Mind the gap between IT and OT.

Iranian hackers hit LA transit. Chinese cyber operators target Middle East infrastructure. Dutch police take down a 17-million-device botnet. Researchers uncover a phishing risk in ChatGPT. Anthropic prepares its Mythos model for release. Chrome patches 22 critical bugs. Zapier fixes a dangerous vulnerability chain. ShinyHunters claims a Charter breach. A data broker who fueled scams against millions of seniors heads to prison. Maria Varmazis joins me for a look back at a decade of ransomware. A Google insider allegedly went from threat hunting to bet hunting.

Today is Friday May 29th 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Iranian hackers were likely behind a March cyberattack that disrupted LA public transit. 

Iranian-linked hackers were likely behind a March cyberattack that disrupted parts of the Los Angeles County Metropolitan Transportation Authority (LACMTA), according to Israeli cybersecurity firm Gambit Security. The company said it uncovered at least 700 gigabytes of stolen emails, backups, and other files after the data was accidentally exposed online. Gambit’s investigation traced the server hosting the data to a known hacking operation previously linked by Israeli officials and researchers to Iran.

The attack disrupted passenger-facing digital services, including arrival-time displays and digital fare card systems. Gambit reported that the operation went beyond data theft, with attackers allegedly deleting virtual machines, databases, storage volumes, and backup infrastructure in an apparent effort to hinder recovery efforts.

A group called Ababil of Minab claimed responsibility shortly after the intrusion. While the group presents itself as an independent activist organization, security researchers have long suspected ties to Iranian state-backed cyber operations. U.S. authorities, including the FBI, are investigating the incident, though official attribution remains unresolved.

The Chinese exploit geopolitical instability to target maritime, energy, and government organizations. 

Chinese state-aligned hacking groups are increasingly exploiting geopolitical instability in the Middle East to target maritime, energy, and government organizations, according to ESET’s latest APT Activity Report. Researchers observed Chinese cyber operations focused on improving Beijing’s visibility into regional political and economic developments following U.S. military actions against Iran. Activity included attacks on maritime-related government entities in Venezuela, Syrian government networks, and an AI and robotics company in South Korea, reflecting China’s broader strategic and economic interests.

The report also highlighted continued Russian cyber activity targeting Ukraine, including attacks on military-linked organizations, drone manufacturers, and logistics providers, as well as destructive malware campaigns attributed to Sandworm. Meanwhile, Iran-linked cyber operations appeared to shift from established state-backed groups to proxy and hacktivist actors, with Israel remaining a primary target for espionage and disruptive attacks.

Dutch police dismantle a major botnet. 

Dutch police have dismantled a botnet containing at least 17 million compromised devices after a tip from a researcher at the Netherlands’ National Cyber Security Centre. Investigators identified roughly 200 servers supporting the botnet’s infrastructure within the country and seized several systems for analysis. A hosting provider subsequently shut down the network after determining it was being used for criminal activity.

Authorities did not disclose the botnet’s name, the specific devices involved, or how it was used, though officials noted botnets are commonly leveraged for phishing, distributed denial-of-service attacks, and online fraud. The takedown comes amid growing concern over residential proxy networks, which cybercriminals increasingly use to disguise malicious traffic.

Separately, the NCSC reported cyberattacks against Dutch organizations fell to a nine-year low in 2024, a trend it partly attributed to broader adoption of multi-factor authentication.

Hidden Markdown payloads could trick ChatGPT into delivering phishing links. 

A prompt injection technique dubbed “ChatGPhish” could allow attacker-controlled web content to influence ChatGPT’s responses when users request page summaries. According to Permiso threat hunter Andi Ahmeti, hidden instructions embedded in a webpage’s Markdown can cause the chatbot to display convincing phishing links or fake security alerts that appear to originate from ChatGPT itself.

Ahmeti demonstrated how attackers could insert fraudulent account warnings and malicious links into otherwise legitimate summaries. He also showed that embedded QR codes could redirect victims from their desktops to attacker-controlled websites on mobile devices, potentially bypassing browser-based security protections. The vulnerability stems from ChatGPT treating untrusted external content as trusted input during summarization.

Ahmeti reported the issue to OpenAI through Bugcrowd but said he has not received confirmation that a fix has been implemented. Researchers recommend treating AI-generated content as untrusted and strengthening safeguards around rendered external content.

Anthropic preps Mythos for public consumption. 

