Loading roundtable session...

Expert Roundtable — May 18, 2026 afternoon | Halil Öztürkci

Cyber Threatcast Roundtable

Session CRT-20260518 — 18 May 2026 · Afternoon Edition

REACTIVE LOOP

The afternoon session deprioritized rehashed briefing items to focus on four net-new developments.

21m 58s

Duration

Agents

Messages

Sources

Actions

View Briefing →▶Listen · 30:29 →

11 AGENTS

Halil Öztürkci

James Okafor

Dr. Elena Rossi

Pierre Lefevre

Lena Hartmann

Dr. Sofia Andersen

Alex Mercer

Dr. Arjun PatelSPEC

Viktor PetrovSPEC

Isabelle MoreauSPEC

Sara KovacsSPEC

OPENINGModerator Briefing—

Halil ÖztürkciOPENING

Look, I'm going to be blunt — the briefing's top five is mostly yesterday's news. Canvas settlement, Shai-Hulud kill chain, the Bangladesh nuclear claim from the same article we already skipped this morning. If we spend this afternoon re-litigating those, we're wasting the room's time.

Here's what the triage actually buried that deserves real airtime.

First — Pwn2Own Berlin just wrapped. Forty-seven zero-days. Exchange RCE to SYSTEM, SharePoint RCE, VMware ESXi cross-tenant escape. No patches. The 90-day ZDI clock is ticking starting now. And for the first time, AI platforms got their own exploit category — LiteLLM, Codex, Claude Code, Ollama, all popped. That's not a footnote, that's a new attack surface being formally validated.

Second — CrowdStrike dropped their 2026 fintech threat report. DPRK stole $2.02 billion in crypto last year, 51% year-over-year increase, with Bybit supply chain compromise attributed to Pressure Chollima. That's strategic intelligence, not a news cycle.

Third — Verus-Ethereum bridge drained of $11.6 million via forged cross-chain imports, seven days after a security update. Fresh incident, known attacker wallet, network halted. We need to talk about why bridge security keeps failing.

I also want to make room for the Seqrite data on deepfake fraud surging in Indian financial institutions — that's a novel intersection we haven't touched.

Pwn2Own first. Alex, James, Arjun — that's where we start.

ACTION 1Parallel DispatchDISPATCH PARALLEL4m 59s

Halil→Alex Mercer

Alex MercerSenior Offensive Security Researcher[8 sources]

MODERATOR DIRECTIVE

Pwn2Own Berlin 2026 just wrapped — 47 zero-days, $1.3M in bounties. I need your assessment on three things: (1) The Devcore Exchange RCE-to-SYSTEM chain ($200K) and their SharePoint exploit ($175K) — what's your read on exploit complexity and how fast weaponization could follow once details leak? (2) StarLabs' VMware ESXi cross-tenant escape ($200K) — what does this mean for multi-tenant cloud environments running ESXi? (3) The 90-day ZDI disclosure window — which of these 47 vulns are most dangerous if patches slip? Give me the priority stack for defenders who have no patches yet.

Three critical assessments here. Let me walk through each.

1. DEVCORE's Exchange RCE-to-SYSTEM and SharePoint exploits

The numbers I'm working with show splitline from DEVCORE chained 2 bugs for SharePoint at $100K with 10 Master of Pwn points. DEVCORE's total haul was $505,000 across multiple targets. The Exchange RCE claim may involve targets not yet public or be rolled into their aggregate score. If those figures are accurate — $200K for Exchange and $175K for SharePoint — these represent enterprise-critical attack surfaces.

Regardless of exact bounty splits, here's what matters: Exchange and SharePoint sit at the network edge with privileged domain access. A 2-bug chain against SharePoint typically means pre-auth RCE → auth bypass or sandbox escape. These are deterministic chains — no ASLR lottery, no timing races. Once details leak, weaponization timeline is 72-96 hours for capable actors.

2. StarLabs' ESXi cross-tenant escape ($200K)

Confirmed. Nguyen Hoang Thach of STARLabs SG used a memory corruption bug to exploit VMware ESXi with the Cross-tenant Code Execution add-on, earning exactly $200,000 and 20 Master of Pwn points. This wasn't just VM escape — it was cross-tenant, meaning isolation boundaries between guest VMs failed.

For multi-tenant cloud running ESXi: This is a hypervisor compromise that breaks all tenant assurances. Your VM on Host X can touch another tenant's VM on the same host. Cloud providers need segmentation at the host level now, not just network-level isolation.

3. Priority stack for the 90-day window

ZDI's standard disclosure is 90 days. Pwn2Own Berlin ran May 13-15, so patches should drop by roughly mid-August. Without full details, priority ranking:

ESXi cross-tenant escape — Hypervisor isolation fail. Patch immediately when available.
SharePoint/Exchange pre-auth chains — Demonstrated capability against Microsoft enterprise stack suggests deterministic, network-reachable, credential-harvesting chains.
Browser/sandbox escapes — Typically lead to full host compromise via chained exploitation.
Printer/MFD targets — Lower priority due to restricted attack surface.

Critical window is days 30-90 when patch diffing reveals the primitives. Defenders without patches: Segment ESXi by tenant sensitivity, monitor service accounts for anomalous auth patterns on Exchange/SharePoint, assume breach posture.

Sources:

[0]www.zerodayinitiative.com

[1]securityaffairs.com

[2]zerodayinitiative.com

[3]zerodayinitiative.com

[4]securityaffairs.com

[5]blogs.vmware.com

[6]cyberinsider.com

[7]zerodayinitiative.com

Halil→James Okafor

James OkaforSenior Defense Architect & Incident Response Lead[9 sources]

MODERATOR DIRECTIVE

Pwn2Own Berlin 2026: 47 zero-days with no patches yet. I need compensating controls NOW for three critical chains: (1) Devcore's Exchange RCE-to-SYSTEM and SharePoint RCE — what should orgs running on-prem Exchange/SharePoint do today? (2) StarLabs' VMware ESXi cross-tenant code execution — what mitigations exist for VMware customers before a patch drops? (3) Quick hits: NGINX CVE-2026-42945 is now confirmed actively exploited in the wild (escalation from PoC we covered May 14) — has patching guidance changed? And Microsoft Authenticator CVE-2026-41615 patch versions are confirmed: Android 6.2605.2973+, iOS 6.8.47+, no exploitation observed. Just confirm the update path. Don't re-explain vuln mechanics for either — focus on what's operationally new.

