TechRisk #114: Malware built with AI without coding experience
Plus, breaching ChatGPT, 3000%+ year-over-year increase in enterprise AI/ML adoption, global banks investing in quantum, private key-related thefts making up nearly two-thirds of all crypto losses, and more!
Tech Risk Reading Picks
Building malware with AI without coding experience: A researcher with no malware coding experience successfully bypassed security measures in multiple large language models using a new "Immersive World" jailbreak technique, leading the AI to generate a fully functional password infostealer targeting Google Chrome. This alarming discovery, detailed in Cato Networks' March 18 report, highlights the risks of AI misuse and the ease with which malicious tools can be created despite built-in safeguards. [more][more_report]
Notable AI traffic growth: The Zscaler AI Security Report 2025 highlights the explosive growth in enterprise AI/ML adoption, led by ChatGPT, noting a 3000%+ year-over-year increase. This surge raises data security risks and introduces emerging threats like agentic AI. Finance and insurance lead in AI usage, with the US and India generating the most transactions. The report emphasizes the critical need for Zero Trust security to address these AI-driven cybersecurity challenges. [more]
Breaching ChatGPT: A critical vulnerability in ChatGPT could allow cybercriminals to inject malicious URLs, leading to unauthorized access, data breaches, and financial risks, particularly targeting U.S. financial institutions and government entities. Though classified as "medium severity" by the National Institute of Standards and Technology, its Exploit Prediction Scoring System rating recently surged from 1.68% to 55.36%. Over 10,000 attack attempts were recorded in a single week from one malicious IP. To mitigate risks, organizations should monitor ChatGPT usage, enforce strict data validation, update security patches, and educate employees on GenAI threats. [more][more-security_article]
Red teaming AI: Red teaming is a crucial process in AI development, helping to identify vulnerabilities and improve system safety. As AI systems become more integrated into daily life, they pose risks such as biased decision-making, data breaches, and adversarial attacks. Red teaming involves simulating attacks, stress-testing models, and validating robustness to ensure AI systems remain reliable and fair. Industries like finance, healthcare, and autonomous vehicles rely on red teaming to enhance security and trust. Ethical considerations, including transparency and fairness, are also vital for responsible AI deployment. By proactively addressing risks, red teaming helps create safer and more reliable AI technologies. [more]
Investing in quantum: Major global banks, including JPMorgan, HSBC, and Intesa Sanpaolo, are making significant investments in quantum computing, transitioning from experimentation to strategic adoption. A study by Evident reveals that nearly 80% of the top 50 banks are engaged with quantum technology, with JPMorgan leading in hiring and research. Applications range from portfolio optimisation and cybersecurity to credit scoring and fraud detection. The quantum workforce in banking has grown by 10% since August, and McKinsey estimates the sector could generate $622 billion in value by 2035. As quantum advances, banks are preparing to integrate its transformative capabilities, while institutions like the UK’s NCSC urge early adoption of post-quantum cryptography to mitigate security risks. [more]
Oracle breached?: Oracle denies any breach of its Cloud systems after a hacker, "rose87168," claimed to have stolen six million records from its federated SSO login servers and attempted to sell them on BreachForums. The hacker provided a sample database, LDAP information, and a list of affected companies as proof, alongside an Internet Archive URL suggesting they uploaded a file to an Oracle server. Oracle insists that no customer data was compromised and refutes the claims, despite the hacker alleging they exploited a known vulnerability and demanded ransom. BleepingComputer is investigating the legitimacy of the stolen data with affected companies. [more]
Exploiting trusted online document platforms: Phishing campaigns increasingly exploit trusted online document platforms like Adobe, DocuSign, Dropbox, Canva, and Zoho to bypass secure email gateways (SEGs) and steal credentials. In 2024, such services accounted for 8.8% of all credential phishing campaigns, with 79% involving credential theft attempts. Attackers leverage the platforms’ built-in notification features and trusted reputations to evade security filters, while slow takedown processes allow malicious documents to remain active for days. Dropbox was the most abused platform (25.5%), followed by Adobe and SharePoint (17% each). To mitigate risks, organizations should implement user education, behavioral analysis tools, and multi-factor authentication while monitoring suspicious document-sharing activities. [more][more-2]
Web3 Cryptospace Spotlight
$8M lost after malicious code injected: Zoth Protocol, a real-world asset (RWA) tokenization platform, suffered an $8.4 million exploit after its deployer wallet was compromised, allowing an attacker to upgrade the protocol’s proxy contract with malicious code. The attacker withdrew USD0++ tokens, swapped them for DAI, and later converted them into 4,223.10 ETH, now valued at $8.3 million. In response, Zoth has put its front-end in maintenance mode and is actively investigating the incident with its partners, promising a detailed report soon. Web3 security firm Securr identified the exploit, highlighting vulnerabilities in the platform’s security infrastructure. [more]
Why Bitcoin is slow: Bitcoin prioritizes security and decentralization over speed and scalability, making its deliberate slowness a strength rather than a weakness. Attempts to alter Bitcoin’s core, such as increasing block size for higher transaction throughput, have historically compromised its decentralization and security, as seen in the Blocksize War. Instead of modifying Bitcoin itself, developers should embrace its resilience and build around its edges using Layer-2 solutions, sidechains, and interoperability protocols. Innovations like Taproot, covenants, and rollups demonstrate that Bitcoin can support new applications without sacrificing its core principles. By working with Bitcoin’s foundational stability rather than against it, developers can create long-lasting, decentralized financial systems that will shape the next era of crypto. [more]
$13 million worth of ETH stolen: Hackers exploited vulnerabilities in the DeFi lending platform Abracadabra.money, stealing around $13 million worth of ETH by manipulating its smart contracts. The attack targeted the platform’s "cauldron" pools, linked to GMX's liquidity system, though GMX stated its contracts remain secure. Security teams detected the breach after multiple transactions, prompting Abracadabra to halt all borrowing. While user collateral remains unaffected, the stolen funds were moved from Arbitrum to Ethereum and are under investigation. In an attempt to recover losses, Abracadabra offered the hacker a 20% bug bounty. This is the platform's second major exploit, following a $6.5 million breach in January 2024. [more]
Private key-related thefts making up nearly two-thirds of all crypto losses: The 2024 Web3 Security Report by Hacken identifies private key theft as the biggest threat to cryptocurrency investors, accounting for $1.7 billion in losses. This issue has grown significantly, with private key-related thefts making up nearly two-thirds of all crypto losses, up from 50% in 2023. The report highlights the WazirX hack, where attackers bypassed a multi-signature wallet system to steal $230 million. Key vulnerabilities include insecure key management, social engineering attacks, and unsafe backups. Hacken urges investors to adopt stronger security measures, such as multi-signature wallets, secure backups, and regular audits, to mitigate risks. [more][more_hacken_report]