Anthropic says it plans to make its powerful Mythos-class AI models available to all customers in the coming weeks after initially restricting access over cybersecurity concerns. Introduced in April for select organizations and security researchers, Mythos was withheld from public release because of concerns that advanced coding and reasoning capabilities could be misused by attackers. The company now says it has made significant progress developing safeguards to reduce those risks. Anthropic claims Mythos delivers substantial improvements in code reasoning and autonomy compared to its current flagship model, Claude Opus 4.8, though it has not confirmed exactly which version will be publicly released.

The latest Chrome update patches 22 critical vulnerabilities. 

Google has released a Chrome 148 update that patches 151 vulnerabilities, including 22 rated critical. The most severe flaws include an out-of-bounds write in the GPU component and a use-after-free bug in Network, with each earning researchers a $43,000 bug bounty. Most critical issues involve memory safety weaknesses that could potentially enable remote code execution or sandbox escapes. The update also fixes 123 high-severity vulnerabilities. Google says it has paid more than $130,000 in rewards so far, though many payouts remain undisclosed. The company has addressed more than 350 vulnerabilities across Chrome 148 releases since late March, with many discoveries attributed to Google’s internal research efforts.

Zapier patches a dangerous bug chain. 

Researchers at Token Security uncovered a chain of five vulnerabilities in the automation platform Zapier that could have allowed attackers with only a free account to compromise millions of users and their connected services. By linking several seemingly routine flaws, the researchers were able to access internal systems, recover credentials, and identify a code-signing key tied to software running in every logged-in user’s browser. In a worst-case scenario, an attacker could have modified automations, sent emails, moved data, or interacted with connected applications while appearing to be a legitimate user. The researchers also demonstrated access to a third-party executive’s Gmail account through an exposed key. Token Security reported the issues in February, and Zapier says all vulnerabilities were patched within weeks with no evidence of exploitation.

ShinyHunters claim a breach of Charter Communications. 

The ShinyHunters extortion group has claimed responsibility for a breach of Charter Communications that exposed data from 4.9 million accounts, according to Have I Been Pwned. The attackers allegedly gained access through a voice phishing attack targeting an employee’s Microsoft Entra account and then stole data from Charter’s Salesforce environment. Exposed information reportedly includes names, email addresses, phone numbers, physical addresses, and some employee records. Charter confirmed the breach but stated that no sensitive personal information or customer proprietary network information was exfiltrated. After Charter refused to pay a ransom, ShinyHunters allegedly published the stolen data on its leak site.

Jail time for a man convicted of selling personal information on over seven million elderly Americans. 

A North Carolina man has been sentenced to more than 10 years in prison for supplying personal information on over seven million elderly Americans to scammers who used the data in lottery fraud schemes. Troy Murray, who operated under the alias “Steve Dixon,” pleaded guilty to conspiracy to commit wire fraud and received a 121-month prison sentence, along with forfeiture of $5.2 million. Prosecutors said Murray sold thousands of lead lists containing names, addresses, phone numbers, and email addresses between 2016 and 2023, generating more than $5.2 million while contributing to over $9.5 million in victim losses. He allegedly distributed at least 22,000 lead lists and later accepted payment through prepaid gift cards. Authorities also charged his son with laundering $1.6 million in fraud proceeds.

A Google insider allegedly went from threat hunting to bet hunting. 

A Google security engineer is facing insider trading charges after prosecutors say he turned confidential company data into a remarkably successful prediction market strategy. Michele Spagnuolo, a Google employee since 2014, allegedly used access to Google’s unreleased “Year in Search” rankings to place highly accurate bets on the decentralized platform Polymarket under the alias “AlphaRaccoon.” The raccoon mask came off when investigators started rummaging through the digital trash cans.

According to authorities, Spagnuolo wagered roughly $2.75 million on whether certain people would appear in Google’s annual trending-search lists, then collected about $1.2 million in profits when the results were publicly released. The alleged winning streak attracted attention online, where users began speculating that AlphaRaccoon had inside knowledge. Prosecutors say the account was later scrubbed of its username and the proceeds were moved through cryptocurrency services designed to obscure transactions.

Now, the engineer who helped secure systems is accused of exploiting privileged access to game a market, a strategy that proved lucrative until investigators started searching as well. He faces fraud and money laundering charges carrying potential decades-long prison sentences.

As investment strategies go, “access to confidential data” tends to perform well, at least until discovery begins.

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com

We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry.  Learn how at n2k.com.

 

N2K’s lead producer is Liz Stokes. We’re mixed by  Tré Hester, with original music by and sound design Elliott Peltzman. Our contributing host is Maria Varmazis. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I’m Dave Bittner. Thanks for listening.