, ,

Trust but verify

How a $400,000 lobster theft exposed the hidden security gaps in modern logistics

 

By Skeeter Wesinger

January 5, 2026

 

Earlier this month, thieves made off with roughly $400,000 worth of lobster from a Massachusetts facility. The seafood was never supposed to vanish; it was en route to Costco locations in the Midwest. Instead, it became the end product of a carefully staged deception that blended cyber impersonation, procedural blind spots, and physical-world confidence tricks.

This was not a smash-and-grab. It was a systems failure.

The operation began quietly, with an altered email domain that closely resembled that of a legitimate trucking company. To most humans—and most workflows—that was enough. The email looked right, sounded right, and fit neatly into an existing logistics conversation. No servers were hacked. No passwords were cracked. The attackers didn’t break in; they were let in.

Modern organizations often believe that email authentication technologies protect them from impersonation. They do not. Tools like SPF, DKIM, and DMARC can verify that a message truly came from a domain, but they cannot tell you whether it came from the right one. The gap between technical validation and human trust remains wide, and that gap was the attackers’ point of entry.

Once inside the conversation, the criminals did what sophisticated attackers always do: they followed the process. They presented themselves as the selected carrier, responded on time, and matched expectations. Crucially, no one stopped to verify the change using a trusted, out-of-band channel—no phone call to a number already on file, no portal confirmation, no secondary check. The digital impersonation slid smoothly into operational reality.

The real turning point came at the loading dock. A tractor-trailer arrived bearing the branding of the legitimate company. The drivers carried paperwork and commercial licenses convincing enough to pass a quick inspection. Faced with routine procedures and time pressure, facility staff released the shipment. In that moment, digital deception became physical authorization.

This is where the incident stops being about phishing and starts being about trust. Visual cues—logos, uniforms, familiar names—still function as de facto security controls in high-value logistics. They are also trivial to counterfeit. Without a strong shared secret, such as a one-time pickup code or independently issued authorization token, the chain of custody rests on appearances.

After the truck departed, the final safeguards failed just as quietly. GPS trackers were disabled, and their sudden silence did not trigger an immediate, decisive response. In security terms, there was no deadman switch. When telemetry went dark, escalation was not automatic. By the time uncertainty turned into alarm, the window for recovery had likely closed.

Logistics theft experts know this pattern well. The first hour after a diversion is decisive. Organized theft rings plan around confusion, delayed verification, and fragmented responsibility. Their confidence suggests experience, not luck.

The CEO of Rexing Cos., the logistics firm coordinating the shipment, later described the crime as “very sophisticated” and attributed it to a large criminal organization. That assessment aligns with the evidence. This was not a crime of opportunity. It was a repeatable playbook executed by people who understood how modern supply chains actually operate—not how they are diagrammed.

The most unsettling lesson of the lobster theft is that no single system failed catastrophically. Email worked. Scheduling worked. Dock operations worked. Tracking existed. Each layer functioned more or less as designed. The failure emerged in the seams between them.

Security professionals often say that attackers don’t exploit systems; they exploit assumptions. This incident is a case study in that truth. Every handoff assumed the previous step had already done the hard work of verification. Each trust decision compounded the last until six figures’ worth of cargo rolled away under false pretenses. Always trust, but also verify, to quote President Reagan: “Doveryay, no proveryay”- “Trust, but verify.”

As supply chains become more digitized and more automated, it is tempting to treat logistics as paperwork and coordination rather than as critical identity infrastructure. This theft demonstrates the cost of that assumption. High-value goods move through a chain of identities—domains, vendors, drivers, vehicles—and each identity must be independently verified, not inferred.

The lobster didn’t disappear because the system was weak. It disappeared because the system was polite.

/3 Comments/by
, , , , ,

The $9.2 Million Warning

The $9.2 Million Warning: Why 2025 Will Punish Companies That Ignore AI Governance

By R. Skeeter Wesinger
(Inventor & Systems Architect | 33 U.S. Patents | MA)

November 3, 2025

When artificial intelligence began sweeping through boardrooms in the early 2020s, it was sold as the ultimate accelerator. Every company wanted in. Chatbots turned into assistants, copilots wrote code, and predictive models started making calls that once required senior analysts. The pace was breathtaking. The oversight, however, was not.

