White House opens backchannel to Anthropic as Pentagon fight simmers

Anthropic gave NSA access to Mythos Preview, Anthropic's donation to open source developers highlights how under-resourced they are, Asian regulators urge banks to use Mythos, LayerZero-powered cross-chain bridge Kelp DAO lost $292m in DPRK exploit, much more



According to sources, Treasury Secretary Scott Bessent joined a meeting on Friday between White House chief of staff Susie Wiles and Anthropic CEO Dario Amodei.

Anthropic is building tools that could have enormous implications for the federal government. But that same government is currently fighting Anthropic in court after the Pentagon declared it a "supply chain risk." The meeting points to a potential thaw.

In the meeting, Wiles was circumspect about the Pentagon aspect, saying, "It's in court." But she made clear that the government needs a relationship with Anthropic, and she wants an open line of communication, one source said.

The discussion covered how Anthropic is safeguarding its code and how the company makes decisions around things like when and how to release new models. (Maria Curi, Marc Caputo, Dave Lawler / Axios)

Related: New York Times, The Information, TechCrunch, Fox News, The Next Web, Washington Post, Politico, Implicator.ai, Benzinga, BBC, Reuters, Tech in Asia, The Hill, Bloomberg Law, CNBC, UPI, New York Post, Quartz, NewsMax.com, Blockonomi, KDFX-TV, Washington Examiner, Gizmodo, The Verge, Bloomberg, MarketWatch, Reuters, Wall Street Journal, Crypto Briefing, Breitbart, Politico, The Decoder, New York Times, The Japan Times, Benzinga, International Business Times, DataBreaches.Net, CyberPress

Sources say the National Security Agency is using Anthropic's most powerful model yet, Mythos Preview, despite top officials at the Department of Defense — which oversees the NSA — insisting the company is a "supply chain risk."

It's unclear how the NSA is currently using Mythos, but other organizations with access to the model are using it predominantly to scan their own environments for exploitable security vulnerabilities.

Anthropic restricted access to Mythos to around 40 organizations, contending that its offensive cyber capabilities were too dangerous to allow for a wider release. Anthropic only announced 12 of those organizations. One source said the NSA was among the unnamed agencies with access.

The NSA's counterparts in the U.K. have said they have access to the model through the country's AI Security Institute. (Maria Curi, Sam Sabin / Axios)

Related: Reuters, The Information, The Decoder, Business Today, crypto.news, DigiTimes, Implicator.ai, NewsMax.com, Engadget, Tech in Asia, Yahoo News, Bloomberg, Hacker News, r/politics, r/ArtificialInteligence, r/Anthropic, r/technology, r/Intelligence

Anthropic's donation of $4 million to help open source software developers scan their projects for vulnerabilities using its Mythos model underscored that the sector’s current sky-high valuations depend, at least in part, on open-source software maintained by small, under-resourced teams.

As code is maintained and bugs are fixed, it accrues what software maintainers call “cruft” — remnants of legacy code left within software that can break things or be exploited, and keeping track of things can get tricky.

The problem is that while the number of AI eyes looking for problems has increased, the number of people fixing those problems when they arise hasn’t. And — so far — humans are still the final link in the chain, even as AI’s autonomous code-writing capabilities increase exponentially.

Mythos may eventually alleviate the stress on maintainers, securing code for millions of users who rely on it. (Chris Stokel-Walker / Bloomberg)

Related: CTech, The Register, GovTech, HotAir, DevOps.com

Regulators across Asia are stepping up scrutiny of cybersecurity risks in their financial systems, as concerns over Anthropic PBC’s latest AI model, Mythos, spread.

Singapore’s financial regulator is urging banks to plug holes, while South Korea’s government agencies have met to review and discuss how to respond to the risks. In Australia, authorities expect lenders to be vigilant to ensure clients aren’t put at risk by inadequate controls.

The actions around the region reflect rising global concern over Mythos as regulators discuss with financial firms how they are handling the cybersecurity risks raised by the model, which has so far been given only a limited release. Anthropic held back a wider release after finding the model was capable of discovering security holes that have gone undetected for years, fueling alarm about a potential new era of cybersecurity attacks. (Rthvika Suvarna, Richard Henderson, and Haram Lim / Bloomberg)

On April 18, the LayerZero-powered cross-chain bridge Kelp DAO lost 116,500 rsETH tokens valued at around $292 million, making it the largest DeFi exploit so far this year.

