Security Digest

Mines and Mythos

Trump ordered the Navy to shoot Iranian boats mining Hormuz. Voice phishing surged against IT helpdesks. The Vercel breach widened. India's finance minister flagged Anthropic Mythos as a banking risk. A new 2 Tbps DDoS record set a fresh ceiling for the threat surface.

This Week in Brief

The Strait of Hormuz crossed from blockade into mine warfare, and Trump’s response was a shoot-and-kill order against Iranian small craft. A third US aircraft carrier reached the region. On the security side, the week’s pattern was social-engineering scale: voice phishing campaigns running against IT helpdesks at industrial volume, a 2 Tbps DDoS record set by a new IoT botnet, and the Vercel breach widening into a multi-customer incident. India’s finance minister convened bank chiefs over Anthropic Mythos AI risks, and a Black Hat Asia demo showed a city’s worth of public EV chargers can be disabled remotely. The DOJ Epstein archive crossed 259,000 PDFs, with tracked-figure hit counts roughly doubling week-over-week as DataSet 10 completed and DataSet 11 pulled in.


Security

Voice Phishing at Helpdesk Scale

The week’s standout social-engineering pattern was a surge in voice phishing (vishing) attacks targeting IT helpdesks: attackers call in posing as employees, talk the desk into password resets and MFA bypasses, and pivot from there into the corporate environment. The volume is what’s new. Helpdesks are the soft tissue of the identity perimeter, and they’re being worked at scale this quarter. If your helpdesk’s password-reset workflow trusts a confident voice and a plausible employee number, that’s the vector. Add callback verification to a number already on file, supervisor approval for high-privilege resets, and out-of-band confirmation for any MFA reset request.
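As an added example (not the digest’s own tooling, and not any vendor’s), here is a small hypothetical reset-request gate that encodes the three controls above, plus a detector for the campaign-scale pattern of one caller cycling through employee ids. The directory, the request fields and the attempt log are constructed sample data.

```python
"""Hypothetical helpdesk reset-request gate (added example, not from the digest).

It encodes the three controls the section recommends:
  1. callback verification, dialled to the number already on file (never one
     the caller supplies),
  2. supervisor approval for resets on high-privilege accounts,
  3. out-of-band confirmation for any MFA reset.
The directory, request fields and attempt log are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample directory: employee id -> phone on file and privilege tier.
DIRECTORY = {
    "E1001": {"phone_on_file": "+1-555-0100", "privileged": False},
    "E2002": {"phone_on_file": "+1-555-0200", "privileged": True},
}


@dataclass
class ResetRequest:
    employee_id: str
    request_type: str                           # "password" or "mfa"
    caller_supplied_phone: str                  # number the caller asks to be reached on
    callback_number_used: Optional[str] = None  # number the agent actually dialled
    callback_confirmed: bool = False            # caller answered on that number
    supervisor_approved: bool = False           # ticket carries a supervisor sign-off
    oob_confirmed: bool = False                 # confirmed via existing MFA device or manager


def evaluate(req: ResetRequest):
    """Return (allowed, reasons). Every failed control is listed so the agent
    and the SIEM can see exactly which step blocked the request."""
    reasons = []
    rec = DIRECTORY.get(req.employee_id)
    if rec is None:
        return False, ["unknown employee id"]
    if req.request_type not in ("password", "mfa"):
        return False, ["unsupported request type"]
    # Control 1: the callback has to reach the number on file. A caller who
    # steers the agent to a different number fails here regardless of how
    # convincing the story was.
    if not req.callback_confirmed:
        reasons.append("callback not completed")
    elif req.callback_number_used != rec["phone_on_file"]:
        reasons.append("callback went to a number not on file")
    # Control 2: privileged accounts need a supervisor on the ticket.
    if rec["privileged"] and not req.supervisor_approved:
        reasons.append("supervisor approval required for privileged account")
    # Control 3: MFA resets always need out-of-band confirmation.
    if req.request_type == "mfa" and not req.oob_confirmed:
        reasons.append("out-of-band confirmation required for MFA reset")
    return (not reasons), reasons


def flag_repeat_callers(attempts, threshold=3):
    """attempts: iterable of (caller_id, allowed). Returns caller ids whose
    blocked attempts reach the threshold; at campaign scale the same caller
    cycling through employee ids is the signal worth paging on."""
    blocked = {}
    for caller, allowed in attempts:
        if not allowed:
            blocked[caller] = blocked.get(caller, 0) + 1
    return sorted(c for c, n in blocked.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed vishing attempt: caller asks for a callback to their own number.
    attempt = ResetRequest("E2002", "mfa", "+1-555-0999",
                           callback_number_used="+1-555-0999", callback_confirmed=True)
    print(evaluate(attempt))
```

The point of returning every failed reason rather than the first one is that the helpdesk log then shows which control actually did the work, which is what a tabletop exercise needs to measure.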

Record DDoS — 2 Tbps from a New Botnet

A new IoT botnet pushed a sustained 2 Tbps DDoS attack this week, a new ceiling. The combination of cheap consumer devices with poor patch hygiene and high-bandwidth fibre last miles is what keeps that ceiling rising. Mitigation hasn’t changed: Anycast scrubbing, capacity-based provider arrangements, and an actual DDoS playbook that includes a comms plan. The DDoS economy is still cheaper to run than to defend against.

Vercel Breach Widens

The April Vercel breach kept expanding through the week as more customer environments turned out to have been touched. Vercel hosts a significant slice of modern frontend deployments: Next.js apps, API edge functions, embedded forms. If you ship through Vercel, audit deployment tokens and any environment variables that were active during the exposure window, rotate everything that looked sensitive, and check git-integration tokens that may have been exposed at the platform layer.
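As an added example (not Vercel’s tooling and not part of the digest), the audit step above, and item 3 of the action list further down, can be run over an exported secret inventory like this. The inventory is constructed sample data shaped like a deployment platform’s export of environment variables and tokens; WINDOW_START and WINDOW_END are placeholders, since the digest does not give the exposure window, and must be replaced with the dates the vendor publishes.

```python
"""Added example (not Vercel's tooling, not the digest's): triage a platform
secret inventory against a breach exposure window.

INVENTORY is a constructed list shaped like a deployment platform's export of
environment variables and tokens. WINDOW_START / WINDOW_END are placeholders;
substitute the exposure window the vendor publishes.
"""
from datetime import datetime, timezone
import re

UTC = timezone.utc
WINDOW_START = datetime(2026, 4, 1, tzinfo=UTC)   # placeholder, not from the digest
WINDOW_END = datetime(2026, 4, 20, tzinfo=UTC)    # placeholder, not from the digest

# Names that usually carry a credential rather than a setting.
SENSITIVE_NAME = re.compile(
    r"(TOKEN|SECRET|KEY|PASS(WORD)?|DSN|DATABASE_URL|WEBHOOK|PRIVATE|CREDENTIAL)", re.I)
# Deploy and git-integration tokens are rotated whatever they are called.
ALWAYS_ROTATE_KINDS = {"deploy_token", "git_integration"}

# Constructed sample inventory. value_since = when the current value went live;
# retired_at = when it stopped being used (None = still live).
INVENTORY = [
    {"name": "DATABASE_URL", "kind": "env",
     "value_since": "2026-03-10T00:00:00Z", "retired_at": None},
    {"name": "NEXT_PUBLIC_SITE_NAME", "kind": "env",
     "value_since": "2025-11-01T00:00:00Z", "retired_at": None},
    {"name": "ANALYTICS_REGION", "kind": "env",
     "value_since": "2026-02-01T00:00:00Z", "retired_at": None},
    {"name": "STRIPE_SECRET_KEY", "kind": "env",          # rotated after the window
     "value_since": "2026-04-22T00:00:00Z", "retired_at": None},
    {"name": "ci-deploy", "kind": "deploy_token",
     "value_since": "2026-01-15T00:00:00Z", "retired_at": None},
    {"name": "github-app", "kind": "git_integration",
     "value_since": "2025-09-01T00:00:00Z", "retired_at": None},
    {"name": "OLD_API_KEY", "kind": "env",                # retired before the window
     "value_since": "2025-06-01T00:00:00Z", "retired_at": "2026-03-15T00:00:00Z"},
]


def parse_ts(s):
    return None if s is None else datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


def live_during(record, start, end):
    """True if the current value was in use at any point inside [start, end]."""
    since = parse_ts(record["value_since"])
    retired = parse_ts(record["retired_at"])
    return since <= end and (retired is None or retired >= start)


def classify(record, start=WINDOW_START, end=WINDOW_END):
    """'ok' (never exposed, or public by design), 'rotate', or 'review'."""
    if not live_during(record, start, end):
        return "ok"
    # NEXT_PUBLIC_* values are bundled into the browser build by Next.js, so
    # they are not secrets in the first place.
    if record["name"].startswith("NEXT_PUBLIC_"):
        return "ok"
    if record["kind"] in ALWAYS_ROTATE_KINDS or SENSITIVE_NAME.search(record["name"]):
        return "rotate"
    return "review"


def audit(inventory=INVENTORY, start=WINDOW_START, end=WINDOW_END):
    """Map each secret name to its action."""
    return {r["name"]: classify(r, start, end) for r in inventory}


def rotation_list(inventory=INVENTORY, start=WINDOW_START, end=WINDOW_END):
    return sorted(n for n, a in audit(inventory, start, end).items() if a == "rotate")


if __name__ == "__main__":
    for name, action in audit().items():
        print(f"{action:7} {name}")
```

Anything that lands in "review" is a value whose name does not look like a credential but which was live during the window; those still need a human decision, because a connection string or callback URL can carry a secret without advertising it.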

Anthropic Mythos Flagged for Banking Risk

On April 23, Indian Finance Minister Nirmala Sitharaman convened heads of major banks for a high-level meeting on the security risks posed by Anthropic’s Mythos AI in financial systems. The concern, picking up the thread from 012’s report on Anthropic restricting Mythos Preview after autonomous zero-day discovery, is that Mythos-class capabilities now plausibly assist attackers against banking infrastructure at speed: phishing copy generation, transaction-laundering pattern variation, and live exploitation of disclosed flaws faster than patch cycles can close them. India isn’t unique here. Expect similar reviews from EU, UK, and Singaporean regulators in the coming weeks.

EV Charger Infrastructure Breakable at Scale

A Black Hat Asia demonstration this week showed that weak authentication in public EV charger management platforms allows a remote attacker to disable every public charger in a city. The pattern, IoT infrastructure deployed with consumer-grade auth, is the same one that drives DDoS botnet recruitment. The fix is neither glamorous nor expensive; it’s just not happening because the operator economics don’t reward it.

Continuing — SharePoint Deadline Today, ChipSoft Fallout, Healthcare Ransomware

  • CVE-2026-32201 (SharePoint) — federal CISA KEV remediation deadline is today, April 28. Pre-auth network spoofing, actively exploited. If you’re still on a pre-April 15 build, you’re out of compliance and exposed.
  • ChipSoft (Netherlands) — three weeks after the April 7 attack, several Dutch hospitals are still running degraded. No ransomware group has claimed responsibility. The unclaimed signal continues to suggest something other than a standard criminal operation.
  • Hospital-ransomware-as-terrorism policy proposal (former FBI cyber chief, April 21) has gained traction in US Senate discussions this week. Watch for legislative motion through May.

Conflicts

Hormuz: From Blockade to Mine Warfare to Shoot-on-Sight

The Strait situation escalated three steps this week:

  1. Iranian boats began mining the Strait of Hormuz with naval mines deployed from small craft.
  2. Trump ordered the US Navy to “shoot and kill” Iranian boats observed mining the Strait.
  3. A third aircraft carrier arrived in the region. The US also boarded another tanker accused of smuggling Iranian oil.

The Strait is at “an effective standstill” for non-military traffic; shipping insurers have priced the risk to the point that legitimate commercial passage has paused. Trump’s posture: “we are in no rush to end the war with Iran but the clock is ticking for Iran.” The Islamabad talks remain stalled; Iran has not asked for a ceasefire and has reasserted earlier maximalist demands (no missile-program limits, formal Hormuz control, compensation for war damage, security guarantees).

Israel-Lebanon: Ceasefire Extended, Then Tested

Israel and Lebanon extended their ceasefire by three weeks following a White House meeting between representatives of both sides. The same week, Israel struck a Hezbollah missile launcher in Lebanon after Hezbollah fired into Israel; Israeli air defences intercepted the launch. The ceasefire is holding on paper while both sides continue limited tactical exchanges. Hezbollah remains a sticking point in any wider US-Iran framework.

Climate Cost of the War

A March 21 Climate and Community Institute analysis quantified the first 14 days of the US-Israel war on Iran as releasing more carbon than the annual emissions of several smaller nations including Iceland. The CCI report has gained policy uptake this week as European environment ministers cite it in domestic debate over arms-export licensing.

China’s Currency Push

War and sanctions are accelerating China’s bid to build a renminbi-based financial system beyond the dollar’s reach, per Wall Street Journal reporting picked up across the week. The traction is real: Gulf and BRICS-adjacent counterparties are moving more settlement off USD rails. The macro consequences are slower-moving than Hormuz but durable.


DOJ Epstein Archive

The Transparency Act pipeline crossed 259,591 PDFs this week as DataSet 10 completed (~166k files) and DataSet 11 entered active pull (~53k of an unknown total). Total local archive: 27 GB. Tracked-figure hit counts roughly doubled week-over-week as the larger corpus came online:

rod-larsen      1225  (was 657)
jagland          791  (was 383)
ehnbom           633  (was 237)
andersson-dubin   18  (was 12)
Mona Juul          7  (unchanged)

The Nordic OCR scanner remains paused; the image-heavy fraction of the archive has not yet been processed. Expect another step-change in tracked-figure hits when OCR resumes against DataSets 9–11.


By the Numbers

Category                                                   This Week
Sustained DDoS record set this week                        2 Tbps
Iranian boats targeted by Trump’s “shoot and kill” order   mining-equipped small craft
US aircraft carriers now in the Middle East                3
Israel-Lebanon ceasefire extension                         3 weeks
SharePoint CVE-2026-32201 remediation deadline             2026-04-28 (today)
DOJ archive PDFs (local mirror)                            259,591
Tracked-figure hits increase week-over-week                ~2×
Days of degraded operations at Dutch hospitals (ChipSoft)  21

What to Do This Week

  1. Voice-phish your helpdesk now. Run a tabletop. Confirm reset workflows require callback to a known number, supervisor approval over a threshold, and out-of-band MFA confirmation. The vishing campaigns are working because most helpdesks haven’t been pressure-tested against them.
  2. Confirm SharePoint patches are deployed. April 28 KEV deadline. If you haven’t, you are non-compliant and exposed to pre-auth exploitation.
  3. Audit Vercel deployment tokens and environment variables. Rotate anything sensitive that was live during the breach window. Check git-integration tokens.
  4. AI security review for finance teams. Anthropic Mythos isn’t theoretical anymore. If your fraud or AML platform has begun ingesting LLM-generated content (transaction descriptions, customer comms), treat the input layer as actively adversarial.
  5. DDoS playbook review. 2 Tbps as a new ceiling means the bar for “we’re being attacked above our scrub capacity” just rose. Confirm provider escalation paths are current.
  6. Healthcare IT vendors: ChipSoft’s 21st day of degraded hospital operations is your case study for vendor-side blast radius. Use it.

FTRCRP Security Digest, published weekly. Sources: FTRCRP evidence pipeline (DOJ tracker, Nordic scanner, scam monitor), open-source reporting (Reuters, Bing News aggregation, BleepingComputer, The Hacker News, SecurityWeek, Wall Street Journal, Climate and Community Institute). Week 18, 2026-04-28