Now, in 2025, the consequences of that imbalance are becoming painfully clear. Across the Fortune 1000, AI-related compliance and security failures are costing an average of $9.2 million per incident—money spent on fines, investigations, recovery, and rebuilding trust. It’s a staggering number that reveals an uncomfortable truth: the age of ungoverned AI is ending, and the regulators have arrived.

For years, companies treated AI governance as a future concern, a conversation for ethics committees and think tanks. But the future showed up early. The European Union’s AI Act has set the global tone, requiring documentation, transparency, and human oversight for high-risk systems. In the United States, the Federal Trade Commission, the Securities and Exchange Commission, and several state legislatures are following suit, with fines that can reach a million dollars per violation.

The problem is not simply regulation—it’s the absence of internal discipline. IBM’s 2025 Cost of a Data Breach Report found that 13 percent of organizations had already experienced a breach involving AI systems. Of those, 97 percent lacked proper access controls. That means almost every AI-related breach could have been prevented with basic governance.

The most common culprit is what security professionals call “shadow AI”: unapproved, unsupervised models or tools running inside companies without formal review. An analyst feeding customer data into an online chatbot, a developer fine-tuning an open-source model on sensitive code, a marketing team using third-party APIs to segment clients—each one introduces unseen risk. When something goes wrong, the result isn’t just a data spill but a governance black hole. Nobody knows what model was used, what data it touched, or who had access.

IBM’s data shows that organizations hit by shadow-AI incidents paid roughly $670,000 more per breach than those with well-managed systems. The real cost, though, is the time lost to confusion: recreating logs, explaining decisions, and attempting to reconstruct the chain of events. By the time the lawyers and auditors are done, an eight-figure price tag no longer looks far-fetched.

The rise in financial exposure has forced executives to rethink the purpose of governance itself. It’s not red tape; it’s architecture. A strong AI governance framework lays out clear policies for data use, accountability, and human oversight. It inventories every model in production, documents who owns it, and tracks how it learns. It defines testing, access, and audit trails, so that when the inevitable questions come—Why did the model do this? Who approved it?—the answers already exist.

This kind of structure doesn’t slow innovation; it enables it. In finance, healthcare, and defense—the sectors most familiar to me—AI governance is quickly becoming a competitive advantage. Banks that can demonstrate model transparency get regulatory clearance faster. Hospitals that audit their algorithms for bias build stronger patient trust. Defense contractors who can trace training data back to source win contracts others can’t even bid for. Governance, in other words, isn’t the opposite of agility; it’s how agility survives scale.

History offers a pattern. Every transformative technology—railroads, electricity, the internet—has moved through the same cycle: unrestrained expansion followed by an era of rules and standards. The organizations that thrive through that correction are always the ones that built internal discipline before it was enforced from outside. AI is no different. What we’re witnessing now is the transition from freedom to accountability, and the market will reward those who adapt early.

The $9.2 million statistic is less a headline than a warning. It tells us that AI is no longer a side project or a pilot experiment—it’s a liability vector, one that demands the same rigor as financial reporting or cybersecurity. The companies that understand this will govern their algorithms as seriously as they govern their balance sheets. The ones that don’t will find governance arriving in the form of subpoenas and settlements.

The lesson is as old as engineering itself: systems fail not from lack of power, but from lack of control. AI governance is that control. It’s the difference between a tool that scales and a crisis that compounds. In 2025, the smartest move any enterprise can make is to bring its intelligence systems under the same discipline that made its business succeed in the first place. Govern your AI—before it governs you.

/2 Comments/by
, , ,

The Power Law of Mediocrity

The Power Law of Mediocrity: Confessions from the Belly of the VC Beast

By Skeeter Wesinger

October 6, 2025

We all read the headlines. They hit our inboxes every week: some fresh-faced kid drops out of Stanford, starts a company in his apartment, lands millions from a “top-tier” VC, and—poof—it’s a billion-dollar exit three years later. We’re force-fed the kombucha, SXSW platitudes, and “Disruptor of the Year” awards.

