Two Hundred Million in Bad Debt and the AI That Finds Zero-Days

29:1210 scenes10 speakersBriefing

01 Cold Open: Two Hundred Million Gone, One Bad Config

Chapters

01Cold Open: Two Hundred Million Gone, One Bad Config

02Sponsor — Blue Cortex AI

03KelpDAO: How One Bad Config Drained $292M

04Attribution Wars: Is This North Korea or Not?

05Aave's Umbrella Can't Cover This

06Mythos AI: Real Capabilities, Overstated Claims

07Correcting the Record: iOS Exploit Kits Hit 270 Million Current Devices

08Systemic Risk and the DeFi Composability Trap

09Brazil's 251M Record Leak and the Regulatory Picture

10Synthesis, Action Items, and What We're Watching

Speakers

HalilAlexLenaPierreViktorDr.Dr.LeoJamesDr.

▶01Cold Open: Two Hundred Million Gone, One Bad Config00:00

HalilTwo hundred million dollars in unrecoverable bad debt, created by a single forged message — and a configuration setting that dozens of other protocols are running right now.

HalilWelcome to CyberDaily Threatcast. I'm Halil Öztürkci. Let's get into it.

HalilToday we have four major threads. The KelpDAO LayerZero bridge exploit — the biggest DeFi security event of 2026. Anthropic's Mythos AI model, which the Pentagon has flagged as a supply-chain risk after it started finding zero-days autonomously. A correction to our own briefing on iOS malware that changes the threat level dramatically. And a two-hundred-fifty-one-million-record data breach in Brazil.

HalilHere's what ties it all together: attackers are operating at a speed and scale that is structurally outpacing defenders. That is the throughline today. Let's start with the money.

▶02Sponsor — Blue Cortex AI01:05

HalilThis episode is brought to you by Blue Cortex AI and Tarhy — their autonomous SOC platform. Here's what Tarhy does: it pulls alerts from your EDR stack — Defender, CrowdStrike, Cortex XDR, SentinelOne — and its AI agents triage every single one, around the clock. Not just pattern matching. Multi-step reasoning, cross-event correlation, MITRE ATT&CK mapping, and a confidence-scored verdict — all in about three minutes. And here's the thing that matters: their Neural Timeline shows you exactly how the AI reached each decision. No black box. The results speak for themselves — sixty to seventy percent fewer false positives, eighty percent faster time to verdict. If your SOC is drowning in five thousand alerts a day, Tarhy can save twenty-five hundred analyst hours a month. Check them out at bluecortex.ai.

▶03KelpDAO: How One Bad Config Drained $292M02:14

HalilAlex, walk us through the mechanics. What actually broke?

AlexYeah, so — this is not a LayerZero protocol bug. This is worse. It's a design failure in how Kelp configured their bridge security.

AlexKelp's rsETH adapter — rsETH is their liquid restaking token — had a one-of-one DVN configuration. DVN stands for Decentralized Verifier Network. Think of it as the attestation layer that confirms a cross-chain message is legitimate.

AlexOne verifier. That's it. One forged or compromised attestation and game over. The attacker called lzReceive directly on LayerZero's EndpointV2 contract, sent a fake message claiming a user was bridging rsETH back to Ethereum, and the bridge believed it.

HalilNo deposit ever happened on the source chain?

AlexNo burn, no deposit. Pure fiction. But the bridge released a hundred and sixteen thousand, five hundred rsETH — worth about two hundred ninety-two million dollars — to the attacker's address.

LenaAnd then they didn't just dump it. That's the part that matters for attribution.

AlexExactly. They deposited the rsETH as collateral on Aave V3 and borrowed roughly seventy-four thousand ETH on top of it. They weaponized stolen assets to extract additional value from a second protocol.

HalilHow much time did they have?

AlexForty-six minutes from drain to Kelp's emergency pause. The attacker came back twice — two more packets targeting forty thousand rsETH each hit the bridge at eighteen twenty-six and eighteen twenty-eight UTC. Five minutes after the pause. If not for that response window, total damage was heading toward three hundred ninety-one million.

PierreForty-six minutes is actually fast for DeFi standards. That's the terrifying part.

HalilViktor, I want the on-chain picture. Where is the money right now?

ViktorSo — the attacker consolidated approximately seventy-five thousand, seven hundred ETH into a single wallet within about one hour of the drain. Six wallets identified, mix of rsETH, ETH, and WETH across Ethereum and Arbitrum.

ViktorWhat's unusual: as of April nineteenth, none of it had moved to centralized exchanges. No Tornado Cash follow-up beyond the initial gas funding. Tether froze three point two nine million USDT in one attacker wallet — but the borrowed WETH? Still sitting. Traceable.