"Preliminary indicators suggest attribution to a highly sophisticated state actor, likely DPRK’s Lazarus Group, more specifically TraderTraitor," LayerZero wrote in its latest statement.

LayerZero explained that the attacker gained access to the list of RPC nodes used by LayerZero Labs' decentralized verifier network (DVN); DVNs are independent entities that verify cross-chain messages.

The attacker then poisoned two of those RPC nodes, causing them to deliver a fake cross-chain message to the DVN. The attacker launched a DDoS attack against the clean nodes to lead the DVN to rely on the poisoned nodes. (Danny Park / The Block)

Related: The Block, CoinDesk, CryptoNinjas, CoinGape, Blockchain.News, Blockonomi, crypto.news, Crypto Briefing, Tech in Asia, Cointelegraph, CoinGape, Coinpedia Fintech News, Bloomberg, Mezha, Blockhead, NullTX, DL News, Decrypt, CoinDesk, crypto.news, CryptoSlate, Blockonomi, Yahoo Finance, Blockchain.News, Bitcoin News, Cointelegraph, Crypto Briefing, Bitcoinist.com, The Defiant

Ethereum Name Service gateway eth.limo was briefly hijacked at its domain registrar on Friday evening via a social engineering attack, the project said.

At 7:07 p.m. EDT on April 17, an attacker impersonated an eth.limo team member to trick registrar EasyDNS into running an account recovery process, according to the post-mortem and a separate blog post from EasyDNS CEO Mark Jeftovic.

The attacker flipped eth.limo's nameservers to Cloudflare at 2:23 a.m. EDT on April 18, triggering automated downtime alerts that woke the eth.limo team. The nameservers were then switched again to Namecheap at 3:57 a.m. EDT before EasyDNS restored the team's account access at 7:49 a.m. EDT, per the timeline.

eth.limo is a free, open-source reverse proxy that lets users reach ENS-linked content hosted on IPFS, Arweave, or Swarm through a standard browser by appending ".limo" to any .eth name. Its wildcard DNS record at *.eth.limo covers roughly 2 million .eth domains registered through ENS, per figures cited by EasyDNS. (Zack Abrams / The Block)

Related: cryptonews.net, Crypto News, Cryptorank, Yellow, BeInCrypto, Blockonomi, Coinpaper

Cloud development platform Vercel disclosed a security incident after threat actors claimed to have breached its systems and are attempting to sell stolen data.

Vercel is a cloud platform that provides hosting and deployment infrastructure for developers, with a strong focus on JavaScript frameworks.

The company is known for developing Next.js, a widely used React framework, and for offering services such as serverless functions, edge computing, and CI/CD pipelines that enable developers to build, preview, and deploy applications.

The company said a limited subset of customers was affected by a security breach.

The company says its services have not been impacted and that it is working with impacted customers.

Vercel says it is taking steps to protect its customers, advising them to review environment variables, use its sensitive environment variable feature, and to rotate secrets if needed.

Vercel said that the breach stemmed from the compromise of a third-party AI tool's Google Workspace OAuth application.

Vercel is advising Google Workspace administrators and Google account owners to check for the following application:

OAuth App: 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com

Vercel CEO Guillermo Rauch later shared additional details on X, stating that the initial access occurred after a Vercel employee's Google Workspace account was compromised via a breach at the AI platform Context.ai. (Lawrence Abrams / Bleeping Computer)

Related: Vercel, Hacker News, The Register, TechRadar, Decipher, The Hans India, Ace of Spades HQ, The Indian Express, The Coin Republic, Cointelegraph, PiunikaWeb, Cyber Security News, CoinDesk, Blockhead, Blockonomi, The Cyber Express, Peridot Blog, The Information, crypto.news, Livemint, The Block, iTnews, CyberInsider, The Verge, XDA Developers, r/webdev, WebProNews, r/cybersecurity, BeInCrypto, India Today, Crypto News, IT News

Nicholas Moore, a Tennessee man who pleaded guilty to repeatedly hacking into the Supreme Court’s electronic filing system, was sentenced to one year of probation.

Moore admitted he hacked the high court more than two dozen times, in addition to hacking accounts at AmeriCorps and the Veterans Administration Health System. He boasted about his access on social media, using the handle @ihackedthegovernment.

He faced up to a year in prison and a fine of up to $100,000 for pleading guilty to a single misdemeanor count of fraud activity in connection with computers.

