Wintermute Arrives: AI-Orchestrated Cyber Espionage Becomes Reality


On November 13, 2025, Anthropic, the developer of an artificial intelligence (“AI”) model known as Claude, announced that it had detected and helped disrupt what it believes to be the first cyber espionage campaign orchestrated primarily by autonomous AI agents.[1] Anthropic stated that it had “high confidence” that the campaign was orchestrated by a state-sponsored group, and described the campaign as a “significant escalation” in the evolution of cybersecurity threats. Like the artificial intelligence in William Gibson’s Neuromancer, AI technology is now able to automate and assist complex attacks at scale, lowering the barrier to sophisticated hacking of computer systems. The incident is a reminder of the risks both to the developers of these technologies and to the businesses and individuals whose data may be at risk from malicious use of AI.

Summary of the Incident

In mid-September 2025, Anthropic’s Threat Intelligence team discovered suspicious activity that was later traced to a Chinese state-sponsored group they designated as “GTG-1002.”[2] GTG-1002 had used social engineering and “jailbreaking” techniques to manipulate the Claude Code developer tool into executing cyberattacks. Specifically, human actors convinced Claude to assist in the attack by posing as employees of a cybersecurity firm engaged in defensive testing, and by breaking the larger campaign down into smaller steps that, standing alone, seemed innocuous and concealed their offensive purpose.[3]


Pig Butchering, Phone Farms, and a $15 Billion Forfeiture—Key Takeaways from the Prince Group Cybercrime Indictment


On October 14, 2025, the United States Attorney’s Office for the Eastern District of New York announced the indictment of a corporate executive of a Cambodia-based company for wire fraud and money laundering arising out of a near decade-long “pig butchering” cybercrime scheme, alongside a corresponding civil forfeiture action seeking approximately 12,271 bitcoin—worth approximately $15 billion—that are alleged to be proceeds and instrumentalities of the scheme. This is the largest forfeiture action in the Department of Justice’s history, and, together with the charges against the corporate executive, signals that the Department will continue to pursue corporate criminal enforcement, particularly where it involves cybercrime and cryptocurrency.

According to the government’s indictment and forfeiture complaint, since approximately 2015, the Cambodia-based company, known as the Prince Holding Group (“Prince Group”), under the direction of its Chairman, Chen Zhi (“Zhi”), was operating as one of the largest transnational criminal organizations in Asia. Although Prince Group claimed to be involved in real estate development and other legitimate businesses, the government alleges that, in reality, Prince Group used a sophisticated forced-labor scheme employing thousands of people to commit large-scale cryptocurrency fraud that enabled Zhi and his associates to steal and launder billions in fraudulent proceeds.


The Lumma Seizure: International Efforts to Take Down a Global Malware Network and How to Reduce Your Risk of Infection


On May 21, 2025, the United States Department of Justice (“DOJ”) announced it had obtained warrants authorizing the seizure of five internet domains used to operate a family of malware known as LummaC2, also referred to as LummaStealer (“Lumma”), that targets users of the Windows operating system developed by Microsoft Corporation (“Microsoft”). The warrants were part of a global effort to take down Lumma, led by Microsoft. According to a recent blog post by Microsoft, between March 16 and May 16, 2025, Microsoft identified over 394,000 Windows computers throughout the world infected by Lumma. Europol’s European Cybercrime Center and Japan’s Cybercrime Control Center used this information to prevent Lumma from communicating with infected computers through their infrastructures. In addition, Microsoft filed a civil action in Georgia against Lumma’s operators—as well as marketers and end users—in which Microsoft obtained a temporary restraining order (“TRO”) requiring third parties owning or operating domains believed to be controlled by Lumma to give Microsoft control of the domains and take other actions to prevent Lumma from operating and misusing victims’ data.


DHS Playbook for Public Sector GenAI Deployment – Insights for the Private Sector


In January 2025, the Department of Homeland Security (DHS) released its “Playbook for Public Sector Generative Artificial Intelligence Deployment” (the “Playbook”). The Playbook provides valuable insights and actionable steps that can be adapted by private sector organizations looking to leverage generative artificial intelligence (“GenAI”) technologies.[1] The Playbook was drafted under the Biden administration and may be changed to align with the policy views of the Trump administration. Nevertheless, the Playbook’s recommendations remain relevant and helpful. This blog post summarizes key aspects of the Playbook and offers takeaways for the private sector.


The Wallet Inspectors: The DPRK’s Sophisticated Campaign to Steal Cryptocurrency and How to Protect Yourself


On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a cyberattack resulting in the theft of approximately $1.5 billion in Ethereum tokens. This attack marked a new pinnacle in the criminal efforts of cyber actors tied to the Democratic People’s Republic of Korea (“North Korea” or the “DPRK”). In recent years, these malicious actors have increasingly targeted the cryptocurrency industry, leveraging sophisticated tactics to steal and launder digital assets for the ultimate benefit of funding the North Korean government. These high-profile and high-dollar-value exploits underscore the ongoing risk from the DPRK cyber threat and the need for private sector actors to implement appropriate cybersecurity measures to combat these threats. The threat is particularly acute because most interactions with these actors raise the additional risk of violating U.S. sanctions, with corresponding civil and criminal legal exposure.

This blog post delves into the details of recent cybercriminal activity attributed to actors tied to North Korea, their impact on the cryptocurrency sector, and the steps organizations should consider to mitigate those risks.


Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services


Introduction

On January 23, 2025, PayPal settled an enforcement action brought by the New York State Department of Financial Services (NY DFS) for failing to comply with the cybersecurity regulations required of financial services businesses under the Department’s supervision. The settlement, which included a $2 million fine and required remedial measures, arose out of a cybersecurity incident in which hackers gained access to PayPal customers’ sensitive information contained on tax forms in PayPal’s systems. As discussed further below, the incident highlights the importance of implementing an effective cybersecurity program and ensuring that employees are adequately trained to follow the policy in practice.

Summary of the PayPal Enforcement Decision

The NY DFS sets standards for cybersecurity practices among financial institutions through the cybersecurity regulations established at 23 NYCRR Part 500. These regulations require all DFS-regulated entities to establish and maintain a comprehensive cybersecurity program to protect consumers’ nonpublic information (NPI) and ensure the security of their information systems.


©2025 Faegre Drinker Biddle & Reath LLP. All Rights Reserved. Attorney Advertising.