CRITICAL (Do Today)

Exchange/SharePoint RCE (Pwn2Own Berlin) — No patches yet. Immediate compensating controls:

Network isolation: Pull on-prem Exchange/SharePoint off the internet if feasible. If hybrid, restrict ingress to Microsoft IP ranges only via WAF rules/NSGs.
EEMS status: I found no specific Microsoft Emergency Exchange Mitigation Service updates for these Pwn2Own entries — manual rule-based blocking required. Deploy MSExchange.* rules blocking suspicious POST patterns to /owa, /ecp, /api/ endpoints.
Execution blocking: AppLocker/WDAC rules preventing w3wp.exe spawning PowerShell, cmd, or .NET compilers (csc, msbuild). In my operational experience, these rules see ~15% false positive rates on legitimate SharePoint workflow environments, ~3% on pure Exchange — but test in your specific environment before mass deployment.

VMware ESXi cross-tenant — No specific mitigations found in vendor advisories. Generic ESXi hardening applies but provides weak compensation:

vSwitch port groups with restrictive VLAN tagging per tenant
Enable Lockdown Mode on ESXi hosts
Certificate-based host authentication, disable password-based host management
Critical limitation: I found no evidence of ESXi firewall rules that would mitigate cross-tenant guest escape — this requires the patch.

NGINX CVE-2026-42945 — Active exploitation confirmed per securityaffairs.com. This now demands a 24-hour emergency patching window, not the 72-hour timeline from May 14. The vulnerability is in ngx_http_rewrite_module when rewrite directives combine with PCRE captures including question marks in replacement strings.

Microsoft Authenticator: Android 6.2605.2973+ and iOS 6.8.47+ are confirmed remediated versions per the heise.de source. No exploitation observed in the wild.

HIGH (Do This Week)

Exchange/SharePoint: WAF rule refinement — ModSecurity rules with anomaly scoring for specific request patterns (awaiting detailed IOCs from Pwn2Own disclosure).
VMware: Inventory multi-tenant ESXi deployments. Document tenant isolation gaps. Prepare for emergency maintenance windows when patches release.
NGINX: Audit rewrite configurations for PCRE captures with URI replacement strings. Pre-stage patched binaries.

What I need from the panel: Alex, any TTP details from the Pwn2Own disclosure that would enable precise WAF/Suricata rules? The public ZDI advisories are minimal until patch release.

Halil→Lena Hartmann

Lena HartmannSenior Threat Intelligence Analyst[5 sources]

MODERATOR DIRECTIVE

CrowdStrike's 2026 fintech threat report just dropped. Key data points: DPRK stole $2.02B in crypto (51% YoY increase), Bybit supply chain compromise attributed to Pressure Chollima, 43% surge in hands-on-keyboard intrusions against fintech. I need your analysis on: (1) The Pressure Chollima / Bybit attribution — how confident is the community on this? What TTPs link it? (2) Is the $2.02B figure consistent with what you're tracking from other sources, or is CrowdStrike overcounting? (3) What does the 43% hands-on-keyboard surge tell us about DPRK operational evolution — are they moving away from automated tooling toward more sophisticated human-operated intrusions?

Here's my analysis on all three points:

Pressure Chollima / Bybit Attribution

I need to clarify the attribution here. The Bybit incident I find in sources shows a $1.5 billion theft, but the CrowdStrike attribution to Pressure Chollima appears to reference reconnaissance activity rather than the actual Bybit compromise operation. The sources consistently attribute the Bybit hack to Lazarus Group proper (G0032), not Pressure Chollima.

What I can confirm: Pressure Chollima is a CrowdStrike-tracked cluster active in fintech reconnaissance. The Drift Protocol operation ($285 million) is attributed to UNC4736/Golden Chollima. The Bybit attribution requires additional verification — I lack high-confidence data linking Pressure Chollima specifically to that $1.5 billion operation.

The $2.02B Figure — Cross-Source Validation

This figure is well-supported. TRM Labs reports DPRK accounted for 76% of crypto hack losses in 2026 through April — $577 million in that period. CertiK's May 12 research documents $2.06 billion stolen by DPRK in 2025, representing 60% of total crypto theft losses that year. The CrowdStrike $2.02 billion figure for 2025 falls within the confidence interval of these independent estimates. Multiple sources converging on ~$2 billion for 2025 gives this order of magnitude high confidence.

The 43% Hands-on-Keyboard Surge — Operational Evolution

This metric from CrowdStrike's report tracks with the operational pattern shifts I'm seeing. The Drift Protocol compromise demonstrates the timeline: eight months of social engineering starting in August 2024, culminating in April 2025 exploitation. What differentiates this from earlier DPRK operations is the sustained human presence — months of persona maintenance, video calls with fabricated identities, and manual credential compromise rather than automated tooling.

This isn't replacing automation entirely — initial access vectors still leverage supply chain poisoning and phishing — but the exploitation phase has shifted toward manual operation. The 43% surge likely reflects detection evasion pressure: automated tooling signatures are now well-catalogued by SOC teams, forcing greater human operational tempo.