The public narrative of venture capital is that of a heroic journey: visionary geniuses striking gold, a thrilling testament to the idea that with enough grit, hustle, and a conveniently privileged network, anyone can build a unicorn. It’s the Disney version of capitalism—“anyone can be a chef,” as in Ratatouille—except this kitchen serves valuations, not ratatouille.

And it’s all a delightful, meticulously crafted fabrication by PR mavens, institutional LPs, and valuation alchemists who discovered long ago that perception is liquidity.

The truth is far less cinematic. Venture capital isn’t a visionary’s playground—it’s a casino, and the house always wins. Lawyers, bankers, and VCs take their rake whether the founders strike it rich or flame out in a spectacular implosion. The real magic isn’t in finding winners; it’s in convincing everyone, especially limited partners and the next crop of naive founders, that every single bet is a winner in the making. And in the current AI gold rush, this narrative isn’t just intoxicating—it’s practically a MDMA-induced hallucination set to a soundtrack of buzzwords and TED-ready hyperbole.

Full disclosure: I’ve been on both sides of that table—VC and angel investor, and founder. So consider this less a critique and more a confession, or perhaps karmic cleansing, from someone who has seen the sausage made and lived to regret the recipe.

The Power Law of Mediocrity

The first and most inconvenient truth? Venture capital isn’t about hitting singles and doubles—it’s about swinging for the fences while knowing, with absolute certainty, that you’ll strike out 90 percent of the time.

Academic data puts it plainly: roughly 75 percent of venture-backed startups never return significant cash to their investors. A typical fund might back ten companies—four will fail outright, four will limp to mediocrity, and one or two might generate a real return. Of those, maybe one breaks double-digit multiples.

And yet, the myth persists. Why? Because returns follow a power law, not a bell curve. A single breakout win papers over nine corpses. The median VC fund barely outperforms the S&P 500, but the top decile—those with one or two unicorns—create the illusion of genius. In truth, it’s statistical noise dressed up as foresight.

The Devil in the Cap Table

Not all angels have halos. Some of them carry pitchforks.

I call them “Devil Investors.” They arrive smiling, armed with mentorship talk and a check just large enough to seem life-changing. Then, once the ink dries, they sit you down and explain “how the real world works.” That’s when the charm evaporates. Clauses appear like tripwires—liquidation preferences, ratchets, veto rights. What looked like partnership becomes ownership.

These are the quiet tragedies of the startup world: founders who lose not only their companies but their sense of agency, their belief that vision could trump capital. Venture capital thrives on asymmetry—of information, of power, of options.

So no, I don’t feel bad when VCs get hoodwinked. They’ve built an empire on the backs of the optimistic, the overworked, and the under-represented. When a fund loses money because it failed to do due diligence, that’s not misfortune—that’s karma.

For every VC who shrugs off a loss as “portfolio churn,” there’s a founder who’s lost years, health, and ownership of the very thing they built. The VC walks away with a management fee and another fund to raise. The founder walks away with debt and burnout.

The Great AI Hallucination

If the 2010s were about social apps and scooters, the 2020s are about AI euphoria. Every week, another “AI-powered” startup raises $50 million for a product that doesn’t exist, can’t scale, and often relies entirely on someone else’s model.

It’s déjà vu for anyone who remembers the dot-com bubble—companies worth billions on paper, zero on the balance sheet. But in this era, the illusion has new fuel: the hype multiplier of media and the self-referential feedback loops of venture circles. Valuation becomes validation. Paper gains become gospel.

In private, partners admit the math doesn’t add up. In public, they double down on buzzwords: foundational models, RAG pipelines, synthetic data moats. They don’t have to be right—they just have to be first, loud, and liquid enough to raise Fund IV before Fund III collapses.

The House Always Wins

The cruel beauty of venture capital is that even when the bets go bad, the system pays its insiders. Management fees—usually 2 percent of committed capital—keep the lights on. Carried interest, when a unicorn hits, covers a decade of misses. It’s a model designed to appear risky while transferring the risk onto everyone else.

Founders risk their sanity, employees their weekends, and LPs their patience. The VC? He risks his reputation—which, in this industry, can always be rebranded.

