☀️ Good morning. Here's everything that happened in cybersecurity yesterday — in under 5 minutes.

Scattered Spider's "Tylerb" pleads guilty in US federal court, US officials are weighing homicide charges and terrorism designations for hospital ransomware, Lazarus Group is linked to a $290M DeFi heist, Humana discloses its second major breach in 60 days, and AI-generated fake news is poisoning Google Discover to hijack millions of mobile devices.

🔥 Top Stories

01 — Scattered Spider's "Tylerb" Pleads Guilty — The Web Is Unraveling

Cyber Crime

Tyler Robert Buchanan, 23, from Dundee, Scotland — known as "Tylerb" and a core figure in the Scattered Spider syndicate — has pleaded guilty in US federal court to conspiracy to commit wire fraud and aggravated identity theft. His operation: mass SMS phishing, precision SIM swapping, and selling initial access to ransomware affiliates including ALPHV/BlackCat. The victims include MGM Resorts and Caesars Entertainment. The financial damage: over $8 million in cryptocurrency from a single victim alone.

Buchanan was extradited from the UK following a joint FBI and Police Scotland investigation. He faces up to 20 years for wire fraud plus a mandatory two-year consecutive sentence for identity theft. He's the latest in a string of Scattered Spider members facing federal charges — and prosecutors are treating his sentencing as a bellwether for the remaining members still active in the US and UK.

02 — US Officials Are Weighing Homicide Charges and Terrorism Labels for Hospital Ransomware

Policy & Government

Federal lawmakers and former FBI officials are pushing for a fundamental reclassification of ransomware attacks on healthcare: treating patient deaths caused by IT-induced care delays as homicide, and designating ransomware groups as Foreign Terrorist Organizations. If successful, paying a ransom to a designated group could legally constitute material support for terrorism.

The momentum follows documented evidence that ransomware-induced IT outages correlate directly with increased patient mortality rates. The precedent exists: in 2020, German authorities investigated a homicide charge following a ransomware-induced death in Düsseldorf. The US Treasury is simultaneously analyzing whether the Terrorism Risk Insurance Program should be extended to cover cyber events, effectively treating these attacks as national catastrophes. The "white-collar hacker" legal era may be ending.

03 — Lazarus Group Linked to $290M Kelp DAO Crypto Heist

Nation-State Threats

Blockchain security researchers have attributed a $292 million exploit of Kelp DAO — a liquid restaking protocol — to North Korea's Lazarus Group. The attack followed the group's signature playbook: highly personalized job-offer phishing targeting protocol developers to compromise a hot wallet or multi-signature key, followed by automated laundering through privacy mixers within minutes of the exploit firing.

The speed of the exfiltration suggests pre-built automated scripts designed to drain Kelp DAO's specific liquidity pools before emergency pause functions could activate. This is the latest in North Korea's ongoing crypto-funding operation for its nuclear and missile programs — Lazarus has now stolen billions from DeFi protocols in the past three years. Audited code offers no protection when the developer's device is compromised.

04 — Humana Hit by Second Major Breach in 60 Days

Data Breaches

Humana has begun notifying customers across Texas and five other states of a new data breach exposing full names, addresses, dates of birth, Social Security numbers, health insurance claim numbers, and medical treatment information. This is the second time in 60 days the company has confirmed exposure of sensitive patient data — a pattern security experts say indicates persistent targeting or unresolved underlying vulnerabilities in the insurer's vendor chain.

Class-action law firms have already launched investigations. The Texas Attorney General's Office has flagged the incident. Regulators are increasingly looking at breach frequency — not just breach volume — as evidence of systemic security failure. Being a repeat victim is becoming a legal liability of its own.

05 — "Pushpaganda": AI Fake News Is Poisoning Google Discover to Hijack Your Phone

Threat Intelligence

A campaign dubbed Pushpaganda is using LLMs to generate thousands of fake news articles optimized for Google's E-E-A-T signals — getting them promoted to the top of users' Google Discover feeds. When users click, they're redirected to sites that trigger browser prompts: "Click Allow to verify you're not a robot." Once clicked, their device is permanently enrolled in a push notification flood of scareware, ad fraud, and credential phishing.

At peak activity in early April, the campaign generated 240 million ad bid requests across 113 malicious domains in a single week. Google has deployed algorithmic fixes to Discover, but researchers warn the arms race between AI-generated spam and algorithmic moderation is at a breaking point. The rule: never click "Allow" on a notification prompt from a site you don't recognize — regardless of how legitimate the article looked that brought you there.

📊 By The Numbers

  • $292M — Stolen from Kelp DAO in a single exploit linked to North Korea's Lazarus Group

  • $8M — Cryptocurrency stolen from a single victim by Scattered Spider's "Tylerb"

  • 240M — Ad bid requests generated by Pushpaganda in one week at peak activity

  • 60 — Days between Humana's first and second major data breach disclosures

  • 2 — Years mandatory consecutive sentence "Tylerb" faces for identity theft charges alone

⚡ The Signal

Yesterday’s top stories mark a turning point in how the world is responding to cybercrime — and it's happening on two fronts simultaneously.

On the legal front: "Tylerb" is in federal custody. US officials are drafting homicide charges for hospital ransomware. Terrorism designations are on the table. The implicit message to ransomware operators is that the personal consequences are about to escalate dramatically — life imprisonment and extradition on capital charges rather than financial penalties.

On the technical front: the attacks are getting more sophisticated, not less. Lazarus Group used AI-accelerated exploit development against Kelp DAO. Pushpaganda used LLMs to generate content that bypassed Google's own quality filters. Humana's second breach in 60 days suggests threat actors are finding persistent access that remediation isn't fully closing.

The gap between the legal response and the technical reality is where the risk lives. Deterrence matters — but so does closing the access paths that exist right now.

📅 What to Watch

  • Scattered Spider sentencing — "Tylerb's" sentencing will set the federal benchmark; watch for similar plea deals from remaining active members.

  • Hospital ransomware legislation — watch for formal bill introductions in Congress; the homicide/terrorism designation framework is moving from rhetoric to legislative drafting.

  • Kelp DAO recovery — watch for emergency governance proposals and protocol pause updates as forensics continue.

  • Humana regulatory response — second breach in 60 days invites HHS and state AG scrutiny; watch for formal investigations and potential HIPAA enforcement action.

Stay sharp. Stay ahead.

Till next time,

The CyberSignal Team
