I assume I don’t have to explain last week’s Louvre jewel heist. I love a good
caper, and have (like many others) eagerly followed the details. An electric
ladder to a second-floor window, an angle grinder to get into the room and the
display cases, security guards there more to protect patrons than
valuables—seven minutes, in and out.

There were security lapses:
> The Louvre, it turns out—at least certain nooks of the ancient former
> palace—is something like an anopticon: a place where no one is observed. The
> world now knows what the four thieves (two burglars and two accomplices)
> realized as recently as last week: The museum’s Apollo Gallery, which housed
> the stolen items, was monitored by a single outdoor camera angled away from
> its only exterior point of entry, a balcony. In other words, a free-roaming
> Roomba could have provided the world’s most famous museum with more
> information about the interior of this space. There is no surveillance footage
> of the break-in...

Anthropic reports on a Claude user:
> We recently disrupted a sophisticated cybercriminal that used Claude Code to
> commit large-scale theft and extortion of personal data. The actor targeted at
> least 17 distinct organizations, including in healthcare, the emergency
> services, and government and religious institutions. Rather than encrypt the
> stolen information with traditional ransomware, the actor threatened to expose
> the data publicly in order to attempt to extort victims into paying ransoms
> that sometimes exceeded $500,000.
>
> The actor used AI to what we believe is an unprecedented degree. Claude Code
> was used to automate reconnaissance, harvesting victims’ credentials, and
> penetrating networks. Claude was allowed to make both tactical and strategic
> decisions, such as deciding which data to exfiltrate, and how to craft
> psychologically targeted extortion demands. Claude analyzed the exfiltrated
> financial data to determine appropriate ransom amounts, and generated visually
> alarming ransom notes that were displayed on victim machines...

A DoorDash driver stole over $2.5 million over several months:
> The driver, Sayee Chaitainya Reddy Devagiri, placed expensive orders from a
> fraudulent customer account in the DoorDash app. Then, using DoorDash employee
> credentials, he manually assigned the orders to driver accounts he and the
> others involved had created. Devagiri would then mark the undelivered orders
> as complete and prompt DoorDash’s system to pay the driver accounts. Then he’d
> switch those same orders back to “in process” and do it all over again. Doing
> this “took less than five minutes, and was repeated hundreds of times for many
> of the orders,” writes the US Attorney’s Office...

Long story of a $250 million cryptocurrency theft that, in a complicated chain
of events, resulted in a pretty brutal kidnapping.

It looks like a very sophisticated attack against the Dubai-based exchange
Bybit:
> Bybit officials disclosed the theft of more than 400,000 ethereum and staked
> ethereum coins just hours after it occurred. The notification said the digital
> loot had been stored in a “Multisig Cold Wallet” when, somehow, it was
> transferred to one of the exchange’s hot wallets. From there, the
> cryptocurrency was transferred out of Bybit altogether and into wallets
> controlled by the unknown attackers.
>
> […]
>
> …a subsequent investigation by Safe found no signs of unauthorized access to
> its infrastructure, no compromises of other Safe wallets, and no obvious
> vulnerabilities in the Safe codebase. As investigators continued to dig in,
> they finally settled on the true cause. Bybit ultimately said that the
> fraudulent transaction was “manipulated by a sophisticated attack that altered
> the smart contract logic and masked the signing interface, enabling the
> attacker to gain control of the ETH Cold Wallet.”...

It turns out that all cluster mailboxes in the Denver area have the same master
key. So if someone robs a postal carrier, they can open any mailbox.
I get that a single master key makes the whole system easier, but it’s very
fragile security.

It’s low tech, but effective.

Why Germany? It has more ATMs than other European countries, and—if I read the
article right—they have more money in them.