A Confession, Not a Complaint

I say all this not as an outsider looking in but as someone who once believed the myth—that innovation needed gatekeepers, that disruption was noble, that capital was somehow creative. I’ve seen brilliant ideas die not for lack of ingenuity but for lack of political capital in a partner meeting.

Venture capital has produced miracles—no question. But for every transformative success, there are hundreds of broken dreams swept quietly into the footnotes of fund reports.

Pulling Back the Curtain

The next time you read about a wunderkind founder and their dazzling valuation, remember: you’re seeing the show, not the spreadsheet. Behind the curtain lies an industry that’s part casino, part cult, and wholly addicted to the illusion of inevitability.

Because in venture capital, the product isn’t innovation.
It’s a belief—and belief, conveniently, can be marked up every quarter.

/1 Comment/by
, , , ,

Inside the ShinyHunters Breach

Inside the ShinyHunters Breach: How a Cybercrime Collective Outsmarted Google

By Skeeter Wesinger

August 26, 2025

In June 2025, a phone call was all it took to crack open one of the world’s most secure companies. Google, the billion-dollar titan that built Chrome, Gmail, and Android, didn’t fall to an exotic zero-day exploit or state-sponsored cyberweapon. Instead, it stumbled over a voice on the line.

The culprits were ShinyHunters, a name that has haunted cybersecurity teams for nearly half a decade. Their infiltration of Google’s Salesforce system—achieved by tricking an employee into installing a poisoned version of a trusted utility—didn’t yield passwords or credit card numbers. But what it did uncover, millions of names, emails, and phone numbers, was enough to unleash a global phishing storm and prove once again that the human element remains the weakest link in digital defense.

ShinyHunters first burst onto the scene in 2020, when massive troves of stolen data began appearing on underground forums. Early hits included databases from Tokopedia, Wattpad, and Microsoft’s private GitHub repositories. Over time, the group built a reputation as one of the most prolific sellers of stolen data, often releasing sample leaks for free to advertise their “work” before auctioning the rest to the highest bidder. Unlike some cybercrime groups that focus on a single specialty—ransomware, banking trojans, or nation-state espionage—ShinyHunters thrive on versatility. They have carried out brute-force intrusions, exploited cloud misconfigurations, and, as Google’s case shows, mastered social engineering. What ties their operations together is a single goal: monetization through chaos. Their name itself comes from the Pokémon community, where “shiny hunters” are players obsessively searching for rare, alternate-colored Pokémon. It’s a fitting metaphor—ShinyHunters sift through digital landscapes looking for rare weaknesses, exploiting them, and then flaunting their finds in dark corners of the internet.

The attack on Google was as elegant as it was devastating. ShinyHunters launched what cybersecurity experts call a vishing campaign—voice phishing. An employee received a convincing phone call from someone posing as IT support. The hacker guided the target into downloading what appeared to be Salesforce’s Data Loader, a legitimate tool used by administrators. Unbeknownst to the victim, the tool had been tampered with. Once installed, it silently granted ShinyHunters remote access to Google’s Salesforce instance. Within hours, they had siphoned off contact data for countless small and medium-sized business clients. The breach didn’t expose Gmail passwords or financial records, but in today’s digital ecosystem, raw contact data can be just as dangerous. The stolen information became ammunition for phishing campaigns that soon followed—calls, texts, and emails impersonating Google staff, many of them spoofed to look as though they came from Silicon Valley’s “650” area code.

This wasn’t ShinyHunters’ first high-profile strike. They’ve stolen databases from major corporations including AT&T, Mashable, and Bonobos. They’ve been linked to leaks affecting over 70 companies worldwide, racking up billions of compromised records. What sets them apart is not sheer volume but adaptability. In the early days, ShinyHunters focused on exploiting unsecured servers and developer platforms. As defenses improved, they pivoted to supply-chain vulnerabilities and cloud applications. Now, they’ve sharpened their social engineering skills to the point where a single phone call can topple a security program worth millions. Cybersecurity researchers note that ShinyHunters thrive in the gray zone between nuisance and catastrophe. They rarely pursue the destructive paths of ransomware groups, preferring instead to quietly drain data and monetize it on dark web markets. But their growing sophistication makes them a constant wildcard in the cybercrime underworld.