But the Justice Department sought only probation, a recommendation on the lower end of federal sentencing guidelines for Moore.

Prosecutors cited his admission and commitment to taking responsibility for his conduct as reasons for a lighter sentence. His attorney, Eugene Ohm, said that Moore immediately admitted guilt and accepted a plea deal when confronted by federal law enforcement. (Ella Lee / The Hill)

Related: TechCrunch, Bloomberg Law

The European Union’s unveiling of a mobile app to check people’s age online has quickly turned sour, as cybersecurity experts found glaring privacy and security problems with the code.

European Commission President Ursula von der Leyen presented the age-verification tool in Brussels on Wednesday, saying it was "technically ready" and will soon be available to use as countries move to ban kids from social media.

Cyber and privacy experts immediately dove into the source code on the GitHub software platform and reported several issues with the app's design.

The saga is turning into a PR disaster for Brussels. But underneath the controversy over the code lie deeper divisions between privacy campaigners, child rights groups, tech firms, and politicians over how to protect minors online — as leaders promise to shield kids from social media and porn sites.

Within hours of the EU’s app release, security consultant Paul Moore found it would store sensitive data on a user’s phone and leave it unprotected, he wrote in a widely shared post on X. Moore claimed to have hacked the app in under 2 minutes. 

Baptiste Robert, a prominent French white hat hacker, confirmed many of the issues and told POLITICO it was possible to bypass the app’s biometric authentication features, meaning someone would be able to forgo entering a PIN code or using Touch ID to access the app.

Olivier Blazy, a cryptographic researcher who is part of a French task force on digital identity, said: "Let’s say I downloaded the app, proved that I am over 18, then my nephew can take my phone, unlock my app and use it to prove he is over 18." (Émile Marzolf, Ellen O'Regan and Eliza Gkritsi / Politico EU)

Related: GitHub, RTÉ, Biometric Update, Wired, Blaze Media, MediaNama, Cointelegraph, RTÉ, Biometric Update, r/neoliberal, r/europe, r/privacy, r/eutech, Sofx

Researchers at Sophos report that the Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security.

The researchers documented two campaigns where attackers deployed QEMU as part of their arsenal to collect domain credentials.

One campaign that Sophos tracks as STAC4713 was first observed in November 2025 and has been linked to the Payouts King ransomware operation.

The other, tracked as STAC3725, was spotted in February this year and exploits the CitrixBleed 2 (CVE-2025-5777) vulnerability in NetScaler ADC and Gateway instances.

According to Zscaler, Payouts King is likely tied to former BlackBasta affiliates, based on its use of similar initial access methods like spam bombing, Microsoft Teams phishing, and Quick Assist abuse.

Sophos recommends that organizations look for unauthorized QEMU installations, suspicious scheduled tasks running with SYSTEM privileges, unusual SSH port forwarding, and outbound SSH tunnels on non-standard ports. (Bill Toulas / Bleeping Computer)

Related: Sophos, Security Affairs

Payouts King ransomware extortion portal. Source: BleepingComputer

According to a survey by the Japan Institute for Promotion of Digital Economy and Community, at least 222 Japanese companies have paid ransomware attackers in the past, yet about 60 percent of them still failed to recover their data.

Of the 1,107 firms that responded to the survey, 507 reported being hit by ransomware attacks, in which hackers block access to data and demand payment to restore it.

Of the companies that paid the attackers, 83 were able to restore their systems and data, while 139 were not. Conversely, 141 firms reported being hit by ransomware attacks but restoring their systems and data without paying.

Experts say ransoms should not be paid because they fund criminal organizations. The institute noted that the survey results underscore the reality that "paying a ransom does not guarantee data recovery."

About half of the companies that experienced ransomware attacks said that their financial losses, including ransom payments and system recovery costs, ranged from 1 million yen to less than 50 million yen. Meanwhile, 16 percent reported little to no damage, while 4.3 percent of the firms experienced losses of 1 billion yen or more.

The survey also showed that restoration usually took between one week and a month, as reported by 176 of the affected companies. In contrast, some companies said their data was not restored even after three months. (Japan Today)

Related: Caliber, The Mainichi, Kyodo News

A sophisticated wave of ransomware attacks has remained a threat to Nigerian government agencies and tier-1 financial institutions over the last three weeks, exposing deep-seated systemic fragilities in the nation’s rapidly digitizing economy.

