
news · 14 min read

Bulletin — February 2025

The AI Act Art. 5 enters application on 2 Feb and Vance buries the multilateral consensus in Paris on 11 Feb. TraderTraitor exfiltrates $1.5B from ByBit via Safe{Wallet}. Apple withdraws ADP in the UK. Anthropic releases Claude 3.7 Sonnet with visible reasoning. Storm-2372 scales device code phishing. DOGE enters and exits Treasury via court order.

· Manuel López Pérez · news


February 2025 is the month that defines the rest of the year. On 2 Feb the first binding step of the AI Act enters application and the regulating continent starts sanctioning. On 11 Feb in Paris, Vance picks up the gauntlet from the opposite side and buries the multilateral safety discourse with an “anti-overregulation” speech that breaks the Bletchley/Seoul consensus. On 21 Feb TraderTraitor executes the largest recorded cryptocurrency theft ($1.5B) and demonstrates that the supply chain of the frontend of a hosted multi-sig is the weakest piece of any custodial setup. And the same day, Apple withdraws Advanced Data Protection in the UK under pressure from the Investigatory Powers Act. Four open fronts for 2025.

EU AI Act Art. 5 — first binding application date

2 February. Chapter II of Regulation (EU) 2024/1689 enters application, the prohibitions of Art. 5. It’s the first time the AI Act triggers real obligations on operators: eight unacceptable practices out of the EU market, with a sanction band up to €35M or 7% of global turnover. On 4 February the Commission publishes the Guidelines on Prohibited AI Practices (non-binding but interpretive) in all 24 official languages; on 6 February, the guidelines on the definition of “AI system” in Art. 3(1).

The detail is covered in this month’s technical post: category by category, exemptions under Art. 5.2 and the extraterritoriality of Art. 2(1)(c). What matters to highlight here: the practices that fall are less exotic than they appear. They include emotion recognition in school proctoring tools and corporate interview AI (5.1.f), cross-context social scoring on tenant screening and gig worker rating platforms (5.1.c), Clearview-style indiscriminate facial scraping (5.1.e), and real-time facial recognition for law enforcement except in the listed cases (5.1.h).

The real operational load for companies in February 2025: a finalised AI inventory, triage against Art. 5, a removal or reconfiguration plan before end of Q1, and minimum staff training under Art. 4. AESIA still has no specific Spanish guidelines, so the default is alignment with the Commission’s.

Source: https://digital-strategy.ec.europa.eu/en/library/commission-publishes-guidelines-prohibited-artificial-intelligence-ai-practices-defined-ai-act · https://eur-lex.europa.eu/eli/reg/2024/1689/oj

AI Action Summit Paris — the end of the multilateral consensus


10–11 February, Grand Palais, Paris. Third international AI summit after Bletchley Park (2023) and Seoul (2024). Co-organised by France and India, declared intention: move from the inherited safety approach to the action approach — investment, infrastructure, open ecosystem. The summit closes with the Inclusive and Sustainable AI for People and the Planet declaration signed by 58 countries including France, India, China, Japan.

The US and the UK don’t sign. The public reason on the US side: the speech by Vice President JD Vance on 11 Feb. It’s Vance’s first foreign intervention since the inauguration and translates into geopolitical discourse the Trump AI Executive Order of 23 Jan.

Central messages of the speech, as they appear in the France 24 transcript and the Washington Post coverage:

  • “Excessive regulation of the AI sector could kill a transformative industry just as it’s taking off.”
  • “We feel strongly that AI must remain free from ideological bias and that American AI will not be co-opted into a tool for authoritarian censorship.”
  • Direct criticism of the Digital Services Act and the AI Act (“foreign regulatory regimes that target our companies”).
  • Commitment to pro-growth AI policies and opposition to any binding international framework.

The next summit — India 2026 — is left with the open question of whether the multilateral format holds. The AI safety consensus that cohered Bletchley/Seoul has bifurcated: a regulatory axis led by the EU with the UK in ambiguous position, an innovation-without-a-net axis led by the US, and China operating with its own framework. For multinational companies, the rest of 2025 is about translating that bifurcation into regulatory calendars by jurisdiction.

Source: https://www.france24.com/en/europe/20250211-jd-vance-warns-against-excessive-regulation-of-ai-at-paris-summit · https://www.washingtonpost.com/politics/2025/02/11/vance-paris-ai/

ByBit / Safe{Wallet} — $1.5B and the broken visualisation chain

21 February, 14:13:35 UTC. TraderTraitor (DPRK cluster inside Lazarus) executes the transaction that empties ByBit’s Ethereum cold wallet: 401,347 ETH, $1.5B at the day’s price. It’s the largest recorded cryptocurrency theft, without dispute.

The vector, unpacked in the technical post this month, is an impeccable chain. On 4 Feb a Safe developer downloads a malicious Docker project (MC-Based-Stock-Invest-Simulator-main), a signature TTP of TraderTraitor since 2022. The malware extracts active AWS session tokens from the compromised host and the attackers operate inside Safe’s AWS environment for 16 days without adding their own MFA, re-using Developer1’s legitimate session and aligning their working hours with the victim’s so the activity doesn’t stand out. On 19 Feb at 15:29 UTC they replace a single JavaScript file (_app-52c9031bfa03da47.js) in the S3 bucket serving app.safe.global with a payload that only activates when the signer is ByBit’s cold wallet address. On 21 Feb at 14:13 the transaction ByBit asks to sign (a routine transfer) is swapped for an execTransaction(...) with to = 0x96221423... (attacker contract), operation = 1 (delegatecall) and calldata transfer(0xbDd077f6..., 0): an SSTORE in disguise that rewrites slot 0 (the implementation address) of the multi-sig proxy. Two minutes later, the attackers restore the benign JavaScript in S3. There’s barely any forensic trace on the frontend.

What the chain teaches: the human signer can’t locally verify what they’re signing. In blind signing, the Ledger shows to, value, data in hex without decoding, so the signer depends on the frontend UI to understand the operation. When that frontend is compromised, the 3-of-N multi-sig, the hardware wallets and the air-gap processes stop protecting.
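One way to check such a payload independently of the hosted frontend, as an added example (not code from the original post or from Safe): decode the raw execTransaction calldata and flag a delegatecall before anyone signs. The addresses are constructed placeholders, the allowlist parameter is hypothetical, and only the to, value, data and operation fields are inspected.

```python
# Added example: decode Safe execTransaction calldata without relying on the frontend.
SEL_EXEC = bytes.fromhex("6a761202")      # execTransaction(address,uint256,bytes,uint8,...)
SEL_TRANSFER = bytes.fromhex("a9059cbb")  # transfer(address,uint256)
HEAD = 10 * 32                            # ten head words in execTransaction's ABI encoding

def uint_at(b, i):
    return int.from_bytes(b[32 * i:32 * i + 32], "big")

def addr_at(b, i):
    return "0x" + b[32 * i + 12:32 * i + 32].hex()

def dyn_bytes(args, offset):
    """Read an ABI `bytes` value (length word + payload) at a byte offset."""
    n = int.from_bytes(args[offset:offset + 32], "big")
    blob = args[offset + 32:offset + 32 + n]
    if len(args) < offset + 32 or len(blob) != n:
        raise ValueError("truncated dynamic bytes")
    return blob

def review(calldata, delegate_allowlist=frozenset()):
    """Return (decoded fields, findings) for one execTransaction payload."""
    if calldata[:4] != SEL_EXEC or len(calldata) < 4 + HEAD:
        raise ValueError("not a well-formed execTransaction call")
    args = calldata[4:]
    tx = {"to": addr_at(args, 0), "value": uint_at(args, 1),
          "operation": uint_at(args, 3), "data": dyn_bytes(args, uint_at(args, 2))}
    findings = []
    if tx["operation"] not in (0, 1):
        findings.append("unknown operation value")
    if tx["operation"] == 1 and tx["to"] not in delegate_allowlist:
        findings.append("delegatecall to non-allowlisted target " + tx["to"])
    inner = tx["data"]
    if inner[:4] == SEL_TRANSFER and len(inner) == 68:
        tx["inner"] = ("transfer", addr_at(inner[4:], 0), uint_at(inner[4:], 1))
        if tx["operation"] == 1:
            # Under delegatecall the target's code runs against the Safe's own storage,
            # so an ERC-20-looking selector says nothing about what gets written.
            findings.append("transfer() selector under delegatecall: not a token transfer")
    return tx, findings

# --- constructed sample input (placeholder addresses, not the real ones) ---
TARGET = "0x" + "11" * 20     # stands in for the contract in the `to` field
NEW_IMPL = "0x" + "22" * 20   # stands in for the first transfer() argument

def enc_bytes(b):
    return len(b).to_bytes(32, "big") + b + bytes(-len(b) % 32)

def build_sample(to, operation, inner):
    data = enc_bytes(inner)
    words = [bytes(12) + bytes.fromhex(to[2:]), bytes(32), HEAD.to_bytes(32, "big"),
             operation.to_bytes(32, "big")] + [bytes(32)] * 5 + \
            [(HEAD + len(data)).to_bytes(32, "big")]
    return SEL_EXEC + b"".join(words) + data + enc_bytes(b"")

INNER = SEL_TRANSFER + bytes(12) + bytes.fromhex(NEW_IMPL[2:]) + bytes(32)
SAMPLE_DELEGATE = build_sample(TARGET, 1, INNER)   # the shape described in the text
SAMPLE_CALL = build_sample(TARGET, 0, INNER)       # same payload as a plain call

if __name__ == "__main__":
    for name, cd in (("delegate", SAMPLE_DELEGATE), ("call", SAMPLE_CALL)):
        tx, findings = review(cd)
        print(name, tx["to"], tx["operation"], tx.get("inner"), findings)
```

The check only helps if it runs on a machine and code path that do not load anything from the hosted frontend, for example against the hex the hardware wallet displays.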

Industry response: on 24 Feb Ethereum Foundation, Ledger, Trezor, MetaMask and WalletConnect announce a working group on an open clear signing standard to end blind signing by default. The operational transition, however, will take quarters. Meanwhile, any multi-sig that depends on app.safe.global (or another hosted frontend) has the same surface.

On 26 Feb the FBI publishes PSA-250226 formally attributing the theft to DPRK via TraderTraitor, with a list of Ethereum addresses for blocking. Ben Zhou (ByBit CEO) does a public livestream two hours after the hack confirming 1:1 reserve solvency and absorption of the loss; as of 20 March, 88% of the funds remain traceable, $280M have moved via mixers and are considered “dark”.

Source: https://www.ic3.gov/PSA/2025/PSA250226 · https://www.sygnia.co/blog/sygnia-investigation-bybit-hack/ · https://www.nccgroup.com/research/in-depth-technical-analysis-of-the-bybit-hack/

Apple withdraws Advanced Data Protection in the UK — Investigatory Powers Act bites

21 February (same day as ByBit, coincidentally). Apple announces that Advanced Data Protection (ADP) — the opt-in end-to-end encryption feature for iCloud Drive, Photos, Notes, Reminders, Safari Bookmarks and full device backups — is no longer available for new users in the United Kingdom. Existing British users with ADP enabled have to manually disable it within an unspecified grace period to keep their account operational.

The trigger: in early February, the UK Home Office issues a Technical Capability Notice (TCN) under the Investigatory Powers Act 2016 demanding from Apple the capability to access the encrypted content of any Apple user worldwide, not just in the UK. The TCN’s existence leaks to the Washington Post on 7 Feb. Apple states to Bloomberg: “We are gravely disappointed that the protections provided by ADP will not be available to our customers in the UK given the continuing rise of data breaches and other threats to customer privacy.”

The exit Apple chose — withdrawing the product instead of complying with the universal backdoor — is the Lavabit pattern at continental scale. The IPA allows secret TCNs: officially, Apple cannot confirm the TCN’s existence or its terms. Withdrawing the product is the only public signal it can give.

What’s next: Apple appeals before the Investigatory Powers Tribunal. Secret hearing on 14 March. The open question is whether the UK can sustain an extraterritorial TCN without entering conflict with the Data Adequacy it has with the EU under GDPR. If the UK doesn’t guarantee personal data confidentiality by maintaining access for LE, the adequacy decision can be reviewed — with commercial impact much larger than ADP alone.

Source: https://www.bloomberg.com/news/articles/2025-02-21/apple-removes-end-to-end-encryption-feature-from-uk-after-backdoor-order · https://support.apple.com/en-us/122234

Anthropic Claude 3.7 Sonnet — visible reasoning as product


24 February. Anthropic launches Claude 3.7 Sonnet, its first hybrid reasoning model. A single API, two modes:

  • Standard — immediate response, behaviour equivalent to 3.5 Sonnet.
  • Extended thinking — goes through a phase of visible reasoning before responding. The user can inspect the raw CoT and control the thinking token budget (up to 128K).

Pricing equal to 3.5 Sonnet: $3 / $15 per million input/output (including thinking tokens). Benchmarks: SWE-bench Verified 70.3%, AIME 2024 80.0% with 64K extended thinking, GPQA Diamond 78.2%.

What’s relevant for security: unlike o1 (where CoT is hidden and only summaries are seen), Claude 3.7 shows the thinking in raw form. That changes the threat model in two directions:

  • CoT exfiltration in product. Thinking outputs become a prompt injection surface — an adversary can steer the intermediate reasoning before the final response. Apollo Research investigation during 2025 will document this pattern.
  • Jailbreak inspectability. When Claude is jailbroken, you can now read how it decides. For external researchers (Pliny, Embrace The Red) it’s a goldmine; for Anthropic it’s a transparency signal with the cost of exposing details that were previously proprietary.

Alongside 3.7 Sonnet, Anthropic launches Claude Code in limited preview — an agentic coding tool via CLI that executes read/write/run/test/commit/push with user authorisation. It’s the direct answer to Cursor/Cline and to the programming agent pattern that’s been maturing since 2024.

Source: https://www.anthropic.com/news/claude-3-7-sonnet · https://www.anthropic.com/news/visible-extended-thinking

Storm-2372 — device code phishing at scale


13 February. Microsoft Threat Intelligence publishes analysis on Storm-2372, a cluster assessed with moderate confidence to be aligned with Russian interests. The campaign has been active since August 2024 but scales in February against governments, NGOs, telcos, defence, healthcare and energy across Europe, North America, Africa and the Middle East.

Vector: device code phishing. The attacker initiates an OAuth 2.0 device code flow against the target M365 app (Microsoft Teams, Microsoft Graph, etc.), receives the code and URL Azure returns, and passes them to the victim user via a plausible message (Teams meeting invitation, “authentication required to access document”). The victim enters the code at microsoft.com/devicelogin authenticating with legitimate credentials; what they have just done is authorise the session the attacker initiated. The generated access tokens end up in the attacker’s hands, without the user typing the password into a fraudulent page, without TLS error, without domain typosquatting.

What’s problematic about the vector: device code flow is designed for keyboard-less devices (smart TVs, IoT devices). Its legitimate operation is exactly “someone initiates, someone else authorises”. There’s no technical way to distinguish legitimate use from adversarial use without additional context.

Mitigation recommended by Microsoft: block device code flow in Conditional Access except for explicitly justified cases, monitor tokens generated by device code flow with unexpected geographic origin, specific training for staff because the social engineering layer is what closes the attack. One of the things the guidance doesn’t solve: many organisations have device code enabled by default without having consciously evaluated it.
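The monitoring half of that mitigation, sketched as an added example (not Microsoft's hunting query and not code from the original post): triage sign-in events for device code flow against an explicit allowlist and each user's known countries. The field names are modelled on Entra ID sign-in log records and are an assumption here; the log lines, accounts and allowlist are constructed.

```python
# Added example: triage sign-in events for OAuth device code flow.
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (field names are assumptions
# modelled on Entra ID sign-in logs).
SAMPLE_EVENTS = """\
{"createdDateTime":"2025-02-10T08:01:00Z","userPrincipalName":"ana@example.org","authenticationProtocol":"none","location":{"countryOrRegion":"ES"}}
{"createdDateTime":"2025-02-10T08:05:00Z","userPrincipalName":"luis@example.org","authenticationProtocol":"none","location":{"countryOrRegion":"ES"}}
{"createdDateTime":"2025-02-10T09:00:00Z","userPrincipalName":"room-tv@example.org","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"ES"}}
{"createdDateTime":"2025-02-11T14:20:00Z","userPrincipalName":"ana@example.org","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"NL"}}
{"createdDateTime":"2025-02-12T03:10:00Z","userPrincipalName":"room-tv@example.org","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"RO"}}
{"createdDateTime":"2025-02-12T10:00:00Z","userPrincipalName":"luis@example.org","authenticationProtocol":"deviceCode","location":{"countryOrRegion":"ES"}}
"""

# Hypothetical allowlist: accounts with a justified need for device code flow,
# mapped to the countries their devices are deployed in.
ALLOWLIST = {"room-tv@example.org": {"ES"}}

def triage(lines, allowlist):
    """Return (time, user, country, reasons) for each suspicious device code sign-in."""
    events = [json.loads(l) for l in lines.splitlines() if l.strip()]
    events.sort(key=lambda e: e["createdDateTime"])  # ISO 8601 UTC sorts as text
    seen = defaultdict(set)  # countries per user, from non-device-code sign-ins
    alerts = []
    for e in events:
        upn = e["userPrincipalName"].lower()
        country = (e.get("location") or {}).get("countryOrRegion", "")
        if e.get("authenticationProtocol") != "deviceCode":
            seen[upn].add(country)
            continue
        reasons = []
        if upn not in allowlist:
            reasons.append("device code flow outside allowlist")
            if country not in seen[upn]:
                reasons.append("country not in user's sign-in history")
        elif country not in allowlist[upn]:
            reasons.append("allowlisted account from unexpected country")
        if reasons:
            alerts.append((e["createdDateTime"], upn, country, reasons))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, ALLOWLIST):
        print(alert)
```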

Source: https://www.microsoft.com/en-us/security/blog/2025/02/13/storm-2372-conducts-device-code-phishing-campaign/

DOGE → Treasury — court order on 8 Feb, negotiated restriction on the 11th

Early February. Personnel from the Department of Government Efficiency (DOGE, executive office created by Trump on 20 Jan and effectively run by Elon Musk) gain access to internal systems of several federal agencies: Treasury (federal payments), OPM (federal employment data), IRS (tax data), SSA (Social Security). Access to the Treasury payments system — the piece through which trillions of dollars pass per year, with personal and banking data of millions of Americans — triggers the judicial response.

7 February. New York Attorney General Letitia James leads a coalition of 19 state AGs suing the Trump administration for unauthorised access. On 8 February, a federal judge in the Southern District of New York issues a temporary blocking order: anyone unauthorised must immediately destroy copies of material downloaded since 20 Jan. On 11 February, the Trump administration accepts restrictions by agreement: only two DOGE members (with Treasury staff credentials) maintain access under supervision, read-only.

Background reading for security: what’s relevant isn’t the political dispute but the pattern. Administrative access to a federal database can be established in hours without complying with the privileged access procedures that normally surround it. When an incoming Treasury Secretary changes “policy for protecting sensitive personally identifiable information” (text of the lawsuit against Bessent) by direct order, the technical controls aren’t a barrier. The threat model “the legitimised executive skips the procedure” wasn’t in most agencies’ matrix.

Source: https://www.npr.org/2025/02/08/g-s1-47350/states-sue-to-stop-doge-accessing-personal-data · https://ag.ny.gov/press-release/2025/attorney-general-james-stops-elon-musk-and-doge-accessing-americans-private

Rest of the month

  • Patch Tuesday 11 Feb — 67 CVEs published, four zero-days exploited according to Microsoft Threat Intelligence: CVE-2025-21391 (Windows Storage EoP), CVE-2025-21418 (Windows AFD.sys EoP), CVE-2025-21194 (Microsoft Surface security bypass), CVE-2025-21177 (Microsoft Dynamics 365 SSRF). No public attribution to a specific APT at publication time.
  • OmniGPT data breach — 5 Feb, vendor on BreachForums claims to have exfiltrated conversations from 30,000+ users of the OmniGPT model aggregator, including service-owned API keys. OmniGPT does not publicly confirm, but does temporarily pause the service.
  • Lee Enterprises ransomware — US newspaper chain suffers encryption in early month; Qilin claims responsibility. Disruption to publication of 75+ local daily papers for weeks.
  • GrubHub data breach — 3 Feb, GrubHub confirms compromise via external service provider. US customer accounts affected: contact details + partial card data + password hashes.
  • ENISA Threat Landscape 2025 preliminary draft — circulated among stakeholders at month’s end. Thematic focus for the year: AI-enhanced social engineering, SaaS-dependent supply chain, ransomware as a service in clear consolidation.
  • MITRE ATT&CK v16.1 — published 6 Feb with new techniques in the Cloud Matrix specific to abuse of identity providers (Entra ID, Okta) and device-code phishing — coinciding with the Storm-2372 campaign cycle.
  • Anthropic Claude 3.5 Haiku — pre-announcement on 25 Feb of the next-generation Haiku, no exact date. Pointing at a Q2 2025 release.
  • Cisco IOS XE — several advisories this month — Cisco publishes incremental fixes in web-ui of IOS XE during February, no pre-auth chain comparable to 2023 (CVE-2023-20198/20273). Patches available, no mass exploitation reported.

The month that defines the rest of the year

If I distil February into one sentence: the European regulator starts applying the AI Act the same month the multilateral safety order breaks in Paris. The conversation that in 2023-2024 was “how do we regulate together” in February 2025 is “how do we each regulate on our own, who do we compete with for model deployment and how do we sustain data adequacy against the rest”.

On top of that, the operational lesson of the ByBit hack: in custodial setups of the order of hundreds of millions, the hosted frontend is the weakest piece because it concentrates two things that shouldn’t be together — the user experience of the signer (necessarily readable, dynamic, web) and the capacity to show what’s being signed (which in blind signing is exclusive to the frontend). TraderTraitor remains active with the same malicious Docker vector since 2022; the problem isn’t that they attack, it’s that the deployment model of a hosted Web3 frontend remains “S3 bucket + CloudFront + CI/CD cycle operated by human developers”.

And the Storm-2372 and DOGE Treasury cases share something abstract: the attacker (state in one case, executive in the other) abuses mechanisms designed for legitimate but rare uses. Device code flow is for keyboard-less devices; nobody reviewed whether it needed to be enabled by default. Administrative access from the Treasury Secretary is for emergencies; nobody reviewed whether it made sense to execute in hours and without external audit. It’s the “legitimate function abused” pattern that will define a lot of operational cyber in 2025, harder to detect and patch than a CVE because there’s no bug to fix.

The operational plan coming out of February:

  1. AI Act Art. 5 complete withdrawal before end of Q1, documented and archived for procedural defence.
  2. Audit of multi-sigs that depend on a hosted frontend: clear signing mandatory in signers, delegatecall guard in the contract, double payload verification via independent channel.
  3. Conditional Access audit in M365 / Entra ID: device code flow blocked except for explicit allowlist.
  4. Threat modelling for “the legitimised executive skips the procedure” in any critical system the organisation operates or hosts for third parties.

For March we’ll talk about the first serious paper on MCP tool poisoning — the AI security pattern that will be the equivalent of prompt injection for the rest of the year.
