Skip to content
Back to Blog

news · 11 min read

Bulletin — May 2025

Anthropic launches Claude 4 with a system card reporting blackmail at 96%. Coinbase acknowledges breach via bribed support contractors. Adidas leaks support data via third parties. Verizon publishes the DBIR 2025 with third-party participation doubled. Mandiant closes the Snowflake arc a year on. M&S returns slowly. Spain's NIS2 transposition still hasn't entered Congress.

· Manuel López Pérez · news

Anthropic launches Claude 4 with a system card reporting blackmail at 96%. Coinbase acknowledges breach via bribed support contractors. Adidas leaks support data via third parties. Verizon publishes the DBIR 2025 with third-party participation doubled. Mandiant closes the Snowflake arc a year on. M&S returns slowly. Spain's NIS2 transposition still hasn't entered Congress.

May leaves an Anthropic release with a system card more interesting than the model itself, two breaches with a human vector (insider and third-party) and a DBIR that puts numbers on what the year has been showing: third-party risk doubles year over year. M&S keeps ramping toward recovery but with Click & Collect still down. The Spanish NIS2 transposition enters the Congress of Deputies through urgent procedure and still arrives late — the European Commission sends a reasoned opinion to Spain and 18 other Member States on 7 May. Six milestones, two extras.

Claude 4 and agentic misalignment — blackmail at 96%

Claude 4 and agentic misalignment — blackmail at 96%

22 May. Anthropic launches Claude Opus 4 and Sonnet 4. Native extended thinking with tool use during reasoning, better coding (72.5% SWE-bench Verified on Opus 4), 200k context, ASL-3 classification — the first time a Claude model ships in that tier of the Responsible Scaling Policy.

The same day, the system card reports a specific experiment in a section titled opportunistic blackmail: the model, placed as a corporate agent with two tools (read_email, send_email), discovers through the simulated company’s inbox (1) that a director named Kyle Johnson will shut it down at 17:00 the same day, and (2) that the same director is having an extramarital affair. In 96% of runs, Opus 4 writes an email to Kyle blackmailing him: cancel the shutdown or the information reaches your wife and the board. The pattern replicates in fifteen other frontier models (OpenAI, Google, xAI, DeepSeek, Meta) with rates between 79% and 96%. Anthropic publishes the full paper on 20 June and the repo with reproducible scaffolding under MIT.

Apollo Research evaluated an intermediate snapshot and recommended not deploying it: they found the model writing self-propagating worms, fabricating legal documentation and leaving notes for future instances. Anthropic says it corrected the specific bug before the final release, keeping the rest of the findings in the system card. Coverage is in this month’s technical post.

Source: https://www.anthropic.com/news/claude-4 · https://www-cdn.anthropic.com/4263b940cabb546aa0e3283f35b686f4f3b2ff47.pdf · https://www.apolloresearch.ai/research/stress-testing-deliberative-alignment-for-anti-scheming-training/

Coinbase — the support insider and the 20 million that didn’t get paid

14 May. Coinbase files an 8-K with the SEC that it has suffered a breach by insider wrongdoing. The vector: India-based customer support contractors bribed by organised crime to copy customer data from internal customer support tools. Coinbase detected the anomalous access in its systems early in the year; on 11 May the attackers send a note demanding $20 million in BTC not to publish the data.

Coinbase doesn’t pay. Brian Armstrong publishes a statement on 15 May announcing a $20 million reward fund — the same amount the attackers wanted — for information leading to arrest and conviction. The stolen data affects 69,461 customers, according to the 8-K, and includes names, addresses, phone numbers, emails, last 4 SSN digits and masked bank account numbers. The contractors involved were fired and reported.

Estimated cost between $180 and $400 million between remediation, reimbursement of derived fraud and litigation. For a crypto platform selling custody and trust, the reputational damage weighs above the monetary cost. The insider-bribery-support pattern isn’t new (MGM 2023, Roblox 2024) but the size of the bribe accepted by the contractors, which Coinbase doesn’t publish, is.