Reports from the National Information Technology Development Agency (NITDA) and the Corporate Affairs Commission (CAC) confirmed that ‘coordinated and sophisticated’ threat actors have successfully breached critical infrastructure, leading to service outages and the suspected exfiltration of sensitive citizen data.

To show the severity of the breach, CAC suspended, albeit temporarily, the companies’ registration portal, even as the Nigeria Data Protection Commission (NDPC) has commenced a probe into the attacks. (Adeyemi Adepetun / The Guardian)

Related: Nigerian Mirror

Two years after a cybercrime cost the city of Tallahassee over $2 million, City Hall confirmed it was again the victim of an online attack early on April 17.

In an email obtained by the Tallahassee Democrat, Assistant City Manager Christian Doolin informed city commissioners of the incident and said staff "quickly responded and took action to isolate the threat."

"We want to make you aware that earlier this morning, our systems alerted staff to an attack affecting portions of our city's technology environment," the email states.

"There are no operational impacts to the system at this time," Doolin wrote. "Staff is validating containment, assessing registries and scheduled tasks, and analyzing access across environments."

However, an email sent by Leon County chief information officer Michelle Taylor at 1:35 p.m. added more gravity to the situation.

"COT is experiencing a confirmed cyber event on its IT network. They have disconnected from the internet while they investigate further. Additionally, we have temporarily paused our city/county network link to prevent any creep into the Leon County network," she wrote. (Elena Barrera / Tallahassee Democrat)

Related: WTXL

Sam Altman’s iris-scanning, humanity-verifying World project announced that Tinder users around the globe can now put a digital badge on their profiles signaling to potential suitors that they’re a real human, provided they’ve already stared into one of World’s glossy white Orbs and allowed their eyes to be scanned.

The announcement follows a pilot project for Tinder verification that World previously conducted in Japan.

The global Tinder expansion is one of the biggest tests yet for World, and the company’s bet that everyday consumers will be willing to sign up for biometric verification services to use internet applications.

In addition to the Tinder global expansion, Tools for Humanity, the company behind World, announced a number of other consumer and enterprise partnerships on Friday at its Lift Off event in San Francisco. The startup says Tinder users who verify with their World ID will receive five free "boosts," typically a paid feature that increases the number of users who see a profile by up to 10 times for 30 minutes.

The videoconferencing platform Zoom also says that users can now require other participants to verify their identity with World before joining a call. DocuSign, the contract signing software, will allow users to require World’s identity verification technology. (Maxwell Zeff / Wired)

Related: TechCrunch, Gizmodo, DL News, The Verge, Decrypt, CoinDesk, TechRadar, BBC, Axios, The Block, TheGrio, Implicator.ai, The Deep View, Slashdot

Last Thursday, social media app Bluesky confirmed that a “sophisticated Distributed Denial-of-Service (DDoS) attack” was to blame for its service issues, which had originally started on April 15 at around 8:40 p.m. ET.

In a post on the Bluesky account, the company shared the cause of the problem and noted that the attack was “impacting our operations, with users experiencing intermittent interruptions in service for their feeds, notifications, threads, and search.”

Bluesky said that it has not seen any evidence of unauthorized access to private data, however. (Sarah Perez / TechCrunch)

Related: Mashable, Engadget, The Verge, heise online

Best Thing of the Day: A Step in the Right Direction

The European Commission is strengthening the European Union's digital sovereignty by awarding a tender that allows EU institutions, bodies, offices, and agencies (Union entities) to procure sovereign cloud services for up to €180 million (around $211 million) over 6 years.

Bonus Best Thing of the Day: Bring It On

Elon Musk and Linda Yaccarino, the former CEO of X, were summoned to Paris on Monday, where investigators are looking into allegations of misconduct related to the social media platform X, including the spread of child sexual abuse material and deepfake content, although as of press time, it was unclear if they would go.

Worst Thing of the Day: Karp's Kampf

Surveillance and analytics company Palantir recently posted what it called a “brief” 22-point summary of CEO Alex Karp’s book “The Technological Republic” that trashes pluralism, denounces “postwar neutering of Germany and Japan,” and otherwise pushes a generally hard-right agenda.

Bonus Worst Thing of the Day: European Digital Sovereignty Can't Come Fast Enough

Google says its AI can now scan everything to form its own views of you and everyone you know, including all your photos.
