chain attacks, and used ClickFix tactics.
The FBI warns that in campaigns last year, Kimsuky-associated actors sent emails containing QR codes that redirected victims to malicious locations disguised as questionnaires, secure drives, or fake login pages.
The agency provided a set of four examples where Kimsuky relied on quishing to redirect targets to an attacker-controlled location. (Bill Toulas / Bleeping Computer)
Related: IC3, Infosecurity Magazine, Computing
Notorious spyware company NSO Group released a new transparency report as the company enters what it described as “a new phase of accountability.”
But the report, unlike NSO’s previous annual disclosures, lacks details about how many customers the company rejected, investigated, suspended, or terminated due to human rights abuses involving its surveillance tools. While the report contains promises to respect human rights and have controls to demand its customers do the same, the report provides no concrete evidence supporting either.
Experts and critics who have followed NSO and the spyware market for years believe the report is part of an effort and campaign by the company to get the U.S. government to remove the company from a blocklist — technically called the Entity List — as it hopes to enter the U.S. market with new financial backers and executives at the helm.
NSO’s newest transparency report does not include the total number of customers NSO has, a statistic that has been consistently present in previous reports. (Lorenzo Franceschi-Bicchierai / TechCrunch)
Related: NSO Group, Mezha, NewsBytes
Group-IB researchers report that a new wave of Android malware has been enabling cybercriminals to carry out unauthorized tap-to-pay transactions without physical access to victims’ bank cards.
The activity involves NFC-enabled applications sold and promoted within Chinese-language cybercrime communities on Telegram.
More than 54 malicious APK samples have been identified, many disguised as legitimate financial or payment apps. Once installed, the malware allows attackers to relay near-field communication (NFC) data remotely, making fraudulent transactions appear as legitimate in-person payments.
Victims are typically targeted through smishing and vishing campaigns. They are persuaded to install the malicious app and tap their payment card against their phone. From there, card data is transmitted via a command-and-control (C2) server to a criminal-controlled device, which completes transactions using illicitly obtained point-of-sale (POS) terminals.
The firm advised financial institutions to raise awareness around smishing and vishing campaigns, monitor for rapid card enrolments in mobile wallets, and watch for transactions occurring in quick succession across broad geographic areas.
Group-IB also urged stronger merchant vetting and improved know-your-customer (KYC) checks, alongside the use of threat intelligence and fraud protection tools to detect malicious applications and abnormal behavior on user devices. (Alessandro Mascellino / Infosecurity Magazine)
Related: Group-IB, GBHackers, SC Media

Researchers at Cisco Talos report that a sophisticated threat actor that uses Linux-based malware to target telecommunications providers, which they call UAT-7290, has recently broadened its operations to include organizations in Southeastern Europe.
The actor shows strong China nexus indicators and typically focuses on telcos in South Asia in cyber-espionage operations.
Active since at least 2022, the UAT-7290 group also serves as an initial access group by establishing an Operational Relay Box (ORB) infrastructure during the attacks, which is then utilized by other China-aligned threat actors.
According to the researchers, the hackers conduct extensive reconnaissance before a breach and deploy a mix of custom and open-source malware and public exploits for known flaws in edge network devices.
"UAT-7290 leverages one-day exploits and target-specific SSH brute force to compromise public-facing edge devices to gain initial access and escalate privileges on compromised systems," Cisco Talos says. (Bill Toulas / Bleeping Computer)
Related: Cisco Talos, Industrial Cyber, Infosecurity Magazine, Security Affairs, Cyber Security News, Computing
Researchers at Huntress report that Chinese-speaking threat actors used a compromised SonicWall VPN appliance to deliver a VMware ESXi exploit toolkit that seems to have been developed more than a year before the targeted vulnerabilities became publicly known.
The hackers used a sophisticated virtual machine (VM) escape that likely exploited three VMware vulnerabilities disclosed as zero-days in March 2025, only one of which was deemed critical.
Huntress assesses that initial access likely came through a compromised SonicWall VPN. The attacker used a compromised Domain Admin account to pivot via RDP to domain controllers, stage data for exfiltration, and run an exploit chain that breaks out of a guest VM into the ESXi hypervisor.
The researchers believe that the threat actor may have a modular approach, where they separate the post-exploitation tools from the exploits. This would allow them to use the same infrastructure and switch to new vulnerabilities.
They are moderately confident that the exploit toolkit leverages three vulnerabilities that Broadcom disclosed last March. Their assessment is based on the exploit's behavior, including the use of HGFS for an information leak, VMCI for memory corruption, and shellcode that escapes to the kernel.
However, they could not confirm with 100% certainty that it's the same exploitation Broadcom disclosed in its original bulletin on the three zero-days.
Huntress thinks the toolkit was developed by a well-resourced developer operating in a Chinese-speaking region.