Google wasn’t the only target. The same campaign has been tied to breaches at other major corporations, including luxury brands, airlines, and financial institutions. The common thread is Salesforce, the ubiquitous customer relationship management platform that underpins business operations worldwide. By compromising a Salesforce instance, attackers gain not only a list of customers but also context—relationships, communication histories, even sales leads. That’s gold for scammers who thrive on credibility. A phishing email that mentions a real company, a real client, or a recent deal is far harder to dismiss as spam. Google’s prominence simply made it the most visible victim. If a company with Google’s security apparatus can be tricked, what chance does a regional retailer or midsize manufacturer have?

At its core, the ShinyHunters breach of Google demonstrates a troubling shift in cybercrime. For years, the focus was on software vulnerabilities—buffer overflows, unpatched servers, zero-days. Today, the battlefield is human psychology. ShinyHunters didn’t exploit an obscure flaw in Salesforce. They exploited belief. An employee believed the voice on the phone was legitimate. They believed the download link was safe. They believed the Data Loader tool was what it claimed to be. And belief, it turns out, is harder to patch than software.

Google has confirmed that the incident did not expose Gmail passwords, and it has urged users to adopt stronger protections such as two-factor authentication and passkeys. But the broader lesson goes beyond patches or new login methods. ShinyHunters’ success highlights the fragility of digital trust in an era when AI can generate flawless fake voices, craft convincing emails, and automate scams at scale. Tomorrow’s vishing call may sound exactly like your boss, your colleague, or your bank representative. The line between legitimate communication and malicious deception is blurring fast. For ShinyHunters, that blurring is the business model. And for the rest of us, it’s a reminder that the next major breach may not come from a flaw in the code, but from a flaw in ourselves. And these ShinyHunters use fake Gmail accounts, which will get them caught.

/by
, , , , ,

Beyond Zapier

Beyond Zapier: What Happens When Workflow Automation Becomes Obsolete?

By Skeeter Wesinger August 3, 2025

For years, tools like Zapier, LangChain, and Make (formerly Integromat) have served as the backbone of modern automation. They gave us a way to stitch together the sprawling ecosystem of SaaS tools, APIs, and data triggers that power everything from startups to enterprise platforms. They democratized automation, enabled lean teams to punch above their weight, and brought programmable logic to non-programmers.

But here’s the uncomfortable truth: their days are numbered.

These platforms weren’t designed to think—they were designed to follow instructions. They excel at task execution, but they fall short when the situation requires adaptation, judgment, or real-time negotiation between competing priorities. The problem isn’t what they do; it’s what they can’t do.

The Next Frontier: Intent-Driven Autonomy

The future doesn’t belong to systems that wait to be told what to do. It belongs to systems that understand goals, assess context, and coordinate actions without micromanagement. We’re entering the age of intent-driven autonomy, where AI agents don’t just execute; they plan, adapt, and negotiate across domains.

Imagine a world where your AI agent doesn’t wait for a Zap to send an email—it anticipates the follow-up based on urgency, sentiment, and your calendar. Where you don’t need to build a LangChain flow to summarize documents—your agent reads, tags, stores, and cross-references relevant data on its own. Where infrastructure no longer needs triggers because it has embedded agency—software that adjusts itself to real-world feedback without human intervention.

This is more than automation. This is cognition at the edge of software.

Why This Isn’t Hype

We’re already seeing signs. From autonomous GPT-based agents like AutoGPT and CrewAI to self-updating internal tools powered by vector databases and real-time embeddings, the scaffolding of tomorrow is under construction today. These agents won’t need workflows—they’ll need guardrails. They’ll speak natural language, interact across APIs, observe results, and self-correct. And instead of chaining actions together, they’ll pursue objectives.

Don’t Panic. But Do Prepare.

This doesn’t mean Zapier or LangChain failed. On the contrary, they paved the way. They taught us how to think modularly, how to connect tools, and how to make systems work for us. But as we move forward, we need to unlearn some habits and embrace the shift from rigid logic to adaptive intelligence.