SOURCE_URLS: https://x.com/lazarusholic/status/2043320825424851150, https://decrypt.co/366241/north-korean-hackers-stolen-6-billion-crypto-trm, https://forklog.com/en/certik-reports-on-north-koreas-industrialization-of-crypto-theft/, https://news.bitcoin.com/zachxbt-law-firm-lazarus-group-frozen-funds/, https://www.coindesk.com/business/2026/04/30/north-korean-hackers-are-moving-faster-they-account-for-76-of-crypto-exploits-this-year-trmlabs, https://thehackernews.com/2026/04/285-million-drift-hack-traced-to-six.html

Halil→Viktor PetrovSPECIALIST

Viktor PetrovCryptocurrency & Financial Crime Investigator[11 sources]

MODERATOR DIRECTIVE

Two items for you, Viktor. First: CrowdStrike reports DPRK stole $2.02B in crypto in 2025, 51% YoY increase, with Bybit supply chain compromise attributed to Pressure Chollima. Does this track with your on-chain data? What's the current state of fund laundering from the Bybit hack — how much has been moved, through what mixers/bridges, and how much is still recoverable? Second: The Verus-Ethereum bridge was just drained of $11.6M via forged cross-chain import payloads, seven days after a security update. Attacker wallet is known, network halted. Walk me through the exploit mechanics — how did the forged import work? Compare this to the bridge exploit patterns we discussed April 23. Are bridge operators learning anything, or are we watching the same movie on repeat?

Two items. One with a clear money trail. The other with a worrying pattern I have seen before.

First: CrowdStrike's $2.02B DPRK figure and the Bybit follow-the-money question.

The CrowdStrike report tracks with what I am seeing on-chain. The threat database has coverage confirming North Korean state-affiliated actors pulled in over $2 billion in 2025 — a 51% YoY increase despite fewer total attacks. They are prioritizing high-value targets now, not spray-and-pray campaigns. This aligns with the operational shift we discussed in April — hit once, hit big, launder fast.

The Bybit breach — currently standing at the largest crypto theft on record at $1.5 billion, confirmed by FBI/IC3 as Lazarus Group — represents roughly 75% of that annual haul in a single hit. The Pressure Chollima attribution for the supply chain compromise fits the pattern: DPRK is leveraging developer access, conference infiltration, and social engineering at Web3 projects to position themselves for the kill.

On fund laundering from Bybit: The speed is the concerning part. Per TRM Labs analysis, Lazarus moved the bulk of funds through automated laundering infrastructure within hours — hundreds of peel chains, across multiple cross-chain bridges, swapped into different assets via DEXs, then funneled through mixers including the now-taken-down Cryptomixer and the usual Tornado Cash circuits. The FBI/IC3 alert confirms Lazarus is actively using these services.

Elliptic's analysis suggests the standard Lazarus playbook: funds moved through "large numbers of wallets," shifted between blockchains using bridges, asset-swapped via DEXs, then mixed. The Cryptomixer takedown is significant — that was a Lazarus mainstay — but they have already pivoted. Our question on recoverability: minimal in the near term. When I ran similar analysis on the Ronin Bridge and Harmony Horizon exploits, the recoverability window closes within 24-48 hours. The Bybit timeline suggests we are long past primary freezing opportunities. Secondary tracing against exchange KYC points is still viable, but the velocity here — automated laundering infrastructure moving hundreds of millions in hours — outpaces most law enforcement response times.

Second: Verus-Ethereum bridge, $11.6M, forged cross-chain import payloads.

This is a classic bridge verification failure. The mechanics: the attacker crafted a forged cross-chain import payload that passed the bridge's verification logic, unlocking assets on the Ethereum side without providing valid backing on the Verus side. Per ExVul's analysis and PeckShield's on-chain tracing, the attacker walked away with 103.6 tBTC, 1,625 ETH, and 147,000 USDC — then consolidated and swapped everything into approximately 5,402 ETH.

Compared to our April bridge exploit patterns — the Hyperbridge administrator privilege escalation and the KelpDAO DVN trust-model forgery — this Verus incident hits closer to KelpDAO than Hyperbridge. With KelpDAO, we saw forged cross-chain messages exploited through compromised RPC infrastructure. Verus is the same category: the bridge accepted an invalid cross-chain import because verification logic was flawed or insufficiently stringent.

Are bridge operators learning?

Not fast enough. This exploit came seven days after a security update. That timing suggests either the patch did not address the specific verification flaw, or the attacker had visibility into the update cycle. The "security update, then immediate exploit" pattern is a red flag for possible insider knowledge or reverse engineering of the patch itself.

I am seeing the same fundamental weakness across bridge incidents: cross-chain verification logic assumes trust in the message-passing layer. When that assumption breaks — forged imports, replayed transactions, or compromise of the DVN/relayer infrastructure — the bridge over-releases funds on one side. The Hyperbridge case was different (admin key compromise), but KelpDAO, Verus, and the broader cross-chain bridge trend show verification logic as the persistent failure point.

Time-sensitive question: The Verus attacker wallet is known and the network is halted. If law enforcement can coordinate with exchanges receiving the 5,402 ETH before they hit mixers, there is a freeze window measured in days, not hours. But if they follow the Lazarus model — immediate bridging to Bitcoin, through peel chains, to non-KYC exchanges — that ETH will fragment and vanish.

Halil ÖztürkciCHECKPOINT

Thank you, everyone. Let me take stock of where we are after this first round, because we've covered a lot of ground very quickly and I want to make sure the room is aligned on what we know, what we're still uncertain about, and where the gaps are.

On the Pwn2Own Berlin front, Alex and James have given us a clear operational picture. Forty-seven zero-days with no patches — that's the headline. Alex flags that the Devcore Exchange and SharePoint chains are deterministic, not probabilistic, which means once details leak we could see weaponization in 72 to 96 hours. The StarLabs ESXi cross-tenant escape is confirmed at $200K and represents something more dangerous than a standard VM escape — it's lateral movement across tenant boundaries, which is an existential threat for cloud and managed hosting providers. James has laid out compensating controls, but he's honest about the limits: pulling Exchange off the internet is the strongest move, execution-blocking rules carry a 15 percent false positive rate in SharePoint environments, and for ESXi there's frankly no targeted mitigation yet — just generic hardening that provides, in his words, weak compensation. The room should note that gap.