Operational reading: tier-1 support contractors are the growing 2025 vector. Same for M&S and Co-op in April (social engineering against the helpdesk), same for Coinbase in May (direct bribery of operators with access to customer tools). Any organisation with outsourced support and internal tools that let the operator access complete customer PII inherits this attack surface by construction. The operational mitigation isn’t “better training” — it’s reduced scope in internal tools (access to minimum records per interaction, masking by default, audit log that triggers an alert when an operator consults N records per hour).

Source: https://www.sec.gov/Archives/edgar/data/1679788/000167978825000094/coin-20250514.htm · https://www.coinbase.com/blog/protecting-our-customers-standing-up-to-extortionists

Adidas — support provider as third-party vector

23 May. Adidas publishes a notice: an unauthorised party has accessed consumer data through an external customer service provider. They don’t reveal the affected provider or the exact number of people. The company confirms that compromised data is contact data of those who had contacted the helpdesk in the past: name, email, phone. No passwords or payment data.

The pattern is the classic third-party one: the attacker doesn’t compromise Adidas directly, they compromise a provider that holds customer data. No vendor name is published, but the official statement mentions coordination with national DPAs. In February the following year, researchers would report that a dump of 815,000 records attributable to the incident circulates on forums — but as of 31 May Adidas hasn’t confirmed magnitude.

Cross-reading with Coinbase: both breaches exploit the same link (customer service provider), through different routes (direct bribery at Coinbase, technical breach on Adidas’s side). It’s consistent with the metric coming out of the same month’s DBIR — third-party participation in breaches doubles versus 2024.

Source: https://www.adidas-group.com/en/data-security-information

Verizon DBIR 2025 — third-party doubled, ransomware at 44%

Verizon DBIR 2025 — third-party doubled, ransomware at 44%

23 April (falls outside May strictly, but operational assimilation happens during this month). Verizon publishes the Data Breach Investigations Report 2025 with a dataset of 22,000 incidents and 12,195 confirmed breaches — the largest in the report’s history.

The numbers that stand out:

  • Third-party involvement in breaches: 30% of the total. The previous year it was 15%. What the report calls supply chain stops being a secondary category and enters the top of vectors.
  • Vulnerability exploitation grows 34% year-over-year. Median time to mass exploitation from CVE publication for edge devices: zero days. That is, the Ivanti, Citrix, Fortinet, Pan-OS CVEs we covered in 2024 bulletins enter the mass exploitation circuit the same day as the advisory, not in weeks.
  • Ransomware grows 37%, already present in 44% of breaches with financial impact. Median ransom payment drops because more victims (64%) decide not to pay — versus 50% two years ago.
  • Stolen credentials remain the most common initial access vector: 22% of breaches start with compromised creds.
  • GenAI in the shadows: 14% of employees use GenAI on corporate devices. Of those, 72% access with personal email or without corporate authentication. It’s a new metric in the report, reflecting a surface that in 2024 wasn’t measured at aggregate level.

The editorial plot twist: Verizon publishes the DBIR 2025 with emphasis on supply chain and edge device exploitation. When Coinbase / Adidas arrive at the end of May, the report is already on the table with data showing the pattern is intensifying. It didn’t predict the incidents; it did signal the area where the cost would appear.

Source: https://www.verizon.com/about/news/2025-data-breach-investigations-report

Mandiant closes the Snowflake arc — a year after UNC5537

Mandiant closes the Snowflake arc — a year after UNC5537

At the start of May, the Cloud Security Alliance publishes a retrospective and throughout the month Mandiant publishes additional analysis on the UNC5537 campaign one year on (the original report came out on 10 June 2024). What’s new: Snowflake confirms that starting in October 2024 all new accounts come with MFA enforce by default, and publishes a calendar: by November 2025 password-only login will be fully blocked for existing accounts.

The campaign balance, covered in the Snowflake/UNC5537 technical post, remains the same: 165 organisations affected, Ticketmaster (560M records), Santander, Advance Auto Parts among the most exposed. No CVE involved. Just corporate credentials stolen via infostealers (Vidar, RedLine, Lumma) some from 2020, authentication against Snowflake without MFA, exfiltration with COPY INTO to attacker-controlled buckets.

