Musk's teen DOGE worker belonged to The Com, got fired from a company for leaking secrets
Judge pauses Musk's access to Treasury Dept., DOGE team member made deep cybersecurity cuts at Citrix Systems, TikTok CEO pitches JV to White House, Newspaper chain Lee Enterprises disrupted by cyber incident, DeepSeek riddled with security and privacy risks, RCE in Marvel Rivals found, much more
Please consider supporting Metacurity with an upgraded subscription so that you can continue receiving our daily missives, packed with the top infosec developments you should know.
If you can't commit to a subscription today, consider tipping or donating to help keep Metacurity going.
19-year-old high school graduate Edward Coristine, who goes by the name "Big Balls" online and is a prominent member of Musk's DOGE effort infiltrating the US government's most sensitive networks and systems, showed up in multiple chat servers that security companies closely monitor involving The Com, the English-language cybercriminal hacking equivalent of a violent street gang.
In November 2022, Coristine, under the name "Rivage," could be seen requesting recommendations for a reliable and powerful DDoS-for-hire service.
Coristine’s LinkedIn profile said that in 2022, he worked at an anti-DDoS company called Path Networks.
Path was founded by Marshal Webb, a young man who also co-founded a DDoS mitigation company called BackConnect Security LLC. On September 20, 2016, KrebsOnSecurity published data showing that company's history of hijacking others' Internet address space.
Less than 24 hours after that story ran, KrebsOnSecurity.com was hit with the biggest DDoS attack the Internet had ever seen. That sustained attack kept the site offline for nearly four days.
The other founder of BackConnect Security LLC was Tucker Preston, a Georgia man who pleaded guilty in 2020 to paying a DDoS-for-hire service to launch attacks against others.
A screenshot shared on the website pathtruths.com includes a snippet of conversations between Path employees in June 2022 about Coristine’s firing from Path Networks.
According to that record, Path founder Marshal Webb dismissed Coristine for leaking internal documents to a competitor. Not long after Coristine’s termination, someone leaked a large trove of internal Path documents and conversations. (Brian Krebs / Krebs on Security)
Related: Bloomberg, Databreaches.net, Newsweek, Fortune, Reuters, Gizmodo, New York Times, The Hill, The Independent, Mediaite, Futurism, The Verge, New Republic, NPR, The Record, magpie's nest, r/cybersecurity, r/Intelligence, Rolling Stone, Raw Story
In an emergency order, US District Judge Paul A. Engelmayer temporarily restricted access by Elon Musk’s government efficiency program to the Treasury Department’s payment and data systems, saying there was a risk of “irreparable harm.”
Engelmayer said the Trump administration’s new policy of allowing political appointees and “special government employees” access to these systems, which contain highly sensitive information such as bank details, heightens the risk of leaks and makes the systems more vulnerable to hacking.
He ordered any such official who had been granted access to the systems since Jan. 20 to “destroy any and all copies of material downloaded from the Treasury Department’s records and systems.” He also restricted the Trump administration from granting access to those categories of officials. (Hurubie Meko and Qasim Nauman / New York Times)
Related: AG.NY.gov, France24, CNN, FedScoop, Al Jazeera, Associated Press, Bloomberg Law, Forbes, The Register
Tom Krause, a veteran technology executive who is now a special government employee (consultant) at the Treasury Department and a member of Musk's DOGE team, deeply cut costs at Citrix Systems after his company, Cloud Software Group, acquired it, leaving its security software and hardware more vulnerable than before and possibly allowing intruders to infiltrate Citrix’s products in two major hacks.
In 2023, the Cybersecurity and Infrastructure Security Agency, or CISA, the US government’s top online watchdog, ranked two vulnerabilities in Citrix software as the top two most exploited flaws by hackers.
Cloud Software Group, which declines to discuss Krause’s role at the Treasury Department, says it inherited weaknesses at Citrix and is also facing rising security threats across the industry. Krause and his management team have made fixing flaws in Citrix’s security products “their first, second and third priorities” after the acquisition, the company said in a statement. (Jordan Robertson and Paula Seligson / Bloomberg)
Sources say TikTok Chief Executive Shou Chew met with senior White House officials and offered a proposal that envisioned a joint venture with US investors headquartered in the US and overseeing data security.
Management would be US-based, and a majority of the board of directors would be US members.
It is unclear whether the investors include the US government itself. Donald Trump has ordered the creation of a sovereign wealth fund and suggested it could be used to acquire TikTok, which many observers see as far-fetched.
Meanwhile, Trump has tasked Vice President JD Vance with overseeing negotiations, hoping Vance’s background in venture capital and Silicon Valley ties can facilitate a deal. (Jessica Toonkel, Dana Mattioli, Alex Leary, and Josh Dawsey / Wall Street Journal)
Related: The Information, SiliconANGLE
Newspapers across the country owned by the news media company Lee Enterprises were unable to print, had problems with their websites, and published smaller issues after a cyberattack last week.
Lee Enterprises said that a “cybersecurity event” was disrupting its daily operations, and it had notified law enforcement.
Lee Enterprises is the parent company of more than 70 daily newspapers, such as The St. Louis Post-Dispatch, and nearly 350 weekly and specialty publications in 25 states, including Alabama, New York, and Oregon. The company did not say how the attack happened or who was behind it.
Newspapers published by Lee Enterprises reported on the cyberattack and said that most of the problems began on Monday morning. Each newspaper included details about how the attack had stifled their operations. (Amanda Holpuch / The New York Times)
Related: The Columbian, KBTX, KWQC, Augusta Free Press, The Daily Progress, The Tulsa World, TechCrunch, St. Louis Post-Dispatch, La Crosse Tribune, The Press of Atlantic City
Researchers at NowSecure caution that many of DeepSeek’s AI platform design choices, such as using hard-coded encryption keys and sending unencrypted user and device data to Chinese companies, introduce glaring security and privacy risks.
In a teardown of the DeepSeek app, NowSecure urged organizations to remove the DeepSeek iOS mobile app from their environments, citing security concerns.
NowSecure founder Andrew Hoog said the company has not completed an in-depth analysis of the DeepSeek app for Android devices, but there is little reason to believe its basic design differs significantly in function.
The device information shared, combined with the user’s Internet address and data gathered from mobile advertising companies, could be used to deanonymize users of the DeepSeek iOS app, NowSecure warned.
The company notes that DeepSeek communicates with Volcengine, a cloud platform developed by ByteDance (the maker of TikTok). However, NowSecure said it wasn’t clear if the data is leveraging ByteDance’s digital transformation cloud service or if the declared information share extends further between the two companies. (Brian Krebs / KrebsonSecurity)
Related: NowSecure, India Today, The Register, MakeUseOf, Gigazine, Apple Insider, Cybernews, TechWorm, Globes
A YouTuber who goes by Shalzuth revealed that he's found a remote code execution (RCE) vulnerability in Marvel Rivals that hackers can use as a doorway to take over a player's PC.
He describes the issue without giving technical details that could be used to harm other players. "Please note, this isn't about fearmongering," Shalzuth says. "It's about understanding how this class of vulnerability works and why it's so important for game developers to design hotfixes and patch updates in a secure and safe way."
It all started when Shalzuth was playing Marvel Rivals, and he "noticed something odd about how the game updates the cosmetics store" because it does so without a client patch or update.
The exploit has limitations right now: to see and tamper with the game's traffic, an attacker must be on the same Wi-Fi network as the player.
It's unclear how seriously the game maker is taking this issue. While commenters claim that they have raised this issue with the developers, there's no concrete evidence that the developers are aware of it. (Elie Gould / PC Gamer)
Related: Shalzuth, GBHackers, ReadWrite
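The class of problem Shalzuth describes, a client that pulls live content (here, cosmetics-store data) without a client patch and applies it, is only safe if the client authenticates what it receives; otherwise anyone on the same network who can intercept and rewrite the response controls what gets applied. The following Go program is an added example, not code from Marvel Rivals, its developer, or Shalzuth, and it does not describe how the game actually fetches updates. It assumes a hypothetical hotfix record signed with Ed25519 by the publisher, and contrasts a client that applies whatever arrives with one that verifies the signature under a pinned public key and refuses rollback to an already-applied version.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hotfix is a hypothetical over-the-wire update record (an assumption of
// this example, not the game's real format): a monotonically increasing
// version, the payload bytes the client would apply, and a detached
// Ed25519 signature over version||payload.
type Hotfix struct {
	Version uint64
	Payload []byte
	Sig     []byte
}

// signedBytes is the exact byte string that is signed and verified: the
// version as 8 big-endian bytes followed by the payload. Binding the version
// into the signature stops an attacker from pairing a valid signature with a
// different version number.
func signedBytes(version uint64, payload []byte) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, version)
	return append(buf, payload...)
}

// SignHotfix runs on the publisher's side; the private key never ships in
// the client.
func SignHotfix(priv ed25519.PrivateKey, version uint64, payload []byte) Hotfix {
	return Hotfix{Version: version, Payload: payload,
		Sig: ed25519.Sign(priv, signedBytes(version, payload))}
}

// ApplyUnverified models the weak pattern: whatever arrives over the network
// is accepted. An on-path attacker who can rewrite the response controls
// what the client applies.
func ApplyUnverified(h Hotfix) []byte { return h.Payload }

var (
	ErrBadSignature = errors.New("hotfix: signature does not verify")
	ErrRollback     = errors.New("hotfix: version not newer than last applied")
)

// VerifyHotfix is the hardened check the client runs before applying
// anything: the signature must verify under the pinned public key, and the
// version must be strictly newer than what is already installed, so a
// genuine but old hotfix replayed by an attacker is refused.
func VerifyHotfix(pub ed25519.PublicKey, h Hotfix, lastApplied uint64) error {
	if len(h.Sig) != ed25519.SignatureSize ||
		!ed25519.Verify(pub, signedBytes(h.Version, h.Payload), h.Sig) {
		return ErrBadSignature
	}
	if h.Version <= lastApplied {
		return ErrRollback
	}
	return nil
}

// DemoKeyPair derives a fixed key pair from a constant seed so the example
// is reproducible; a real publisher keeps the private key offline.
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKeyPair()
	// Constructed sample payload standing in for a store update.
	good := SignHotfix(priv, 7, []byte(`{"store":{"skin":"nebula","price":1200}}`))
	fmt.Println("genuine:", VerifyHotfix(pub, good, 6))

	// On-path attacker (same Wi-Fi) rewrites the payload but cannot re-sign it.
	tampered := good
	tampered.Payload = []byte(`{"store":{},"exec":"calc.exe"}`)
	fmt.Println("tampered:", VerifyHotfix(pub, tampered, 6))

	// Replaying a genuine, older hotfix is caught by the version check.
	fmt.Println("replay:", VerifyHotfix(pub, good, 7))

	// The unverified path hands back the attacker's bytes unchanged.
	fmt.Printf("unverified client would apply: %s\n", ApplyUnverified(tampered))
}
```

Run with `go run`: the genuine hotfix verifies, the rewritten payload fails with ErrBadSignature, and a replay of an already-applied version fails with ErrRollback. Transport encryption alone narrows the same-network attack but does not replace payload signing; a pinned update-signing key still protects the client if a CDN node or update endpoint is compromised.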
The TikTok Policy account announced that the service has made Android Package Kits available for download through its official website.
The app briefly went offline on January 19, when a US law took effect banning it in the US unless its parent company ByteDance sells it to a US-based owner.
Under that law, the Apple App Store and the Google Play Store must remove their listings if they don't want to be fined $5,000 for every US user who downloads the app. TikTok didn't take a full day to restore access to its service, but its app has yet to reappear on Google and Apple stores in the US. (Mariella Moon / Engadget)
Related: Reuters, The Verge, PCMag, Android Headlines, 9to5Google, Forbes, Daring Fireball, iClarified, HotHardware, Neowin
Police arrested four Russians living in Phuket who are wanted in Switzerland and the United States on multiple charges of using ransomware to demand payments totaling US $16 million.
The men aged 27 to 39 were taken into custody on Sunday from separate residences, villas with swimming pools, in Muang and Thalang districts of the southern island province, Pol Lt Gen Trairong Phiwpan, head of the Cyber Crime Investigation Bureau, said on Monday.
Police also seized about 40 items, including notebook computers and mobile phones, as evidence. They withheld the four men's names.
Pol Lt Gen Trairong said the four suspects allegedly used ransomware to attack 17 companies in Switzerland between April 30, 2023, and October 26, 2024, demanding payment in exchange for the keys to unlock the encrypted computer systems. (Wassayos Ngamkham / Bangkok Post)
Related: Khaosod English, Nation Thailand
Hacker Bjorka, who shook Indonesia in 2022 and 2023 during the COVID-19 pandemic, has returned with an X account revealing that several private and state-owned banks in Indonesia, such as BCA, BNI, BSI, Bank Mandiri, and the Central Bank (BI) will be the next targets of ransomware hacker groups.
“@BankBCA a surprise for banks in Indonesia, if they do not respond immediately to this, then Bank BCA will experience a massive data breach,” an X account under the name Bjorka (@bjorkanesiaaa) posted on Wednesday, February 5, 2025.
“You say it’s not true? Okay, just wait and see what happens! We said security needs to be tightened, but they said we’re just giving facts or fake news. LoL,” Bjorka added, on Thursday, February 6, 2025.
Bjorka tweeted that banks such as BNI, BCA, Bank Mandiri, BSI, and BI should be prepared to be the next ransomware targets. This was in response to BCA's denial of the news of leaked script data.
Bjorka claimed the ransomware hacker group had 890,000 accesses to customer data and 4.9 million BCA database records.
The hacker also showed a screenshot showing an account named ‘Sky Wave’ selling data allegedly belonging to BCA customers to the dark web. (Julian Isaac / Indonesia Business Post)
Related: bne intelligence
The official X handle of the Kenya Directorate of Criminal Investigation (DCI Kenya) was hacked and used to promote a scam coin dubbed $DCI.
The hackers purported that the $DCI token was listed on major exchanges, notably Binance, the largest crypto exchange in Kenya and globally, and Pump.fun, a Solana-based platform that enables anyone to create and deploy a cryptocurrency or token.
DCI Kenya said, “For some moment this evening, we experienced a cyber-attack on the DCI digital platforms (X and Facebook), but have since regained full control." (Crypotguru / BitKE)
Related: Nairobi Leo, Kenyans.co.ke, TV47
The Iranian hacker group Handala published on its Telegram channels that it had stolen 2.1 terabytes of data, including 350,000 sensitive documents, from the Israeli police.
The information released by the group includes email addresses, gun licenses, photos of police officers, including personal numbers, classified documents, including details of suspects and convicted criminals (including their personal details), and sex offender employment permits.
The group claims to have stolen personal files of police officers, including psychological profiles and other sensitive information.
The hackers also claim to have penetrated the Ministry of National Security servers. Handala, known for previous attacks on Israeli entities, has hacked into the Elad municipality, the Ramat Gan Academic College, and other systems.
Israeli police denied the attack, saying there was no evidence of a breach. (Israel National News)
Related: PressTV, Iran International
Penetration tester Curt Hems and a colleague from Threat Spike Labs, hired for a “black team” engagement to evaluate the physical and operational security of a client’s premises, were arrested by armed police officers during a simulated breach of a corporate office in Malta.
Their mission included bypassing security controls, accessing sensitive areas, and identifying vulnerabilities in the organization’s defenses.
The testers were detained despite having authorization documents signed by the client’s general manager.
“The findings were critical major gaps in physical security, access control, and operational security. Yet, despite our success, we were ultimately apprehended. Not by security. Not by IT. But by 11 armed police officers.”
Law enforcement was called under the assumption that an actual attack was underway. The testers repeatedly explained their role and presented their authorization letter, but the situation took time to resolve. (Kaaviya / gbhackers)
Related: Curt Hems on LinkedIn
Sources say enterprise software and security startup Island Technology is raising money at a $4.5 billion valuation in a round led by investment firm Coatue Management.
Island, which has offices in Dallas and Tel Aviv, makes secure internet browsers for businesses. The product was launched in 2022.
The company previously raised almost $500 million from investors, including Sequoia Capital, Insight Partners, and Israeli VC firm Cyberstarts. It last raised money in early 2024 at a $3 billion valuation. (Katie Roof and Kate Clark / Bloomberg)
Observability and IT management solutions giant SolarWinds has entered into a definitive agreement to be acquired by San Francisco-based private equity firm Turn/River Capital.
Turn/River Capital will pay $4.4 billion in cash, or $18.50 per share, a 35% premium to the stock’s closing price 90 days before the deal was announced.
The transaction is expected to close in the second quarter of 2025. Once completed, SolarWinds will become a privately held company. (Eduard Kovacs / Security Week)
Related: Business Wire, PaymentSecurity.io
Best Thing of the Day: Honoring Aaron Swartz
Pablo Peniche, head of growth for the startup Aqua Voice, unveiled a marble bust of Aaron Swartz, the legendary programmer, activist, and open-access hero, at the Internet Archive auditorium in San Francisco.
Bonus Best Thing of the Day: At Least It Wasn't Llanfairpwllgwyngyllgogerychwyrndrobwllllantysiliogogogoch
Cybersecurity researcher Jason Jacobs found that the longest WiFi password he encountered was supercalifragilisticexpialidocious, while the most complex was a JavaScript cross-site scripting payload beginning “>
Worst Thing of the Day: Sure, Let's Wipe Out a Good Chunk of Foreign Intelligence
During what an NSA spokesman characterized as a chaotic process, the agency is planning a "Big Delete" of websites and internal network content that contain any of 27 banned words, including "privilege," "bias," and "inclusion," leaving the signals intelligence operation with a vast memory hole.