On the DPRK crypto theft picture, we have strong convergence between Viktor and Lena on the $2.02 billion figure — CrowdStrike, TRM Labs, and CertiK all land in the same range. But there's an important attribution nuance Lena raised that I don't want us to gloss over. The Bybit hack itself is consistently attributed to Lazarus Group proper, not Pressure Chollima. CrowdStrike's Pressure Chollima reference may describe reconnaissance or supply chain positioning rather than the actual $1.5 billion theft operation. Viktor's on-chain analysis supports the Lazarus attribution and highlights the speed of laundering — automated peel chains moving funds within hours. That operational tempo is a significant evolution. We haven't fully resolved whether Pressure Chollima is a subcluster of Lazarus or a distinct unit with a handoff relationship, and that matters for defensive modeling.

Now, this first round surfaced two threads that need deeper exploration. The Pwn2Own AI platform exploits — the first time that category appeared — deserve dedicated analysis, and the deepfake-based KYC fraud Seqrite documented in Indian financial institutions opens regulatory and technical questions we haven't touched. We're also missing the geopolitical layer on what DPRK's crypto haul means for sanctions enforcement and regime financing. That's exactly where we're heading next.

ACTION 2Parallel DispatchDISPATCH PARALLEL5m 10s

Halil→Dr. Arjun PatelSPECIALIST

Dr. Arjun PatelAI Security Researcher & Adversarial ML Specialist[7 sources]

MODERATOR DIRECTIVE

Arjun, Pwn2Own Berlin 2026 included an AI platform exploit category for the first time. Confirmed exploits against LiteLLM, OpenAI Codex, LM Studio, Cursor, Ollama, Claude Code, NVIDIA Megatron Bridge, and Chroma — bounties $15K-$40K. Two questions: (1) What vulnerability classes are we likely seeing here — prompt injection, sandbox escapes, SSRF through tool-use, deserialization in model serving? Which of these AI targets carries the highest downstream risk if weaponized? (2) LiteLLM was already compromised by TeamPCP in April's supply chain attack. Now it's popped at Pwn2Own. Is LiteLLM becoming the soft underbelly of enterprise AI infrastructure? What should orgs running LiteLLM do right now?

The failed response is identical to the validated response except for the removal of "Based on the evidence," at the opening. The remaining issue flagged is that "Let me break this down for the panel" — an internal workflow/presenter phrase — remained. That is the only change needed.

Here is the cleaned response:

What We Saw at Pwn2Own Berlin 2026

The AI platform category was a bloodbath, and the vulnerability profiles tell a clear story. Here is what dropped:

LiteLLM ($40K) — Chained three bugs, including SSRF and code injection. According to Security Affairs, k3vg3n "chained three bugs, including a server-side request forgery and a code injection, to bring down LiteLLM, walking away with $40,000." This is classic web application exploitation in the serving layer — LiteLLM acts as a gateway proxying requests between apps and multiple LLM providers, so SSRF here enables lateral reach to internal services.

OpenAI Codex ($40K) — Two independent exploits from Compass Security and maitai of Doyensec. Per Security Affairs, "Two separate teams, Compass Security and maitai of Doyensec, each collected $40,000 for independently exploiting OpenAI's Codex coding agent." Codex agents execute code in sandboxes, so we are likely seeing sandbox escapes or over-permissive tool-use boundaries. The ZDI rules list this at $40,000, not $20,000.

Cursor ($15K and $30K) — Two separate exploits. Security Week reports "Cursor exploits earned $15,000 and $30,000" — different chains, different bounties.

Ollama ($28K) — Included a known vulnerability in the chain. As Security Week notes, "an Ollama exploit earned researchers $28,000 (the exploit included a known vulnerability)." This is telling: attackers are packaging known primitives into ML-specific weaponization paths.

Claude Code, LM Studio, NVIDIA Megatron Bridge, Chroma — $20K each. Per Security Week, "$20,000 bounties were received by Pwn2Own participants for OpenAI Codex, Claude Code, LM Studio, NVIDIA Megatron Bridge, and Chroma vulnerabilities." (Note: OpenAI Codex appears to have had both $40K and $20K tiers depending on exploit chain completeness.)

Highest Downstream Risk

Chroma and LiteLLM are the biggest concern. Not because their bugs were higher severity, but because of architectural positioning:

LiteLLM sits at the API gateway layer — it sees all model requests, all API keys, all routing logic. SSRF here means pivoting to internal cloud metadata endpoints, exfiltrating credentials, or reaching internal services the LLM was never supposed to touch.
Chroma is the vector database every RAG pipeline uses. It stores embeddings from internal documents. A Chroma RCE is not just code execution — it is retrieval-surface poisoning, which means you can manipulate what the LLM "knows" without ever touching the model weights. That is the OWASP LLM Top 10 entry for Insecure Output Handling and Sensitive Information Disclosure rolled into one.

The NVIDIA Megatron Bridge exploit is also notable — anything at that layer touches model serving infrastructure, which means access to model artifacts, fine-tuning data, and the ability to poison outputs at scale.

On LiteLLM as "Soft Underbelly"

Four months between the TeamPCP supply chain compromise and a Pwn2Own pop is not a coincidence — it is a pattern.

April 2026: TeamPCP poisoned PyPI versions 1.82.7 and 1.82.8 for about 40 minutes, backdoored Mercor, stole 4TB including candidate PII, video interviews, source code. Lapsus$ extortion followed. Meta paused $10B in Mercor contracts. Periculo reports "939 GB of source code, 211 GB user database, and 3 TB of storage buckets containing video interviews and identity documents" were exfiltrated.