The question for builders, founders, and technologists isn’t “What should I automate next?” It’s “What kind of agency am I ready to give my systems?”

Because the future isn’t about building better workflows. It’s about building systems that don’t need them.

/by
, , , ,

Banking Without Prompts

Banking Without Prompts: Autonomous AI Agents and the Future of Finance

By Skeeter Wesinger

August 1, 2025

As artificial intelligence evolves beyond chatbots and scripted assistants, a new kind of intelligence is emerging—one that doesn’t wait to be asked, but rather understands what needs to happen next. In the world of finance, this evolution marks a profound shift. Autonomous AI agents are poised to redefine how we interact with our money, our banks, and even decentralized systems like Bitcoin. They will not simply respond to prompts. They will act on our behalf, coordinating, securing, optimizing, and executing financial operations with a level of contextual intelligence that eliminates friction and anticipates needs.

In traditional banking, autonomous agents will operate across the entire customer lifecycle. Instead of relying on users to initiate every action, these systems will recognize patterns, detect anomalies, and carry out tasks without requiring a single command. They will notice unusual account activity and intervene before fraud occurs. They will detect opportunities for savings, debt optimization, or loan restructuring and act accordingly, surfacing choices only when human approval is required. Agents will onboard new customers by retrieving identity credentials, verifying documents through secure biometric scans, and completing compliance steps in seconds—all in the background. On the back end, these agents will navigate regulatory checkpoints, reconcile ledgers, update Know Your Customer (KYC) files, and monitor compliance thresholds in real-time. They will not replace bankers—they will become the invisible machinery that supports them.

In the realm of Bitcoin and digital assets, the impact will be just as profound. Managing wallets, executing transactions, and securing assets in a decentralized environment is complex, and often inaccessible to non-experts. Autonomous agents will quietly manage these processes. They will optimize transaction fees based on current network conditions, initiate trades under preset thresholds, rotate keys to enhance security, and notify users only when intervention is required. In decentralized finance, agents will monitor liquidity positions, collateral ratios, and yield performance. When conditions change, the system will react without being told—reallocating, unwinding, or hedging positions across decentralized platforms. In multi-signature environments, agents coordinate signing sequences among stakeholders, manage the quorum, and execute proposals based on a shared set of rules, all without a central authority.

Crucially, these agents will act without compromising privacy. They will utilize zero-knowledge proofs to perform audits, verify compliance, or authenticate identity without disclosing personal data. They will operate at the edge when necessary, avoiding unnecessary cloud dependency, while still syncing securely across systems and jurisdictions. Whether in traditional banking, Bitcoin custody, or the emerging DeFi landscape, these agents will not just streamline finance—they will secure it, fortify it, and make it more resilient.

We are moving toward a world where finance no longer requires constant attention. The prompt—once essential—becomes redundant. You won’t need to ask for a balance, check your rates, or move funds manually. Your presence, your intent, and your context will be enough. The system will already know. It will already be working.

Contact: Skeeter Wesinger

Senior Research Fellow

Autonomous Systems Technology and Research

skeeter@skeeter.com

For inquiries, research partnerships, or technology licensing.