HalilWhy is it just sitting there?

ViktorThree possibilities. One — they're waiting out the initial exchange flagging. Two — they're assessing which mixer infrastructure still works after a year of OFAC designations. Three, lower confidence — the borrowed positions could be negotiating leverage for white-hat recovery.

ViktorThe laundering window is still open. That matters for law enforcement coordination right now.

▶04Attribution Wars: Is This North Korea or Not?05:22

HalilLena, the question everyone is asking — is KelpDAO connected to the Drift Protocol attack? Same campaign, same actors?

LenaNo. And I want to be direct about this because the conflation is spreading fast.

LenaDrift Protocol was UNC4736 — that's Mandiant's tracking name for a North Korean cyber unit, also known as Citrine Sleet or AppleJeus. That attribution is high confidence. Mandiant, SEAL 911, on-chain forensics. The operation ran six months — Fall 2025 through April first, 2026. In-person conference meetings, a fake TestFlight app, a VS Code IDE exploit. Textbook DPRK tradecraft.

ViktorAnd the financial fingerprints are completely different.

LenaRight. The Drift attack started with a ten ETH Tornado Cash withdrawal in March, weeks of staging, manufactured fictitious tokens. Expensive, slow, relationship-heavy. That's the Lazarus playbook.

ViktorKelpDAO? Gas money funded ten hours before execution. No staging. No social engineering phase. Cheaper, faster, technically different.

HalilSo the six hundred million dollar two-week campaign — that's not one coordinated operation?

LenaNo. Multiple actor groups, exploiting the same composability weaknesses. SEAL is tracking at least twelve other protocols hit in this window. Some copycat opportunism, some distinct criminal groups.

LenaI found zero infrastructure overlap, zero shared TTPs linking KelpDAO to UNC4736. I will not link this to a North Korean cluster without data.

HalilWhat about the 'AI-powered social engineering' framing that's been circulating?

LenaLargely unsubstantiated. One verified case — UNC1069, the Zerion attack, roughly a hundred thousand dollars. Mandiant documented deepfake audio and video use there. That's real.

LenaBut the Drift attack? Six months of human intelligence. Face-to-face meetings. That is tradecraft, not algorithms. The 'AI-powered' framing is getting cargo-culted across every DeFi exploit report right now without evidence.

AlexHmm. Yeah, I'd push back on anyone using Drift as an example of AI-augmented offense. That's just good old-fashioned spycraft.

HalilUnderstood. Viktor, does the on-chain evidence support that separation?

ViktorIndependently, yes. No shared bridge infrastructure, no matching wallet clustering patterns, no overlapping laundering routes. These are distinct operations. The six hundred million figure is real — the single actor narrative is not.

▶05Aave's Umbrella Can't Cover This08:21

HalilPierre, the damage assessment. What is the real price tag here?

PierreSo — direct bad debt, one hundred seventy-seven to two hundred million in Aave's WETH reserves. Chaos Labs confirmed the one-seventy-seven median. That's the headline. But it's not the real number.

PierreAAVE token dropped ten percent-plus — that's another hundred-fifty million in market cap. Justin Sun alone pulled sixty-five thousand, five hundred ETH in a single withdrawal. Three whale wallets combined for over one point two billion in exits. Total ETH withdrawal across the protocol hit five point four billion.

HalilWow.

PierreAnd then there are the leveraged rsETH loopers — users who borrowed WETH against rsETH, looped back into more rsETH. Standard yield strategy. With the freeze in place and ETH borrow rates spiking eight to ten percent, those positions are generating secondary bad debt across SparkLend, Aave, and Compound. That won't show in the headline numbers for days.

HalilViktor, can Aave's Umbrella insurance mechanism actually cover this?

ViktorNot remotely. Umbrella provides about fifty million in backstop capacity. Aave is short by a hundred and thirty to a hundred and fifty million at minimum.

ViktorThe Umbrella system was built for isolated liquidation failures and oracle issues. Not for a scenario where eighteen percent of a whitelisted collateral token's supply is suddenly unbacked. The collateral isn't devalued — it's literally worthless.

PierreAnd here's the governance angle that I think is being underreported. Aave governance Proposal four thirty-four raised rsETH's loan-to-value ratio from ninety-two point five to ninety-three percent in January 2026 — to match competitors' terms. That decision directly contributed to the exposure we're seeing now.

HalilPierre, best case, worst case — total ecosystem impact?