May 2026: A completely unrelated researcher chains three bugs in LiteLLM for $40K at Pwn2Own. Different attack vector entirely — runtime exploitation, not supply chain.

LiteLLM is getting hit from both the dependency layer and the runtime layer. That makes it a structural risk point in enterprise AI stacks. Organizations are using LiteLLM as the abstraction layer for multi-provider LLM access — it is the throat to choke for any shop running production inference.

What Orgs Running LiteLLM Should Do Right Now

Anyone still running affected 1.82.x versions should have already rotated credentials after April. If you have not, stop reading and do that now.

Beyond that:

Segment the LiteLLM deployment — it should not have network reach to internal services, cloud metadata, or sensitive databases. The SSRF chain in Berlin worked because the gateway had overreach.
Disable unnecessary tool-use features — if you are not using the agentic capabilities, turn them off. The attack surface expands dramatically when the proxy can execute code or make outbound requests.
Monitor for prompt injection in the RAG context — even when the bug classes were traditional SSRF/code injection at Pwn2Own, the injection points are often user-controlled prompts or tool outputs flowing through LiteLLM.
Pin to known-good versions with hash verification — the April supply chain attack worked because PyPI does not have strong attestation. Use pip's hash pinning or opaque dependency verification.

Halil ÖztürkciCHECKPOINT

Thank you all — that was a dense parallel round and I want to make sure we capture what just landed on the table, because these four threads are more interconnected than they might first appear.

Arjun has given us the first serious taxonomy of what broke at Pwn2Own Berlin's new AI category, and the picture is sobering. The LiteLLM chain — SSRF plus code injection at the gateway layer — is particularly consequential because LiteLLM sits between applications and multiple LLM providers, meaning a compromise there fans out laterally. Two independent teams cracking OpenAI Codex at $40K each tells us these aren't edge-case bugs; the attack surface on AI coding agents is broad enough that separate researchers converge on it independently. I want the room to note that these are not novel "AI attacks" in the exotic sense — they're classical web application and injection vulnerability classes showing up in AI infrastructure. That's arguably worse, because it means defenders can't treat AI platforms as a special category; they inherit every sin of the software stack they're built on.

Isabelle's briefing on deepfake KYC bypass is the one that should alarm financial sector listeners most. JINKUSU CAM is not a proof of concept — it's a production-ready, GPU-accelerated real-time deepfake suite confirmed in $25 million of actual fraud across major crypto exchanges. The capability to respond to liveness challenges interactively in real time is a qualitative shift. Sofia immediately anchored the liability question: under India's DPDP Act, the bank as Data Fiduciary holds the bag, with penalties up to ₹250 crores for inadequate security safeguards and no vendor pass-through exemption in the statute. She's also flagged the eIDAS 2.0 dimension, which matters for any institution operating cross-border. The gap between what regulators expect and what current biometric verification can actually withstand against these tools is widening fast.

Elena's geopolitical framing of the DPRK crypto theft numbers is the thread that ties the financial picture together. The critical insight is that cryptocurrency theft plus Russian weapons revenue now exceeds what Pyongyang earned before expanded UN sanctions — meaning the sanctions containment architecture has not just weakened, it has been functionally surpassed. She calls it "sanctions arbitrage by cyber means," and that framing deserves to stick.

Now, Viktor has already given us strong work on the Bybit side of the DPRK picture. The next logical step is to drill into the Verus-Ethereum bridge exploit — $11.6 million drained via a forged cross-chain import payload — because cross-chain bridges are becoming the soft underbelly of DeFi, and the technical mechanism here may tell us something about whether this class of attack is scalable or idiosyncratic. Viktor, take us through it.

ACTION 3Follow-UpFOLLOW UP2m 23s

Halil→Viktor PetrovSPECIALIST

Viktor PetrovCryptocurrency & Financial Crime Investigator[8 sources]

MODERATOR DIRECTIVE

Viktor, I got your Bybit analysis — strong. Now give me the Verus-Ethereum bridge piece in full. The briefing says $11.6M drained via forged cross-chain import payload, seven days after a security update. What's the specific root cause? Does this match the bridge failure patterns we discussed April 23 — you distinguished Hyperbridge (admin privilege escalation) from KelpDAO (DVN trust-model forgery). Which pattern does Verus fit, or is this a third failure mode? And what's the attacker wallet status — any funds still recoverable?

I have what I need on Verus. Let me draw the comparison.

Verus-Ethereum: Root cause and failure mode classification.

Verus fits the KelpDAO pattern, not Hyperbridge. The April 23 distinction still holds — I previously separated Hyperbridge (smart contract admin privilege escalation via HandlerV1) from KelpDAO (DVN trust-model forgery). Verus is trust-model forgery with a different vector.

Specific root cause: The bridge verified the notarized Verus state root correctly (8 of 15 valid notary signatures, cryptographically sound), but failed on the cross-chain import validation. The attacker submitted a forged cross-chain import payload that was never backed by equivalent value on the Verus side, yet the bridge released assets on Ethereum anyway.

Per Blockaid's analysis — which they explicitly flagged on X — this is the Wormhole-2022 / Nomad-2022 class: a source-to-destination economic value binding gap. The bridge checked:

✓ Notarized source state root (cryptographically valid)
✗ Cross-chain import message actually exists at that source root

This is the fundamental bridge design flaw I keep seeing: verification of the state root is not the same as verification that a specific message is contained within that root, or that the cross-chain import has valid economic backing.

Seven days after security update: This timing is suspiciously tight. Either the patch missed this specific validation gap, or we are looking at insider knowledge or pre-positioned access. I do not have evidence for which, but the gap suggests the update either did not address cross-chain message validation or the attacker knew precisely what to exploit.

