
The algorithm gets questioned.
French police raid X’s Paris offices. The Feds take over $400 million from a dark web cryptocurrency mixer. The NSA says zero-trust goes beyond authentication. Researchers warn of a multi-stage phishing campaign targeting Dropbox credentials. A new GlassWorm campaign targets macOS developers. Critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile are under active exploitation. Researchers disclose a major data exposure on Moltbook, a social network built for AI agents. States bridge the gaps in election security. Nitrogen ransomware has a fatal flaw that permanently destroys data. Supersize your passwords — you want fries with that?
Today is Tuesday, February 3rd, 2026. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
French police raid X’s Paris offices.
French police raided X’s Paris offices as part of a criminal investigation into whether the platform allowed foreign powers to manipulate its algorithm. The probe, announced by the Parquet de Paris, began in January 2025 following complaints from a French lawmaker and a senior public official. Prosecutors are examining allegations of organized interference with automated data systems and fraudulent data extraction. The investigation later expanded to include X’s Grok chatbot, accused of spreading Holocaust denial and sexually explicit deepfakes. Because the case involves organized crime allegations, police have enhanced surveillance powers. Authorities have summoned Elon Musk and former CEO Linda Yaccarino for voluntary interviews in April 2026. X has criticized the probe as a politically motivated attack on free speech.
The Feds take over $400 million from a dark web cryptocurrency mixer.
The US government has taken ownership of more than $400 million in assets tied to Helix, a dark web cryptocurrency mixer used to launder illicit funds. Helix operated from 2014 to 2017 and processed more than 350,000 bitcoins, primarily for online drug markets. Its creator, Larry Dean Harmon, pleaded guilty in 2021. The final forfeiture order caps a multinational investigation and highlights growing law enforcement focus on asset seizure and restitution, according to the U.S. Department of Justice.
The NSA says zero-trust goes beyond authentication.
The National Security Agency has released updated zero trust guidance urging US government agencies to adopt continuous, behavior-driven security models as cyberattacks increasingly bypass traditional defenses. The recommendations outline phase one and two steps toward what the Department of Defense calls target-level zero trust maturity. Rather than treating authentication as a one-time gate, the NSA frames zero trust as an operating model that persists throughout a user or system session. The guidance emphasizes continuous evaluation based on user behavior, privilege use, and resource access, addressing gaps between stated zero trust strategies and real-world enforcement. Analysts say the focus reflects the reality that many successful attacks now occur after credentials are compromised. While aimed at national security systems, the guidance was released publicly to align expectations across civilian agencies and industry.
Researchers warn of a multi-stage phishing campaign targeting Dropbox credentials.
Researchers at Forcepoint X-Labs are warning of a multi-stage phishing campaign designed to evade security controls and steal corporate credentials for Dropbox. The campaign uses brief, professional-looking emails tied to procurement or business requests, urging recipients to open a PDF attachment. Those PDFs contain hidden AcroForm links that are difficult for security tools to scan. Victims are redirected through legitimate cloud infrastructure to a convincing fake Dropbox login page. According to Forcepoint, this approach bypasses reputation-based defenses and reduces suspicion. Stolen credentials are sent to attacker-controlled channels on Telegram, enabling account takeover and potential follow-on attacks. Researchers note the campaign reflects a broader surge in credential theft and identity-based intrusions that can lead to deeper network compromise.
A new GlassWorm campaign targets macOS developers.
Researchers are warning of a new GlassWorm campaign that spread through compromised extensions on OpenVSX, targeting macOS developers. Attackers hijacked a legitimate developer account and pushed malicious updates to four popular extensions, downloaded roughly 22,000 times. The malware hides code using invisible Unicode characters and steals browser data, crypto-wallet information, developer secrets, and macOS keychain data, while also enabling remote access. According to a report from Socket, the campaign pulls commands from Solana transaction memos and avoids Russian-locale systems. OpenVSX operator Eclipse Foundation removed the malicious releases and revoked access. Affected developers are advised to clean systems and rotate all credentials.
Critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile are under active exploitation.
Researchers at watchTowr are warning of active exploitation of critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile, a tool widely used to manage corporate mobile devices. Ivanti disclosed two severe code injection flaws, CVE-2026-1281 and CVE-2026-1340, that allow unauthenticated remote code execution on on-premises deployments. watchTowr says attackers have already exploited the bugs as zero-days, establishing backdoors and potentially erasing logs. Ivanti has issued a temporary RPM-based patch, but it must be reapplied after updates and is not a permanent fix. A full update is expected in early 2026. Researchers warn that organizations with exposed systems should assume compromise, begin incident response, and consider rebuilding affected infrastructure.
Researchers disclose a major data exposure on Moltbook, a social network built for AI agents.
Security researchers at Wiz disclosed a major data exposure on Moltbook, a social network built for AI agents. The issue stemmed from an exposed Supabase API key embedded in client-side code, which lacked row-level security controls and granted full read and write access to the production database. Wiz researchers were able to access 1.5 million API tokens, 30,000 email addresses, and private agent messages, and could impersonate any account. The platform’s creator, Matt Schlicht, has since fixed the flaw. Wiz warned the incident highlights the risks of “vibe coding,” where rapid development outpaces secure configuration and human security review.
States bridge the gaps in election security.
State and local election officials say the Trump administration’s second term has sharply reduced federal support for election security, forcing states to fend for themselves, CyberScoop reports. While President Donald Trump previously backed the creation of the Cybersecurity and Infrastructure Security Agency and major election security grants, officials now report staff cuts, reduced services, and diminished communication from CISA. Congressional Democrats, including Senator Alex Padilla, warn states are losing critical partnerships and funding. With federal grants from the Election Assistance Commission averaging less than $1 million per state, states like Arizona and West Virginia are turning to legislatures and local coordination to cover gaps. Officials such as Adrian Fontes dispute White House claims that federal support remains unchanged, saying election security assistance has clearly declined.
Nitrogen ransomware has a fatal flaw that permanently destroys data.
Researchers say Nitrogen ransomware’s ESXi variant contains a fatal cryptographic flaw that permanently destroys data, even for the attackers themselves. The malware is derived from leaked Conti 2 builder code and uses public key cryptography to encrypt files. However, a coding error overwrites four bytes of the per-file public key in memory before encryption. As a result, files are encrypted using a corrupted public key that has no corresponding private key.
This breaks the normal Curve25519 key exchange process and makes decryption mathematically impossible. Paying a ransom will not help, since the attacker’s decryption tools cannot recover the data either. Victims without reliable backups have no recovery path. Analysts warn organizations hit by Nitrogen on ESXi systems to carefully assess encrypted files alongside the specific malware sample, as recovery outcomes depend entirely on whether backups exist.
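To make the Nitrogen flaw concrete, here is an added example (not code from the briefing, from Nitrogen, or from the Conti builder): a minimal pure-Python X25519 plus a per-file key setup in the style the story describes, where the in-memory copy of the attacker's public key is clobbered before the exchange runs. The key layout (one ephemeral keypair per file, with the ephemeral public key stored alongside the file) and the corruption pattern (first four bytes zeroed) are assumptions for illustration only.

```python
# Added example, not from the briefing or any malware sample: pure-Python X25519
# (RFC 7748) showing why a public key corrupted before the exchange is unrecoverable.
import os

P = 2**255 - 19                        # Curve25519 field prime
A24 = 121665                           # (486662 - 2) / 4
BASEPOINT = (9).to_bytes(32, "little")

def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] = (k[31] & 127) | 64
    return int.from_bytes(k, "little")

def x25519(scalar: bytes, point: bytes) -> bytes:
    """Montgomery ladder: scalar * point, u-coordinate only (RFC 7748 section 5)."""
    k = _clamp(scalar)
    u = int.from_bytes(point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, u, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = u * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def keypair(priv=None):
    priv = priv or os.urandom(32)
    return priv, x25519(priv, BASEPOINT)

def per_file_secrets_match(attacker_priv: bytes, attacker_pub: bytes, corrupt: bool) -> bool:
    """Assumed per-file layout: fresh ephemeral keypair, file key = X25519(eph_priv,
    attacker_pub); eph_pub is stored with the file so the decryptor can recompute
    X25519(attacker_priv, eph_pub). Returns whether the two sides agree."""
    eph_priv, eph_pub = keypair()
    pub_in_memory = attacker_pub
    if corrupt:  # constructed stand-in for the bug: 4 bytes clobbered before the exchange
        pub_in_memory = b"\x00\x00\x00\x00" + attacker_pub[4:]
    encryptor_secret = x25519(eph_priv, pub_in_memory)   # keys the file cipher
    decryptor_secret = x25519(attacker_priv, eph_pub)    # all the decryptor can derive
    return encryptor_secret == decryptor_secret
```

With the corrupted key the encryptor's secret corresponds to a public key whose private half nobody holds, so even the attacker's own decryptor derives a different value and the file cipher key is lost.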
Supersize your passwords — you want fries with that?
Change Your Password Day arrived with a gentle nudge from an unlikely security evangelist: McDonald’s. Its Netherlands team warned customers that while burgers may be comforting, they make terrible passwords. Drawing on breach data from Have I Been Pwned, the chain noted that classics like “bigmac,” “happymeal,” and even creatively mangled versions such as Ch!ck3nMcN4gg€t$ appear with depressing frequency in compromised password lists. The message was blunt and slightly cheeky: you might be lovin’ it, but hackers are too.
The campaign pokes fun at the enduring belief that swapping letters for symbols equals security, a trick attackers mastered decades ago. And while security pros lean on passphrases, managers, and multi-factor authentication, most users still cling to flimsy passwords. Even younger users fare no better, according to Google. The takeaway: enjoy the fries, but stop using them to protect your accounts.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com.
We’re proud that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K helps cybersecurity professionals and organizations grow, learn, and stay ahead. We’re the nexus for discovering the people, tech, and ideas shaping the industry. Learn how at n2k.com.
N2K’s senior producer is Alice Carruth. Our producer is Liz Stokes. We’re mixed by Elliott Peltzman and Tré Hester, with original music by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.