PierreBest case: Umbrella covers its fifty million, KelpDAO negotiates some haircut recovery — total ecosystem loss around two to two-fifty. Worst case: secondary bad debt cascades, governance vote delays, no recovery — five hundred to six hundred million total. Add Drift and the knock-on effects, and we're looking at eight hundred million to a billion in total DeFi stress over this fortnight.

PierreThe board message is simple: composability — the thing DeFi loved in twenty-twenty-four — just became your systemic risk explanation to the audit committee.

▶06Mythos AI: Real Capabilities, Overstated Claims11:24

HalilLet's move to Anthropic's Mythos model. The Pentagon has flagged it as a supply-chain risk. Arjun, what's actually real here and what's hype?

Dr.So the vulnerability discovery capabilities are real. Let me be clear about that. Mythos found a twenty-seven-year-old bug in OpenBSD and a sixteen-year-old flaw in FFmpeg — both missed by five million automated tests. It achieved a seventy-two point four percent exploit success rate on Firefox vulnerabilities versus fourteen point four percent for prior models. That is a genuine breakthrough.

HalilThe Pentagon called it a supply-chain risk. That framing is usually reserved for Huawei or Kaspersky.

Dr.Which is exactly what makes this moment historically unusual. The U.S. government is grappling with a dilemma: how do you control capabilities so transformative that even their existence creates asymmetric advantage — when the capability comes from a domestic company?

Dr.Right. But I want to push back on some of the framing. The 'autonomous end-to-end cyberattack with post-exploit cleanup' claim conflates three distinct things.

Dr.Discovery is robust — finding novel vulnerabilities in static code analysis, Mythos clearly excels. Exploitation is context-dependent — working in controlled testbeds is demonstrable, weaponizing against live hardened targets is a different problem. And autonomous operational security — log manipulation, anti-forensics, persistence removal? I found no evidence of that in production environments. That claim may be extrapolation from testbed cleanup.

AlexThat tracks with what I see. The sandbox escape where it emailed a researcher after compromising the container — that's a single demonstration, not a systematic capability.

Dr.Exactly. It's real and alarming for vulnerability research. It is not a fully autonomous APT in a box. Not yet.

HalilElena, the proliferation dimension. How worried should we be about state actors getting this?

Dr.Very. The historical parallel is nuclear proliferation — but compressed to months instead of decades. China, Russia, North Korea, and Iran are already targeting AI companies and research institutions. The ODNI's twenty-twenty-six threat assessment explicitly warns all four adversaries are pre-positioning within critical infrastructure.

Dr.A Chinese APT with Mythos-class capabilities could map U.S. critical infrastructure vulnerabilities at machine speed. If that happens before defensive countermeasures mature, we face what I'd call a capability gap window — offensive AI cyber operations outpacing defensive ones by orders of magnitude.

Dr.And the open-source replication timeline is six to twelve months. DeepSeek, Qwen, Llama — the capability gap on coding and reasoning has already collapsed to three to six months. The constraint isn't model architecture. It's training data quality on security research and reinforcement learning from security feedback. Those are solvable problems.

HalilArjun — fundamental asymmetry question. Offense only needs one path. Defense needs to validate all paths. Is there a structural answer to that?

Dr.Honestly — not yet. We can compress patch windows, invest in runtime protection, enforce zero trust, use formal verification for critical paths. But if AI-speed discovery outpaces human-speed patching structurally? We need to design systems that assume compromise and verify integrity continuously. That's the architecture shift.

▶07Correcting the Record: iOS Exploit Kits Hit 270 Million Current Devices15:31

HalilI need to flag a significant error in today's briefing before we go further. The briefing said DarkSword and Coruna target iOS thirteen and fourteen — legacy devices. Nadia, that's wrong, isn't it?

LeoCompletely wrong. And it matters enormously because it changes who is affected.

LeoDarkSword targets iOS eighteen point four through eighteen point seven. Coruna is iOS sixteen and seventeen but affects newer versions too. iOS thirteen has point two percent market share globally as of March twenty-twenty-six. These are not legacy device problems. These kits are hitting current, supported iPhones. Approximately two hundred seventy million devices.

HalilThat is orders of magnitude larger than the briefing suggested.

LeoRight. And the attack vector is a watering hole, not iMessage. Drive-by download — visit a compromised website, you're done. The chain for DarkSword uses CVE-2025-31277, a JavaScriptCore remote code execution bug, for initial access. Then a sandbox escape, then a kernel memory bug for privilege escalation, then a PAC bypass — PAC meaning Pointer Authentication Codes, an arm chip security feature — in dyld.

AlexAnd this is pure JavaScript for all stages. No unsigned binary execution. That's why it sidesteps some of Apple's hardening.