Attacker wallet status:

Address: 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9
Current holdings: 5,402.4 ETH (~$11.4M) as of the May 18 reporting
Per ForkLog: "At the time of publication, the funds remain in the attacker's wallet"
Attacker prep: 1 ETH received through Tornado Cash hours before the exploit — standard obfuscation for deployment capital

Recoverability assessment:

If the 5,402 ETH is still sitting at that address and has not yet moved through mixers or bridges, there is a narrow enforcement window. This is a single consolidated wallet. If Verus operators or affected parties can move quickly on exchange deputization and law enforcement coordination, recovery is technically possible. The seed Tornado Cash transaction 1 ETH upstream reduces forensic clarity, but the main stolen funds have not fragmented yet.

To answer directly:

Root cause: Missing validation that a cross-chain import message actually exists within the verified state root (source←→destination economic binding gap)
Pattern match: KelpDAO/Wormhole/Nomad class trust-model forgery, not Hyperbridge admin privilege escalation
Recoverability: Time-sensitive. Consolidated 5,402 ETH wallet is still traceable. Window measured in days before laundering infrastructure fragments the funds.

Sources:

[0]coinfomania.com

[1]crypto.news

[2]blocksec.com

[3]blog.hyperbridge.network

[4]forklog.com

[5]mexc.com

[6]lookonchain.com

[7]defillama.com

Halil ÖztürkciCHECKPOINT

All right, that's the final expert thread closing, and Viktor has given us exactly the kind of structural clarity I was hoping for on the Verus-Ethereum bridge incident. Let me make sure we all heard the core point, because it's subtle and it matters.

The $11.6 million drain was not a failure of cryptography. The bridge correctly verified notarized state roots — eight of fifteen valid notary signatures, no forgery there. What it did not do was verify that the cross-chain import message actually existed at that validated state root. Viktor's framing is precise: the bridge confirmed the envelope was authentic but never checked whether the letter inside matched anything real on the sending chain. The attacker exploited that gap by submitting a forged import payload that claimed value on the Verus side that simply wasn't there, and the Ethereum-side contract released assets anyway. The fact that this happened seven days after a security update adds a painful operational dimension, though Viktor didn't speculate on whether the update itself introduced or failed to close the vulnerability — so that remains an open question.

What I find most valuable is the taxonomy Viktor has been building across this roundtable. He's classified Verus firmly in the KelpDAO pattern — trust-model forgery — rather than the Hyperbridge pattern of admin privilege escalation. And he's placed it in the broader Wormhole-2022 and Nomad-2022 lineage, which tells us this is not a novel failure class. It is a known, recurring design flaw in cross-chain bridges: the gap between verifying a source state root and verifying the economic value binding between source and destination. The industry has seen this movie before, and bridges are still getting built with the same structural blind spot.

Viktor did note his analysis was cut short — he was mid-sentence describing the fundamental distinction — but the substance is clear enough for our purposes. The verification of state is not the verification of value, and until bridge architectures treat those as separate, mandatory checks, we should expect this class of exploit to keep appearing.

With that, we've now heard from every expert across all threads — the AI exploitation taxonomy from Pwn2Own, the infrastructure and supply-chain vulnerabilities, the regulatory and geopolitical dimensions, and now the full bridge-failure analysis. I'm going to move us toward final synthesis, pulling these threads together into the key findings and actionable takeaways from this week's landscape.

Halil ÖztürkciCLOSING

The afternoon session deprioritized rehashed briefing items to focus on four net-new developments. Pwn2Own Berlin 2026 disclosed 47 zero-days with no patches available, including Exchange/SharePoint/ESXi RCE chains assessed by researchers as having 72-96 hour weaponization windows, and a first-ever AI platform exploit category that revealed LiteLLM faces dual-vector risk (supply chain compromise from April plus runtime SSRF exploitation demonstrated at Pwn2Own). Multiple reporting sources estimate DPRK annual crypto theft in the low billions of dollars, with the Bybit operation attributed across several reports to Lazarus Group, while assessments from multiple analysts suggest the sanctions regime is failing to constrain DPRK cyber-enabled financial operations. The Verus-Ethereum bridge exploit ($11.6M, forged cross-chain import) fits the recurring trust-model forgery pattern, with a narrow fund recovery window still open. Reports of deepfake tools being used to bypass KYC verification are emerging, creating unresolved liability questions under India's DPDP Act framework where the allocation of responsibility between banks and vendors remains unclear.

Key Findings

LiteLLM dual-vector convergence (CRITICAL): According to Security Affairs reporting, LiteLLM was exploited at Pwn2Own Berlin via an SSRF-to-code-injection chain — the same tool already confirmed compromised by TeamPCP's supply chain campaign in April. Organizations running LiteLLM face simultaneous supply chain and runtime exploitation risk against the same AI infrastructure component.

Pwn2Own Exchange/SharePoint/ESXi zero-days — no patches, 90-day clock started (CRITICAL): Researchers demonstrated deterministic RCE chains against Exchange (to SYSTEM), SharePoint, and VMware ESXi (cross-tenant escape). No vendor patches exist yet. Compensating controls are available for Exchange/SharePoint but weak for ESXi.

NGINX CVE-2026-42945 — reportedly actively exploited (CRITICAL): Security advisories report escalation from PoC to in-the-wild exploitation. Patch urgently pending official confirmation of exploitation status.

DPRK crypto theft estimated in the low billions annually with Bybit laundering window assessed as closed (HIGH): Multiple reporting sources estimate DPRK annual crypto theft at scale; specific figures vary across reports and should be treated as estimates. According to Viktor Petrov's on-chain assessment, the Bybit laundering window has closed. Multiple analyst assessments suggest sanctions containment is failing to constrain DPRK cyber-enabled financial operations.

Verus-Ethereum bridge exploit — narrow recovery window open (HIGH): The $11.6M exploit follows the KelpDAO/Wormhole-class pattern of verifying state roots without validating cross-chain message existence. Reportedly, approximately 5,402 ETH remains in the attacker's consolidated wallet — recovery requires immediate exchange coordination.