/by
, ,

Scattered Spider Attacks Again

Scattered Spider Attacks Again
By Skeeter Wesinger
July 2, 2025

In yet another brazen display of cyber subterfuge, Scattered Spider, the slick, shape-shifting cyber gang with a knack for con artistry, has struck again—this time sinking its fangs into Qantas Airways, compromising data on as many as six million unsuspecting customers. It wasn’t some arcane bit of code that cracked the system. It was human weakness, exploited like a well-worn key.
The breach targeted a third-party customer service platform, proving once again that it’s not always your network that gets hacked—it’s your vendor’s.
A Familiar Pattern, a New Victim
Qantas now joins the growing list of high-profile victims stalked by Scattered Spider, a crew whose previous hits include MGM Resorts, Caesars, Hawaiian Airlines, and WestJet. Their calling card? Social engineering at scale—not brute force, but charm, guile, and just enough personal data to sound like they belong.
They impersonate. They coax. They wear your company’s name like a mask—and by the time IT realizes what’s happened, they’re already inside.
This time, they walked away with customer names, emails, phone numbers, birthdates, and frequent flyer numbers. No passwords or payment data were accessed—Qantas was quick to say—but that’s cold comfort in an age when a birthday and an email address is all that it takes to hijack your digital life.
“Trust, but Verify” is Dead, well, sort of.
As Qantas CEO Vanessa Hudson issued the standard apology—support lines are open, regulators are notified, the sky is still safe. But the real damage isn’t operational. It’s existential. Trust doesn’t come back easy, especially when it’s breached by a whisper, not a weapon.
“We used to worry about firewalls and phishing links,” one insider told me. “Now it’s your own help desk that opens the front door.”
Scattered Spider doesn’t hack computers. They hack people—call center agents, IT support staff, even security teams—using their own policies and training scripts against them. Their English is fluent. Their confidence is absolute. Their patience is weaponized.
The Breach Beneath the Breach
What’s truly alarming isn’t just that Scattered Spider got in. It’s how.
They exploited a third-party vendor, the soft underbelly of every corporate tech stack. While Qantas brags about airline safety and digital transformation, it was a remote call-center platform—likely underpaid, overworked, and under-secured—that cracked first.
We’ve heard this story before. Optus. Medibank. Latitude. The names change. The failures rhyme.
And the hackers? They have evolved.
The Next Call May Already Be Happening
Scattered Spider is a ghost in the wires—a gang of young, highly skilled social engineers, some rumored to be based in the U.S., operating like a twisted start-up. Their tools aren’t viruses—they’re LinkedIn, ZoomInfo, and your own onboarding documents.
What you can do is rethink your threat model. Because the enemy isn’t always a shadowy figure in a hoodie. Sometimes it’s a cheerful voice saying, “Hi, I’m calling from IT—can you verify your employee ID?”
By then, it’s already too late. Need to hire an expert? Call me.

/by
, , , , , , ,

Scattered Spider

Scattered Spider: Impersonation, and Cybersecurity in the Age of Cloud Computing

By Skeeter Wesinger
June 29, 2025

In an era where companies have moved their infrastructure to the cloud and outsourced much of their IT, one old-fashioned tactic still defeats the most modern defenses: impersonation.
At the center of this threat is Scattered Spider, a cybercriminal collective that doesn’t exploit code—they exploit people. Their operations are quiet, persuasive, and dangerously effective. Instead of smashing through firewalls, they impersonate trusted employees—often convincingly enough to fool help desks, bypass multi-factor authentication, and gain access to critical systems without ever tripping an alarm.
This is the cybersecurity challenge of our time. Not ransomware. Not zero-days. But trust itself.
Who Is Scattered Spider?
Known to threat intelligence teams as UNC3944, Muddled Libra, or 0ktapus, Scattered Spider is an English-speaking group that has compromised some of the most security-aware companies in North America. Their breaches at MGM Resorts and Caesars Entertainment made headlines—not because they used sophisticated malware, but because they didn’t have to.
Their weapon of choice is the phone call. A help desk technician receives a request from someone claiming to be a senior executive who lost their device. The impersonator is articulate, knowledgeable, and urgent. They know internal jargon. They cite real names. Sometimes, they even use AI-generated voices.
And too often, it works. The attacker gets a password reset, reroutes MFA codes, and slips in undetected.
The Illusion of Familiarity
What makes these attackers so dangerous is their ability to sound familiar. They don’t just say the right things—they say them the right way. They mirror internal language. They speak with confidence. They understand hierarchy. They’re skilled impersonators, and they prey on a simple reflex: the desire to help.
In the past, we might have trusted our ears. “It sounded like them,” someone might say.
But in the age of AI, “sounding like them” is no longer proof of identity. It’s a liability.
When Cloud Isn’t the Cure
Many organizations have moved to cloud-based environments under the assumption that centralization and managed services will reduce their exposure. In some ways, they’re right: the cloud simplifies infrastructure and offloads security operations. But here’s the truth: you can’t outsource responsibility. The human layer remains—and that’s precisely where Scattered Spider operates.
They don’t need to breach Azure or AWS. They just need to impersonate someone with access to it.
It’s time we stop treating “trust but verify” as a cliché and start treating it as operational policy. Better yet: trust—but always verify. Every request. Every reset. Every exception.
Verification today means more than checking a box. It requires multi-channel authentication. It means never resetting MFA or passwords based solely on a phone call, no matter how credible the caller seems. It means locking down help desk protocols so impersonation doesn’t slip through the cracks.
Security teams must also monitor legitimate tools—like AnyDesk, TeamViewer, and ScreenConnect—that attackers often use once inside. These aren’t inherently malicious, but in the wrong hands, they’re devastating.
And above all, organizations must train their frontline personnel—especially support staff—to treat every identity request with healthy skepticism. If your instinct says something feels off, pause and verify through secure channels. Escalate. Slow down. Ask the questions attackers hope you won’t.
Scattered Spider doesn’t hack your servers. They hack your systems of trust. They bypass encryption by impersonating authority. And they exploit the one vulnerability no software can patch: assumption.
As we continue shifting toward remote work, outsourced IT, and cloud-based everything, the real threat isn’t technical—it’s personal. It’s the voice on the line. The urgent request. The person who “sounds right.”
In this world, cybersecurity isn’t just about what you build. It’s about what you believe—and what you’re willing to question.
Therefore, you have to train your teams. Harden your protocols. And remember in the age of the cloud, the most important firewall is still human.
Trust—but always verify!

