Cybersecurity Archives - Discerning Data

The Wallet Inspectors: The DPRK’s Sophisticated Campaign to Steal Cryptocurrency and How to Protect Yourself

On February 21, 2025, Bybit, one of the world’s largest cryptocurrency exchanges, suffered a cyberattack resulting in the theft of approximately $1.5 billion in Ethereum tokens. This attack marked a new pinnacle in the criminal efforts of cyber actors tied to the Democratic People’s Republic of Korea (“North Korea” or the “DPRK”). In recent years, these malicious actors have increasingly targeted the cryptocurrency industry, leveraging sophisticated tactics to steal and launder digital assets for the ultimate benefit of funding the North Korean government. These high-profile and high-dollar-value exploits underscore the ongoing risk from the DPRK cyber threat and the need for private sector actors to implement appropriate cybersecurity measures to combat these threats. The threat is particularly acute since most interactions with these actors raise the additional risk of committing a violation of U.S. sanctions, with corresponding civil and criminal legal exposure.

This blog post delves into the details of recent cybercriminal activity attributed to actors tied to North Korea, their impact on the cryptocurrency sector, and the steps organizations should consider to mitigate those risks.

Continue reading “The Wallet Inspectors: The DPRK’s Sophisticated Campaign to Steal Cryptocurrency and How to Protect Yourself”

Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services

Introduction

On January 23, 2025, PayPal settled an enforcement action brought by the New York State Department of Financial Services (NY DFS) for failing to comply with cybersecurity regulations required for financial services businesses under the Department’s supervision. The settlement, which included a $2 million fine and required remedial measures, arose out of a cybersecurity incident where hackers gained access to PayPal customers’ sensitive information contained on tax forms in PayPal’s systems. As discussed further below, the incident highlights the importance of implementing an effective cybersecurity program and ensuring that employees are adequately trained to follow the policy in practice.

Summary of the PayPal Enforcement Decision

The NY DFS sets standards for cybersecurity practices among financial institutions through cybersecurity regulations established at 23 NYCRR Part 500. These regulations require all DFS-regulated entities to establish and maintain a comprehensive cybersecurity program to protect consumers’ nonpublic information (NPI) and ensure the security of information systems.

Continue reading “Lessons from PayPal’s $2 Million Cybersecurity Settlement with the New York State Department of Financial Services”

Oh No, Canada! Takeaways from the Indictment of a Canadian National Allegedly Responsible for $65 Million DeFi Cryptocurrency Theft

On February 3, 2025, the U.S. Attorney’s Office for the Eastern District of New York (EDNY) unsealed an indictment against Andean Medjedovic, a 22-year-old Canadian national, for allegedly stealing approximately $65 million in cryptocurrency from two decentralized finance (DeFi) protocols, KyberSwap and Indexed Finance. Medjedovic is charged with wire fraud, violation of the Computer Fraud and Abuse Act (“CFAA”) for unauthorized damage to a protected computer, attempted Hobbs Act extortion, money laundering and money laundering conspiracy. This case highlights the growing risks and vulnerabilities in DeFi platforms, which remain attractive targets for sophisticated cybercriminals.

Understanding the Alleged Scheme

DeFi platforms like KyberSwap and Indexed Finance operate on blockchain networks and use “smart contracts” to manage user transactions. These smart contracts facilitate automated cryptocurrency exchanges by maintaining liquidity pools, which are funded by investors. The indictment alleges that Medjedovic, a Canadian national, manipulated these smart contracts to drain funds from these pools, defrauding investors in the process through two different exploits.

Continue reading “Oh No, Canada! Takeaways from the Indictment of a Canadian National Allegedly Responsible for $65 Million DeFi Cryptocurrency Theft”

The UK Cyber Security and Resilience Bill

Background

The UK government has recently announced that it plans to introduce a Cyber Security and Resilience Bill (Bill). The Bill seeks to update the 2018 Network and Information Security Regulations, which implemented the European Union (EU) NIS 1 Directive when the UK was a member of the EU.

A key driver behind the UK government’s plans is a desire to stay broadly aligned with evolving EU legislation, particularly with the significant expansion in scope of the new EU NIS 2 Directive. Once presented to Parliament, the Bill could become law by early 2026.

Continue reading “The UK Cyber Security and Resilience Bill”

Countries Poised to Adopt New Cybersecurity Measures After UN Adopts Major Cybercrime Convention

On August 7, 2024, after three years of negotiation, the United Nation’s Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes unanimously adopted the Convention Against Cybercrime. The Convention now goes to the General Assembly, where it is expected to be adopted. If ratified by 40 member states, the Convention will enter into force.

Continue reading “Countries Poised to Adopt New Cybersecurity Measures After UN Adopts Major Cybercrime Convention”

UK and US Announce Partnership on Science of AI Safety

On 1 April 2024, the UK and US signed a memorandum of understanding on the science of AI safety. This partnership is the first of its kind and will see the two countries work together to assess risks and develop safety tests for the most advanced AI models.

Following their announcement of cooperation at the AI Safety Summit in Bletchley Park last November, the UK and US have formally agreed to align their scientific approaches to AI safety testing, with plans to perform at least one joint testing exercise on a publicly accessible model. The partnership will take effect immediately and will see the two countries work together to tackle the safety risks posed by next-generation versions of AI. The agreement will facilitate collaboration between the UK AI Safety Institute (formed last November) and the US AI Safety Institute (which is still in its initial stages) and will include the sharing of vital information and research on the capabilities and risks associated with AI systems, together with the exchange of expertise through researcher secondments between the institutes.

Continue reading “UK and US Announce Partnership on Science of AI Safety”

DISCERNING DATA

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy

Category: Cybersecurity