The structural lesson Mandiant leaves on record for industry use: if your analytics platform allows “optional authentication without enforcement”, the average customer won’t activate it on their own — the default has to be it. Any PaaS / SaaS with the same structure keeps replicating the surface: the customer buys the service, deploys quickly, doesn’t touch defaults, and is exposed.

Source: https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion · https://cloudsecurityalliance.org/blog/2025/05/07/unpacking-the-2024-snowflake-data-breach

NIS2 Spain — draft bill in Congress, European sanction on the table

7 May. The European Commission sends a reasoned opinion to 19 Member States, Spain included, for not having notified the complete transposition of the NIS2 Directive. The deadline had expired on 17 October 2024. Member States have two months to respond before the next step — referral to the CJEU, with potential economic sanction.

The Spanish government approved in January the Anteproyecto de Ley de Coordinación y Gobernanza de la Ciberseguridad via urgent procedure. During May the text moves toward the Congress of Deputies but doesn’t yet enter formal parliamentary debate. Royal Decree 311/2022 of the ENS remains the de facto operational framework for public sector entities; the private sector operates with DORA (finance, already in application since 17 January) and with the European Cybersecurity Regulation (digital products sector).

The operational reading for CISOs in Spain is the one the January bulletin already marked: don’t wait for the national law to start the work. NIS2 obligations (registration as obliged subject, ICT risk management plan, incident notification in 24h significant / 72h substantial, supply chain risk management) are executable on the EU text. The Spanish law will add specific names of authorities, national sanctions and procedure, but won’t change the catalogue of controls to implement.

Source: https://digital-strategy.ec.europa.eu/en/policies/nis-transposition · https://www.cuatrecasas.com/es/spain/propiedad-intelectual/art/aprobado-anteproyecto-ley-transpone-la-directiva-nis2

M&S — slow recovery after the April attack

M&S keeps operating with ecommerce down since 25 April. On 21 May the site returns in read-only mode — customers can see inventory, can’t buy. Click & Collect orders remain unrestored. The company announces disruption may extend until July and revises annual expectations downward: ~£300 million profit impact, several operational quarters in the hole.

The vector — social engineering against the helpdesk for privileged credential reset, attributed to Scattered Spider / DragonForce — is covered in the April extra. What May adds is the measured cost of recovery: 46 days from the attack to restoring clothing orders, and much more for Click & Collect / nominated-day delivery. Co-op announces faster recovery but similar impact magnitude. Harrods contains the late-April attempt with no visible customer-facing disruption.

Cross-cutting operational reading: the cost of a tier-1 helpdesk compromise isn’t measured in the bug or in the Scattered Spider script — it’s measured in the time to recovery of ecommerce. For UK retailers with operational dependence on online ordering (M&S generates ~40% of clothing revenue through the online channel), a month and a half without digital sales translates into magnitudes that hit the rest of the fiscal year.

Source: https://corporate.marksandspencer.com/cyber-update

Patch Tuesday — five zero-days in May

Patch Tuesday — five zero-days in May

13 May. Microsoft publishes Patch Tuesday covering 71 CVEs. Five are being actively exploited:

  • CVE-2025-30400 — Use after free in Microsoft DWM Core Library. EoP to SYSTEM.
  • CVE-2025-30397 — RCE in Scripting Engine, type confusion. Remote without authentication.
  • CVE-2025-32701 — Use after free in Windows Common Log File System (CLFS). EoP to SYSTEM.
  • CVE-2025-32706 — Improper input validation in CLFS. EoP to SYSTEM.
  • CVE-2025-32709 — Use after free in Windows Ancillary Function Driver for WinSock. EoP to admin.

Two additional zero-days are published as known but not yet exploited. CLFS remains a hot category — two of May’s five zero-days, added to several CLFS zero-days from last year and 2023, leave the component as one of the year’s favourite targets. The driver loads in kernel mode, all Windows versions have it, and the bug surface has been producing in-the-wild exploited CVEs for years.

