Welcome to Canary Trap’s “Bi-Weekly Cyber Roundup”. At Canary Trap, it is our mission to keep you up-to-date with the most crucial news in the world of cybersecurity, and this bi-weekly publication is your gateway to the latest news.
In this week’s round-up, we’ll explore a range of critical cybersecurity and tech developments, including the largest theft in history linked to the Bybit hack, Microsoft’s legal actions against AI hackers, and the discovery of nearly 12,000 exposed API keys and passwords in an AI training dataset. We’ll also explore a new malware campaign exploiting the Microsoft Graph API to infect Windows and examine the latest advancements from Google, Microsoft, and Amazon as they compete to create fault-tolerant qubits in quantum computing.
- The Largest Theft in History – Following the Money Trail from the Bybit Hack
Cryptocurrency exchange Bybit has fallen victim to the largest digital asset theft in history, with hackers stealing approximately $1.46 billion. Preliminary investigations indicate that malware was used to manipulate transaction approvals, allowing the attackers to divert funds unnoticed.
Blockchain analytics has attributed the attack to North Korean state-sponsored hackers, based on familiar laundering patterns and infrastructure links. The FBI later confirmed North Korea’s involvement. This latest breach adds to an estimated $6 billion in stolen cryptocurrency attributed to North Korean cybercriminals since 2017, with reports suggesting the funds are funneled into the country’s ballistic missile program.
The laundering process began within minutes of the attack, with stolen tokens such as stETH and cmETH rapidly exchanged for Ether via decentralized exchanges (DEXs) to prevent asset freezes by token issuers. The hackers then distributed the funds across at least 50 wallets, each containing approximately 10,000 ETH, before systematically moving them through cross-chain bridges, mixing services, and centralized exchanges.
One key facilitator of the laundering process is eXch, a cryptocurrency exchange known for allowing anonymous transactions. Over $120 million in stolen assets have been funneled through eXch, which has refused Bybit’s requests to block illicit transactions. Despite its attempts to obscure these dealings, the exchange continues to earn significant fees from processing the stolen funds.
Security firms, cryptocurrency platforms, and law enforcement agencies are working around the clock to trace and recover the assets. Some stolen funds have already been seized, but North Korea’s increasingly sophisticated laundering tactics present an ongoing challenge to international financial security.
- Microsoft Names Suspects in Lawsuit Against AI Hackers
Microsoft has publicly identified four individuals allegedly linked to a cybercriminal network known as Storm-2139, as part of an ongoing legal battle against the abuse of AI services.
The lawsuit, initially filed in December 2024, targets a group Microsoft refers to as the “Azure Abuse Enterprise.” This group is accused of creating and distributing tools that bypass the security measures of generative AI platforms, enabling users to generate deepfakes and other illicit content.
According to Microsoft’s findings, Storm-2139 has compromised services like Azure OpenAI by acquiring exposed credentials from public sources. These credentials grant unauthorized access, allowing the attackers to manipulate AI capabilities and sell modified versions along with instructions on producing harmful content. The investigation has categorized individuals involved in the operation into three roles: “creators”, who develop AI manipulation tools; “providers”, who distribute and modify these tools; and “users”, who generate unauthorized content. Microsoft notes that much of the illicit material revolves around celebrities and explicit imagery. Microsoft has identified additional members of Storm-2139 operating in various countries, including the United States, Austria, Turkey, Russia, Denmark, and several South American nations. Two individuals linked to the network have been located in Florida and Illinois, though their names have been withheld due to potential law enforcement investigations.
Microsoft has already taken down a website associated with the operation. In response, some members of Storm-2139 retaliated by doxing Microsoft’s legal team, exposing their personal information online. Meanwhile, internal disputes have surfaced, with some accused members revealing others’ real identities or attempting to shift blame.
Microsoft is preparing criminal referrals for both U.S. and international law enforcement agencies.
- Nearly 12,000 API Keys and Passwords Found in AI Training Dataset
Nearly 12,000 active API keys and passwords have been identified within the Common Crawl dataset, a massive open-source web archive frequently used for training artificial intelligence models.
Common Crawl, a non-profit organization, has been collecting and maintaining a publicly available repository of web data since 2008, amassing petabytes of information. Given its scale and accessibility, many AI developers incorporate portions of this dataset to train large language models (LLMs) from organizations such as OpenAI, Google, Meta, Anthropic, Stability AI, and DeepSeek.
An investigation by security researchers uncovered 11,908 valid authentication secrets, including API keys for Amazon Web Services (AWS), MailChimp, and WalkScore. These findings suggest that some LLMs may be trained on insecure code containing hardcoded credentials. Although AI training datasets typically undergo pre-processing to remove duplicate, irrelevant, harmful, or sensitive data, completely filtering out confidential information remains a significant challenge. This raises concerns about LLMs inadvertently learning from and potentially exposing sensitive credentials.
219 distinct secret types were identified in the dataset, with MailChimp API keys being the most frequently exposed. Approximately 1,500 unique MailChimp keys were hardcoded into HTML and JavaScript, rather than being stored securely in server-side environment variables. This type of misconfiguration could enable attackers to conduct phishing campaigns, impersonate brands, or exfiltrate data. One notable case involved a single WalkScore API key appearing over 57,000 times across nearly 1,900 subdomains, indicating a high rate of credential reuse. Additionally, a webpage was found containing 17 active Slack webhook URLs, which could allow unauthorized access to post messages within Slack channels.