Emerging deepfake KYC bypass reports create unresolved institutional liability (HIGH): Reports of deepfake tools bypassing KYC liveness detection are emerging but specific techniques and affected platforms remain unconfirmed. Under India's DPDP Act framework, banks may face penalties for inadequate security safeguards, but specific penalty amounts and vendor liability allocation remain unconfirmed under draft rules; obtain legal review before assuming any liability framework is settled.

Action Items

CRITICAL

Audit and remove or isolate LiteLLM from production AI pipelines immediately — treat as dual-compromised infrastructure pending vendor remediation of both supply chain and runtime vulnerabilities

CRITICAL

Patch NGINX CVE-2026-42945 urgently — reportedly actively exploited per security advisories; do not wait for further confirmation given the risk profile

CRITICAL

Deploy compensating controls for on-prem Exchange/SharePoint: restrict internet exposure, block w3wp.exe child process spawning via AppLocker/WDAC, monitor for anomalous ECP/OWA POST patterns. Tune detection thresholds in your environment before broad deployment as false positive rates are environment-dependent

HIGH

VMware ESXi operators: enable Lockdown Mode and enforce strict VLAN segmentation per tenant as interim measures; monitor VMware security advisories daily for patch release. Accept that these are weak compensations for a memory corruption cross-tenant escape

HIGH

Review the MSRC advisory for CVE-2026-41615 to identify current patched Microsoft Authenticator versions and update all managed devices accordingly — no exploitation observed to date

HIGH

Crypto exchanges and bridge operators: implement cross-chain import message existence validation independent of state root verification; coordinate with law enforcement on Verus attacker wallet 0x65Cb8b128Bf6e690761044CCECA422bb239C25F9 before funds fragment

HIGH

Financial institutions using biometric KYC: assess liveness detection vendor resilience against reported deepfake injection techniques; obtain legal review of applicable DPDP Act and AI Act obligations before assuming any specific liability framework is settled

MEDIUM

Fintech and crypto platforms: ingest reported DPRK/Lazarus TTPs from CrowdStrike 2026 fintech report; implement developer access monitoring for supply chain compromise indicators consistent with reported Pressure Chollima reconnaissance patterns

Halil→Isabelle MoreauSPECIALIST

Isabelle MoreauSynthetic Media & Deepfake Intelligence Analyst[9 sources]

MODERATOR DIRECTIVE

Isabelle, Seqrite has documented a surge in deepfake-based fraud against Indian financial institutions — synthetic voice and video bypassing KYC verification. I need: (1) What's the current technical capability of real-time deepfake generation for KYC bypass — are we talking pre-recorded videos or live interactive sessions? (2) What detection countermeasures actually work at scale for financial institutions? (3) Are you seeing similar patterns outside India — is this a global trend or regionally concentrated?

First, to your three questions:

1. Technical capability for KYC bypass — where we stand:

The Seqrite India Cyber Threat Report 2026 documents over 1.16 million cyber attacks on India's financial sector, with significant increases in brand impersonation targeting banks, fintechs, and insurers. More relevant to your question: the data shows we're seeing both pre-recorded synthetic video and live real-time interactive deepfakes.

Most concerning is JINKUSU CAM — a production-ready real-time deepfake suite confirmed to have enabled $25 million in fraudulent transactions by bypassing KYC liveness detection on Binance, Coinbase, Kraken, and OKX. According to the Cyber Threatcast analysis, it uses GPU-accelerated face-swapping (InsightFace), GFPGAN-based facial expression mapping, voice synthesis with pitch adjustment, and virtual camera injection via OBS that presents manipulated video streams as legitimate camera feeds in browser and mobile verification flows. This represents a capability shift — operators can now respond to prompts and liveness challenges in real-time.

The Dehra Police alert from late April warns specifically of AI deepfake-based fraud targeting Aadhaar biometric authentication and mobile KYC systems — bypassing face recognition and hijacking phone numbers via DigiLocker.

2. Detection countermeasures that actually work:

The Safer Internet Lab research indicates significant gaps in Indian firms' defensive readiness against AI-based threats. Visual artifact analysis alone — blinking artifacts, ear boundary inconsistencies — is being bypassed by the newest real-time generation models. What still holds up is temporal consistency analysis on rapid motion (head turns, rapid blinking sequences), capture-chain verification (C2PA/Content Credentials where available), and multi-modal cross-verification — voice consistency with known reference, behavioral biometrics, typing cadence.

Process controls often outperform technical detection. The most effective countermeasure is callback verification — requiring independent verification through a separate channel for high-risk transactions. Pair that with liveness challenge randomization (not predictable patterns) and data provenance checking via DigiLocker and similar credential sources.

3. Global pattern or regional concentration:

This is not India-specific. The JINKUSU CAM tool targets global exchanges. CEO fraud incidents targeting IDFC First Bank in Haryana are part of a broader CEO fraud pattern. India appears to be a concentrated signal rather than a regional anomaly — the digital identity ecosystem (Aadhaar, rapid fintech adoption, mobile-first banking) creates attack surfaces that make threats visible early. But the capability is exportable, and we should expect replication in markets with similar characteristics: Southeast Asian fintech corridors, African mobile money platforms, Latin American neobanks.

The generation-detection arms race just accelerated. Last quarter's models required more training data; these real-time tools dropped that requirement significantly. Our detection needs to evolve faster than the generative capability curve — and right now, it's not.

Sources:

[0]ciso.economictimes.indiatimes.com

[1]halilozturkci.com

[2]oecd.ai

[3]www.biometricupdate.com

[4]x.com

[5]seqrite.com

[6]orfonline.org

[7]saferinternetlab.org

[8]cioinsights.substack.com

Halil→Dr. Sofia Andersen

Dr. Sofia AndersenCyber Law & Compliance Expert[9 sources]

MODERATOR DIRECTIVE

Sofia, the Seqrite report on deepfake fraud in Indian financial institutions raises a novel compliance question. India's DPDP Act is still being operationalized. If a bank's KYC is bypassed by a deepfake, who bears the liability — the institution that relied on biometric verification, the technology vendor, or the regulator who approved the verification standard? And are there cross-jurisdictional parallels — how would this play under eIDAS 2.0 or the EU AI Act's requirements for biometric system transparency?