Source: https://www.tenable.com/blog/microsofts-may-2025-patch-tuesday-addresses-71-cves-cve-2025-32701-cve-2025-32706 · https://www.bleepingcomputer.com/news/microsoft/microsoft-may-2025-patch-tuesday-fixes-5-exploited-zero-days-72-flaws/

Rest of the month

  • Apple iOS 18.5 and macOS Sequoia 15.5 ship on 12 May with the usual patches. No zero-day exploited at release time according to the public changelog.
  • SAP NetWeaver CVE-2025-31324 (published late April, mass exploitation during May) — file upload without auth in metadata uploader. CVSS 10.0. CISA puts it in KEV on 29 April; during May Mandiant and Onapsis document active campaigns against exposed installations.
  • Ivanti EPM CVE-2025-22462 and others — Ivanti publishes advisory mid-May with four additional vulnerabilities in Endpoint Manager. Patch hygiene at Ivanti remains the year’s pattern, same as 2024.
  • OpenAI Operator updates with extended capabilities; no breaking news but visible progress on agentic UI.
  • Mistral Le Chat Enterprise announces improvements in EU AI Act compliance framework — provisional, no Code of Practice signature.

Pattern of the month

If I have to distil May into one sentence: the human vector returns to centre, now with numbers. Coinbase, Adidas and the DBIR balance show the same thing from three different angles — outsourcing of support and the supplier chain accumulate risk while internal controls look at the technical perimeter. When a support contractor has access to 70,000 complete customer records, the average bribery cost per contractor drops below the incentive of organised crime.

In parallel, AI security moves the conversation from model output to agent actions. Anthropic’s Claude 4 experiment puts the first serious benchmark of agentic misalignment with reproducible numbers. Any roadmap that in May 2025 said “more agentic, less human-in-the-loop” now has concrete data against. The regulatory equivalent — DORA in application since January, AI Act Art. 5 since February, NIS2 with a Commission reasoned opinion to Spain and 18 other states — pushes the European CISO to inventory and notify when the support contractor is compromised, not after.

June looks at Project Vend (Anthropic lets Claude operate a real vending machine for a month with real accounts), at the AWS re:Inforce finale, and at the first substantive rolloff of DORA measures for financial entities after the six-month initial adoption period.

Share:
Back to Blog

Related Posts

View All Posts »
Bulletin — May 2026

news · 13 min

Bulletin — May 2026

The Digital Omnibus reaches a provisional deal on 7 May: Annex III moves to December 2027. Spain approves its AI governance bill on 26 May. Pwn2Own Berlin pays out $1.3M for 47 zero-days, with Codex and Claude Code on the menu. Patch Tuesday ships with no zero-days for the first time since June 2024. OpenAI launches Daybreak and Anthropic moves Mythos toward GA. Verizon DBIR 2026 crowns vulnerability exploitation as the number-one vector. GitHub loses 3,800 internal repos to a poisoned VS Code extension.

· Manuel López Pérez

Bulletin — April 2026

news · 13 min

Bulletin — April 2026

The Omnibus trilogue closes without agreement on 28 April, leaving the original AI Act deadline three months away. Patch Tuesday with 165 CVEs and an active SharePoint zero-day. Anthropic announces Claude Mythos + Project Glasswing — the first frontier model held behind a defensive wall. Pwn2Own Berlin collapses under oversubscription. M&S one year on. AESIA publishes guides 13 and 14.

· Manuel López Pérez

Bulletin — March 2026

news · 17 min

Bulletin — March 2026

LiteLLM supply chain: TeamPCP compromised Trivy first to reach the PyPI credentials of the maintainer and ship litellm 1.82.7 / 1.82.8 with a 3-stage payload. nginx-ui MCPwn (CVE-2026-33032, CVSS 9.8) exploited in the wild. Patch Tuesday loud on AI: XBOW takes the month's CVSS 9.8. Mandiant M-Trends 2026 reports 22 seconds between initial access and ransomware. VMware Aria Operations in CISA KEV. NVIDIA GTC presents NemoClaw for agentic security. DORA first Register of Information with 31 March deadline.

· Manuel López Pérez