Following their discovery, security researchers collaborated with affected vendors to revoke compromised credentials, ultimately helping organizations rotate or deactivate thousands of exposed keys. However, these findings highlight a broader issue: poor security practices, such as hardcoding sensitive information in publicly accessible code, may not only expose organizations to cyber threats but could also influence the behavior of AI models trained on insecure data.
Even if an LLM is trained on older versions of the Common Crawl dataset, this research underscores the importance of secure coding practices to prevent confidential information from being inadvertently embedded in AI-generated outputs.
- New Malware Campaign Exploits Microsoft Graph API to Infect Windows
A newly discovered cyberattack campaign employs a combination of social engineering, multi-stage malware, and the abuse of legitimate cloud services to compromise Windows systems. This campaign introduces a modified version of the “Havoc Demon Agent”, an open-source post-exploitation framework while leveraging the “Microsoft Graph API” to mask malicious activity within legitimate cloud traffic.
The attack begins with a phishing email containing an HTML attachment designed to trick recipients into executing a PowerShell command. Using a technique known as “ClickFix,” the email presents a fabricated error message, urging the user to manually copy and execute a command in their system’s terminal. This action triggers a sequence of events leading to the download and execution of additional malicious scripts, strategically hosted on a SharePoint site to blend into a trusted environment. The initial PowerShell script evades sandbox detection before retrieving a Python script, which then injects a malicious DLL (KaynLdr). This DLL loads an embedded secondary payload while using API hashing to further obscure its operations.
At the core of the attack is the abuse of Microsoft Graph API for command-and-control (C2) communications. The Havoc Demon DLL= initiates communication by obtaining access tokens and creating uniquely named files within the victim’s SharePoint document library. These files serve as channels for exfiltrating system data and receiving commands, all encrypted using AES-256 in CTR mode. The malware then executes various post-exploitation actions, including data exfiltration, file manipulation, and token hijacking.
Security researchers warn that the increasing use of open-source C2 frameworks and legitimate cloud services allows threat actors to evade detection more effectively. The campaign’s reliance on manual user interaction, such as copying and pasting commands highlights an evolving social engineering tactic that adds an extra layer of deception.
Given the growing sophistication of these threats, cybersecurity professionals emphasize the need for heightened vigilance against phishing emails and any message that encourages executing terminal commands.
- Google, Microsoft, and Amazon’s Competing Paths to Fault-Tolerant Qubits
In the rapidly evolving world of quantum computing, February 2025 saw a significant leap forward with the announcement of two groundbreaking quantum chips: Amazon’s Ocelot and Microsoft’s Majorana 1, following Google’s release of Willow in December 2024. These new developments signal a concerted effort from tech giants to solve one of quantum computing’s most daunting challenges: quantum error correction.
Amazon’s latest chip, Ocelot, introduces a novel approach to error correction with its use of cat qubits. These qubits, named after Schrödinger’s famous thought experiment, employ bosonic error correction techniques that leverage the quantum harmonic oscillator. The key advantage of this approach is its ability to naturally suppress bit-flip errors, one of the most common issues in quantum systems.
By increasing the number of photons in the oscillator, the rate of bit-flip errors can be exponentially reduced, making error correction much more efficient. According to Fernando Brandao and Oskar Painter from Amazon, this method significantly improves quantum error correction efficiency by up to 90%. Unlike other quantum chips that rely on external error correction after computation, Ocelot’s design aims to minimize errors directly within the qubits themselves. This makes the chip closer in spirit to Microsoft’s Majorana 1, which also focuses on reducing errors through the inherent properties of the qubits.
While Amazon pushes forward with cat qubits, Microsoft takes a completely different approach with its Majorana 1 chip, which uses topological qubits. These qubits are based on Majorana zero modes, exotic quantum states that offer inherent stability and fault tolerance. Microsoft believes that using topological qubits will reduce the number of physical qubits needed to create a functioning logical qubit. The company has already demonstrated the placement of eight topological qubits on a chip designed to scale up to one million qubits in the future. While Majorana 1 is an exciting breakthrough, it remains to be seen whether it will offer a viable path toward practical quantum computing. Microsoft’s claim that this chip could revolutionize quantum stability is a promising development, but it is still very much in the experimental stage.
Google’s Willow chip, released in December 2024, is the closest to Amazon’s Ocelot in terms of architecture, both relying on superconducting qubits. Willow has focused on refining the measurement of qubits to reduce bit-flip and phase-flip errors, making superconducting qubits more reliable as they scale up. Google’s significant advancement lies in its ability to cut the error rate in half, achieving what they describe as an exponential reduction in errors. This improvement brings Willow closer to the threshold for error rates where it is possible to build arbitrarily large quantum computers. The idea is that reducing errors as the number of qubits increases will eventually make large-scale quantum computing viable. Google’s work with Willow has set a high bar for quantum error correction, making it one of the most advanced chips currently available.
All three companies, Amazon, Microsoft, and Google, are tackling the same core problem in different ways. Each new chip is a step forward, but the path to truly scalable and error-free quantum computing remains uncertain.
As the race toward practical quantum computing continues, these innovations are pushing the boundaries of what is possible. Every step forward, whether through improving existing techniques or exploring new avenues, brings the quantum computing community closer to a scalable, usable quantum computer—one that could transform industries and solve complex problems beyond the reach of today’s most powerful supercomputers.
References:
https://www.elliptic.co/blog/bybit-hack-largest-in-history
https://www.securityweek.com/microsoft-names-suspects-in-lawsuit-against-ai-hackers/
https://hackread.com/malware-exploits-microsoft-graph-api-infect-windows/
Post Comment