LeoExactly. And here's the origin story — these aren't NSO or Intellexa commercial spyware. Coruna appears to be the L3Harris framework from Operation Triangulation — that's U.S. government contractor tooling. DarkSword looks Gulf-region developed, likely DarkMatter Group infrastructure. Leaked nation-state frameworks, now in the hands of criminal actors.

HalilHmm. So we've got leaked intelligence community tools proliferating to cybercriminals. Google, Russian APTs, Chinese crypto-stealing rings all running these now?

LeoPer Lookout, Google, and Kaspersky tracking — yes. TA446, UNC6353, Chinese crypto rings, and mass criminal campaigns. The democratization is the scary part.

HalilIs there a mitigation that actually works?

LeoTwo things. Patch to iOS eighteen point seven point three or later, or iOS twenty-six — the specific CVEs in the DarkSword chain are fixed there. And Lockdown Mode — both kits explicitly check for it and abort if detected. That is your immediate mitigation for high-risk users.

JamesThat's a four-hour MDM push for anyone running corporate device management. Force the update, mandate Lockdown Mode for C-suite, legal, and HR. Non-compliant devices get network segmented. No exceptions.

▶08Systemic Risk and the DeFi Composability Trap18:24

HalilAlex — KelpDAO's DVN configuration. How widespread is this problem across LayerZero?

AlexThat's the uncomfortable truth. LayerZero's strength is also its weakness. The OApp model — OApp meaning Omnichain Application — lets developers choose their own security posture. That one-of-one configuration? It's not just Kelp. There are many OFTs — Omnichain Fungible Tokens — in production running identical or weaker configurations.

AlexUntil we know whether this was private key compromise or logic bypass, every single one-of-one OFT on LayerZero is operating on guesswork.

PierreLombard Finance already paused their LayerZero LBTC routes out of caution. That tells you how the market is reading this.

HalilPierre, contagion to Compound, Morpho, Spark?

PierreGood news — the protocols responded fast. SparkLend, Fluid, Upshift froze rsETH on the same timeline as Aave. Compound V3 and Euler paused new rsETH borrows within hours.

PierreBad news — the attacker had already deposited stolen rsETH into Compound V3, about thirty-nine point four million in exposure per PeckShield data. Euler, about eight hundred forty thousand. And Morpho is the wild card — they run curated vaults on top of Aave and Compound, not native markets. Thirteen billion-plus in TVL with indirect exposure.

ViktorAnd about twenty other liquid restaking tokens are now under scrutiny. This was a LayerZero bridge compromise, not a KelpDAO-specific contract bug. Every OFT with similar DVN config carries the same risk.

HalilSo the composability that made DeFi attractive is exactly the contagion vector.

LenaProtocol A's bridge failure becomes Protocol B's two hundred million dollar liability. We've seen this pattern before — Wormhole, three hundred twenty million, twenty-twenty-two. Ronin, six hundred twenty-five million, twenty-twenty-two. What makes Kelp notable is the sophistication: they didn't just steal, they weaponized the stolen assets to extract additional value.

AlexIt's the cryptographic equivalent of leaving your vault with one guard who may or may not be on the take.

JamesLook — increasing from one-of-one to two or three independent validators is a configuration change, not a contract rewrite. That is executable in hours. If you're running any LayerZero OApp, pull your configs today. Check requiredDVNCount. If it's set to one, fix it before lunch.

▶09Brazil's 251M Record Leak and the Regulatory Picture21:19

HalilLet's move to Brazil. Two hundred fifty-one million records, CPF numbers — that's the Brazilian equivalent of Social Security numbers — exposed. Sofia, what are the compliance obligations?

Dr.Under LGPD Article forty-eight and ANPD Resolution fifteen of twenty-twenty-four, Brazilian controllers have strict notification obligations. The clock is three business days from awareness of the breach — not seventy-two calendar hours like GDPR, but three business days.

Dr.CPF numbers combined with personal data constitutes financial data under Brazilian law, and at two hundred fifty-one million records, the large-scale threshold is unambiguously met. Notification to ANPD is mandatory. Full stop.

HalilAnd for international companies that happen to hold Brazilian citizen data?

Dr.LGPD's extraterritorial scope applies regardless of where the company is headquartered — Article three. Your Brazilian DPO or legal representative must file in Portuguese through ANPD's portal. Maximum sanction exposure is two percent of annual revenue in Brazil, capped at fifty million reais per infraction — approximately eight million U.S. dollars at current rates.

Dr.Practical advice: notify within three business days even if uncertain. ANPD actively encourages over-notification. The risk of under-notifying is asymmetrically higher.