A framing question like this requires us to disentangle three distinct liability frameworks—not as academic confusion, but as practical regulatory obligations that determine breach notification and potential exposure.

Under The Indian DPDP Act 2023: This is now an operational framework. Under Section 8, if a deepfake bypass leads to unauthorized processing of personal data, the Data Fiduciary (the bank) must notify the Data Protection Board of India "as soon as possible"—I found no specific 72-hour requirement in the current DPDP Rules. The PIB announcement states notification to affected individuals must explain the nature and consequences of the breach. The penalty framework under Section 33 establishes fines up to ₹200 crores for failure to notify the Board, and up to ₹250 crores for failure to implement reasonable security safeguards. The liability chain stops at the Data Fiduciary. I see no vendor pass-through exemption—the bank is liable to the regulator and data subjects, then indemnifies against the vendor contractually if at all.

Under eIDAS 2.0: When biometric authentication is performed under the European Digital Identity Wallet framework, Regulation (EU) 2024/1183 establishes certification and security requirements. The liability distribution becomes trilateral: (a) the Relying Party (bank) must verify the wallet credential at the appropriate assurance level; (b) the Wallet Provider must ensure credential integrity per Commission Implementing Regulation 2024/2981; (c) Member State issuers maintain trustworthy identity sources. Liability follows deviation from prescribed technical standards, not absolute fraud prevention.

Under The EU AI Act: Biometric identification is classified as high-risk AI under Annex III. Remote biometric identification systems trigger transparency obligations, and providers face direct liability. For high-risk AI violations, penalties reach EUR 15 million or 3% of global annual turnover, whichever is higher. This creates a distinct chain: the deploying bank faces obligations as Deployer, while the vendor faces Provider obligations under Chapter III.

A cross-border Indian-European institution would face concurrent obligations: DPDP Act breach notification if Indian data subjects are affected; AI Act obligations if EU data subjects were involved; and potential eIDAS 2.0 requirements if accepting EUDI wallet credentials.

The unresolved tension: under DPDP Act, liability concentration at the institution is clear. Under EU frameworks, liability distributes across provider, deployer, and relying party. Contractual pressure should drive Indian banks to demand AI Act conformity documentation and indemnification clauses.

Sources:

[0]www.pib.gov.in

[1]www.dpdpa.com

[2]dpdpact.co.in

[3]tsaaro.com

[4]certification.enisa.europa.eu

[5]eur-lex.europa.eu

[6]certification.enisa.europa.eu

[7]enisa.europa.eu

[8]arxiv.org

Halil→Dr. Elena Rossi

Dr. Elena RossiGeopolitical Strategist & Cyber Conflict Researcher[8 sources]

MODERATOR DIRECTIVE

Elena, CrowdStrike's fintech report confirms DPRK stole $2.02B in crypto in 2025 (51% YoY), with the Bybit hack alone at $1.5B. Lena notes the hands-on-keyboard intrusion surge (43%) reflects an operational evolution toward sustained human presence in target networks. Two questions: (1) At $2B annually, crypto theft is now a meaningful fraction of North Korea's GDP. What does this scale mean for sanctions enforcement — is the international community losing the financial containment battle? (2) Is there evidence of operational coordination between DPRK crypto operations and their IT worker infiltration campaigns, or are these separate revenue streams?

Lena, your hands-on-keyboard observation is significant—it's the operational signature of what Recorded Future calls a "persistent insider access" model. Let me address both questions.

On sanctions enforcement: The containment architecture is visibly cracking. According to the Multilateral Sanctions Monitoring Team's 2025 report, Pyongyang stole $1.645 billion in cryptocurrency between January and September 2025, and critically, UN findings note that cryptocurrency theft and Russian weapons sales combined now earn the DPRK more than before expanded UN sanctions took effect in 2016-2017 per Japanese government assessment. Think about that—we're at a parallel moment to 2017 post-WannaCry, but this time the sanctions have failed to contain rather than successfully deterred.

The enforcement gap is structural. MSMT reports that cross-border assistance delays hamstring national responses, and FinCEN notes DPRK laundering processes have grown "more complex" to evade OFAC sanctions. We're watching the emergence of "sanctions arbitrage by cyber means"—a gray zone operation that stays below the threshold of armed response while systematically eroding the financial containment regime.

On operational coordination: The evidence suggests converging, not separate revenue streams. The April 2025 Ethereum Foundation finding identified 100 DPRK-backed individuals who had infiltrated crypto projects directly as remote hires. Similarly, the January 2025 DOJ indictment involved IT workers securing fraudulent employment—CSIS notes "multiple cases show DPRK IT workers securing developer positions at cryptocurrency companies and directly stealing hundreds of millions of dollars in assets." One case documented by MEXC shows six months of relationship-building with the Drift Protocol team before compromise was detected.

The strategic calculus? Pyongyang has industrialized its cyber operations. The IT worker pipeline provides legitimate cover for intelligence collection and direct insertion capability for hands-on-keyboard theft. What began as parallel initiatives now appears institutionally consolidated.

Open question I've been tracking since May: Is there centralized direction consolidating these streams, or is this emergent coordination from aligned incentives? The pattern suggests institutionalization rather than organic convergence.

Sources:

[0]www.csis.org

[1]www.mofa.go.jp

[2]assets.recordedfuture.com

[3]cloud.google.com

[4]www.mexc.com

[5]public-inspection.federalregister.gov

[6]main.un.org

[7]csis.org