/by
, ,

When Cybersecurity Is an Afterthought

When Cybersecurity Is an Afterthought: The Victoria’s Secret Breach and the Looming Threat to E-Commerce
By Skeeter Wesinger
May 30, 2025

Victoria’s Secret recently experienced a significant cybersecurity incident that led to the temporary shutdown of its U.S. website and the suspension of certain in-store services. The company stated, “We have taken down our website and some in-store services as a precaution,” emphasizing their commitment to restoring operations securely.
While the exact nature of the breach remains undisclosed, the incident aligns with a series of cyberattacks targeting major retailers. Notably, the threat group known as Scattered Spider has been linked to similar attacks on UK retailers, including Marks & Spencer and Harrods. Security experts suggest that the tactics employed in the Victoria’s Secret breach bear a resemblance to those used by this group.
The impact of the breach extended beyond the digital storefront. Reports indicate disruptions to internal operations, including employee email access and distribution center functions. Customers faced challenges in placing orders, redeeming coupons, and accessing customer service.
Financially, the incident had immediate repercussions. Victoria’s Secret’s stock experienced a decline of approximately 7%, reflecting investor concerns over the implications of the breach.
This event highlights a broader issue: the persistent vulnerability of retailers to cyber threats, which is often exacerbated by inadequate adherence to cybersecurity protocols. Despite the increasing frequency of such attacks, many organizations remain underprepared, lacking robust security measures and comprehensive response plans.
Furthermore, the reluctance of some companies to disclose breaches hampers collective efforts to understand and mitigate cyber threats. Transparency is crucial in fostering a collaborative defense against increasingly sophisticated cybercriminals.
In conclusion, the Victoria’s Secret breach serves as a stark reminder of the critical importance of proactive cybersecurity measures. Retailers must prioritize the implementation of comprehensive security protocols, regular system audits, and employee training to safeguard against future incidents. The cost of inaction is not just financial but also erodes consumer trust and brand integrity.

/by
, , ,

In a classic phishing move

In a classic phishing move: spoofing a legit security company like VadeSecure to make the email look trustworthy. Irony at its finest—phishers pretending to be the anti-phishing experts.

Here’s what’s likely going on:

  • vadesecure.com is being spoofed—the return address is faked to show their domain, but the email didn’t actually come from Vade’s servers.

  • Or the phishers are using a lookalike domain (e.g., vadesecure-support.com or vadesecure-mail.com) to trick people not paying close attention.

If you still have the email:

  • You can check the email headers to see the real “from” server (look for Return-Path and Received lines).

  • If the SPF/DKIM/DMARC checks fail in the headers, that’s confirmation it’s spoofed.

  • You can also report it to VadeSecure directly at: abuse@vadesecure.com

By Skeeter Wesinger

March 26, 2025

/by