Although the researchers are highly confident that SonicWall VPN was the initial entry vector, they recommend that organizations apply the latest ESXi security updates and use the provided YARA and Sigma rules for early detection. (Bill Toulas / Bleeping Computer)
Related: Huntress, Cyber Press, Security Week, Cyber Security News

Y Combinator-backed decentralized wallet Kontigo was attacked for the second time thus far in 2026 when someone attempted to compromise its authentication processes for accessing user wallets.
Kontigo said it contained the situation and activated protection protocols, including temporarily disabling platform access while they rolled out a new update.
On Jan. 5, Kontigo reported an attack that resulted in the theft of approximately 340,000 USDC, affecting approximately 1,005 users. The company later announced that it would improve its security measures and reimburse all affected Kontigo users.
According to comments on X, the reimbursement was successfully executed, leaving only a few users with support issues unrelated to the hack. (José Rafael Peña Gholam / Coinspeaker)
Related: Ledger Insights, Bloomberg, PYMNTS
The National Security Agency has a new leadership roster for its cybersecurity directorate as the agency waits for its first Senate-confirmed chief in more than nine months.
David Imbordino, an NSA senior executive who is currently serving as the directorate’s deputy chief, will take the reins in an acting capacity at the end of the month, according to three people familiar with the matter.
Holly Baroody, a senior official at the agency in the United Kingdom, will return as planned from her assignment this summer to be the directorate’s acting No. 2, according to these people. All were granted anonymity to speak candidly about personnel matters.
“The National Security Agency cannot confirm or deny any potential personnel changes,” an agency spokesperson said in a statement.
The cybersecurity directorate has been without a permanent head since early last year, when its top leaders left the NSA. Greg Smithberger, the agency’s previous top man in the U.K., who has led the organization in an acting capacity, is retiring at the end of the month.
Established in 2019, the directorate marked a shift for a spy agency once known as “No Such Agency.”
At the time, there were widespread concerns that the U.S. was too reluctant to more broadly share intelligence about potential foreign digital threats, and better collaboration was needed with critical infrastructure providers and industry. (Martin Matishak / The Record)
Data security startup Cyera announced it had raised $400 million in a Series F venture funding round.
Funds managed by Blackstone led the round with participation of all inside investors, including Accel, Coatue, Cyberstarts, Georgian, Greenoaks, Lightspeed Venture Partners, Redpoint, Sapphire, Sequoia Capital, and Spark. (Julie Bort / TechCrunch)
Related: Business Wire, Bank Info Security, The Times of Israel, Fortune, Globes, CTech, PYMNTS, Silicon Angle, FinTech Global, TechRepublic, Security Week, CRN, Axios, Tech in Asia, The Business Journals
Cybersecurity giant CrowdStrike announced that it is buying identity management startup SGNL in a deal valued at nearly $740 million as the cybersecurity provider beefs up defenses in the age of artificial intelligence cyberattacks.
The acquisition will help users of CrowdStrike’s Falcon cloud security platform better manage human and AI identity access requests and real-time risks, the company said. The deal is expected to close in the first quarter of the 2027 fiscal year.
“This is a massive opportunity for our customers to be able to protect themselves, and a massive opportunity for us to disrupt the identity market,” CEO George Kurtz said in an exclusive interview with CNBC.
He said the deal will help advance CrowdStrike’s foothold in the multibillion-dollar identity security business, which totaled $435 million at the end of the second quarter and has become one of the most significant attack vectors. (Samantha Subin / CNBC)
Related: CrowdStrike, SGNL, Security Week, Investors Business Daily, The Register, Techzine, CyberScoop, Silicon Republic, Silicon Angle, CRN, The Business Journals, ChannelE2E, Silicon Valley Business, The Register, CyberScoop, Reuters, Benzinga, Capital Brief, CSO Online
ThreatModeler, a cybersecurity company that helps developers identify vulnerabilities in their applications, announced it is acquiring its largest competitor to mitigate emerging threats rapidly, in a deal reportedly worth over $100 million.
ThreatModeler CEO Matt Jones said that his company’s goal is to “democratize” the practice of vulnerability detection at a time when many must rely on basic tools from larger platforms like Microsoft or turn to AI for threat modeling, which Jones argues is insufficient and can lead to massive risks.
Jones said the acquisition will let ThreatModeler keep pace as firms are scaling up their coding capacity like never before. “For us to be able to bring the two leaders together,” he said, “We can be much more aggressive on [our] roadmap.” (Leo Schwartz / Fortune)
Related: PR Newswire, Silicon Angle
Best Thing of the Day: Hackers to the Rescue of ICE Fighters
EFF has rounded up a list of enterprising hackers who have started projects to do counter-surveillance against ICE, and hopefully protect their communities through clever use of technology.
Worst Thing of the Day: And ICE Doesn't Need No Stinkin' Warrant for This
Penlink, a social media and phone surveillance system ICE bought access to, is designed to monitor a city neighborhood or block for mobile phones, track the movements of those devices and their owners over time, and follow them from their places of work to home or other locations.
Closing Thought