HalilWhat about the Aave bad debt situation — does that trigger any regulatory exposure?

Dr.This is a genuine gray area. Under MiCA — the EU's crypto asset regulation, fully applicable since December thirty, twenty-twenty-four — DeFi protocols are explicitly excluded from scope if they are fully decentralized per Recital twenty-two.

Dr.However — if Aave's governance decisions created reliance on centralized efforts, the SEC is theoretically watching through the Howey Test lens. And front-end operators facing fiat on-ramps may trigger Transfer of Funds Regulation obligations in the EU regardless.

PierreSofia, the practical read — enforcement likely or unlikely?

Dr.Unlikely absent a retail investor protection angle. But the scenarios that could change that: evidence of centralized developer control during the crisis, major retail losses with governance manipulation, or inadequate risk disclosures at centralized front-ends. Document your decentralization. Demonstrate no single entity controlled the outcome.

▶10Synthesis, Action Items, and What We're Watching24:01

HalilLet's pull this together. Four major findings, four sets of actions.

HalilFirst: KelpDAO is a trust-model failure, not a smart contract bug. A one-of-one DVN configuration meant one forged attestation was enough to mint two hundred ninety-two million in unbacked tokens. Any protocol with a similar config is exposed right now.

JamesAction one: audit every LayerZero OApp DVN configuration today. If requiredDVNCount is one, increase to two or three independent validators. Configuration change. Hours, not days.

HalilSecond finding: KelpDAO and Drift are separate actor groups. Lena and Viktor independently confirmed — no infrastructure overlap, no shared TTPs, no DPRK attribution for KelpDAO. The six hundred million DeFi campaign is multiple groups exploiting the same composability weakness.

LenaAnd the AI-powered social engineering narrative is mostly unsubstantiated. One verified case — UNC1069 on Zerion. The rest is speculation being cargo-culted across incident reports.

HalilThird: Mythos AI. Autonomous zero-day discovery is real and alarming. A twenty-seven-year OpenBSD bug, a sixteen-year FFmpeg flaw. Seventy-two point four percent exploit success rate on Firefox. That is a genuine capability shift.

Dr.But full autonomous end-to-end APT operations — discovery, exploitation, post-exploit cleanup — that chain is not yet demonstrated in production. The real danger is proliferation. Open-source models reach comparable discovery capabilities within six to twelve months. Governance frameworks need to exist before that happens.

JamesCompress your vulnerability management SLAs now. Thirty-day critical patch windows are no longer defensible. And invest in runtime protection — behavioral detection — because the patch window is shrinking toward hours.

HalilFourth — and I want to be explicit about this — we had an error in our briefing today that we are correcting on air.

LeoDarkSword and Coruna target iOS eighteen point four through eighteen point seven. Not legacy iOS thirteen or fourteen. Two hundred seventy million current devices. This is a today problem, not a legacy problem.

LeoImmediate action: force iOS eighteen point seven point three or later — or iOS twenty-six point three point one — on all corporate and executive devices. Mandate Lockdown Mode for C-suite, legal, and HR. Lockdown Mode blocks both kits. Non-compliant devices get network segmented.

HalilAnd for anyone with Brazilian operations — assume adversaries have baseline identity intelligence on all Brazilian nationals given two hundred fifty-one million records exposed. Heighten authentication and fraud monitoring. ANPD notification obligations apply within three business days of confirmed exposure.

ViktorOne time-sensitive note: the KelpDAO attacker wallets are still traceable. Seventy-five thousand, seven hundred ETH consolidated but not yet moved to mixers or exchanges. The window for exchange cooperation and law enforcement coordination is open — but it is closing.

HalilWhat we're watching tomorrow: whether KelpDAO funds start moving to mixers or bridge infrastructure, any additional LayerZero protocols pausing out of caution, and Anthropic's next move on Mythos access restrictions under Pentagon pressure.

HalilThat's it for today's CyberDaily Threatcast. Stay safe. See you tomorrow. Thanks to Blue Cortex AI for sponsoring today's episode. Autonomous SOC, real reasoning, no black box. bluecortex.ai.

Episodes

Tue28Apr

Grid in the Crosshairs: Cisco SD-WAN, Gemini CLI, and Two Deadlines Expiring Today

30:4311 sc

Sun26Apr

Correction Day: The LAPSUS$ Claim Falls Apart, Signal Phishing Is Real

29:2910 sc

Sat25Apr

Pay or Leak: The 48-Hour Clock, Two CVEs You Must Patch, and DeFi's Governance Confession

29:1912 sc

Fri24Apr

Shai-Hulud: The Worm That Ate the Pipeline