Protecting the World’s Largest Crypto Exchanges & Financial Institutions 🛡️ Stay Secure and Turn your FearsOff 🛡️

Joined October 2014
FearsOff Cybersecurity retweeted
May was another busy month in cybersecurity. The latest edition of CyberWarfare Chronicles is live and it highlights some of the most notable cyber incidents and developments from across the globe.
4 Security Controls VASPs Can't Skip

Skip any one and you're not running lean, you're running exposed.

🔑 1. Key management and access control: No single person or machine should move funds alone. Resolv lost $23M when one compromised signing key minted 80 million unbacked tokens, with nothing in the system to catch it. Single points of failure don't announce themselves. They cost you everything at once.

🌐 2. Treat off-chain infrastructure as part of the protocol: Your nodes, oracles, CI/CD, admin dashboards. Kelp lost $292M when attackers compromised two RPC nodes and DDoSed the honest ones, forcing a failover to poisoned verifiers. The smart contract worked perfectly. Everything around it didn't.

🔍 3. Continuous testing, not a launch-day checkmark: Treat a pentest like your quarterly financial audit: not optional, not a debate, just what serious operations do. Shipped a feature, added an integration, onboarded people with new access? Your attack surface moved. One audit at launch tells you almost nothing six months later. The checkmark is the trap.

🚨 4. Rehearse your incident response. The one everyone skips: A team that has drilled the bad day moves in minutes. A team that hasn't loses hours arguing about roles while the funds walk out the door. A plan no one has run under pressure is a document, not a defense.

The pattern across every number above: the code held. The people, keys, and processes around it didn't.

Most teams have one or two of these covered. Almost nobody has all four.

Which one is your blind spot? That's usually the one that gets you.

#Web3Security #VASP #DeFi #IncidentResponse #Pentesting
Most crypto exchanges don't get breached through the door they're guarding. They get breached through something they trusted and stopped looking at.

Bybit lost 1.5B. Its own infrastructure was clean. The compromise lived in the Safe signing interface its team trusted, and the signers approved what they couldn't actually read.

Kelp DAO lost 292M. No zero-day in the protocol. A single bridge verifier everyone assumed was safe got fed a forged message.

Different organizations. Different architectures. Same blind spot. The weakness wasn't hidden. It was just trusted.

That's what most teams get backwards. The danger usually isn't an exotic zero-day. It's the boring stuff sitting in plain sight:

🔑 API keys that should have been rotated months ago
👤 Third-party vendors with privileged access
🚪 Former employees whose access still works
🚨 Critical alerts buried under thousands of others
🖥️ Infrastructure nobody has reviewed since deployment

None of these are sophisticated. All of them are exploitable. And most were sitting there long before anyone noticed.

The hard part of security isn't stopping the attack. It's finding the weakness before someone else decides to monetize it.

"Nothing's happened yet" isn't evidence you're secure. It's the assumption attackers are counting on.

Not sure where your real exposure sits? That's worth a conversation. DM me.

👇 What's the most underestimated security gap in crypto right now?

#CryptoSecurity #Web3Security #OffensiveSecurity #RedTeaming #VASP
For almost four years, a flaw sat inside the math protecting Zcash's most private transactions. No hack. No breached exchange. Just an under-constrained check in a zero-knowledge circuit that the entire network trusted to be sound.

Here's what happened.

On May 29, security researcher Taylor Hornby, auditing the protocol for Shielded Labs, found a soundness bug in the Orchard proof circuit. Soundness is the property that the system only accepts what is genuinely valid. Break it, and the network starts certifying invalid state as truth.

The flaw could have let an attacker forge valid-looking proofs and create counterfeit ZEC inside the shielded Orchard pool. Not by stealing keys. By exploiting the cryptography itself.

Hornby didn't just spot it. With an AI model assisting, he wrote a full working exploit and minted fake ZEC in a test environment.

The response was fast and quiet. Developers coordinated privately with miners and exchanges. An emergency soft fork froze the Orchard pool. The NU6.2 hard fork then re-enabled it with the corrected circuit. The Zcash Foundation confirmed no evidence of exploitation, and the network's turnstile mechanism proved the total supply was never inflated.

Two things stand out.

The bug had been live since Orchard launched in 2022. Four years inside production cryptography before anyone caught it. And it took an AI-assisted audit to find it.

Zero-knowledge proofs are being wired into everything right now. Rollups. Privacy layers. Identity systems. Bridges. A soundness flaw there doesn't break one feature. It breaks the mathematical guarantee the whole system stands on.

Most teams audit their smart contracts. Far fewer independently review the cryptographic layer underneath them.

When was the last time yours was?

#Zcash #ZeroKnowledge #CryptoSecurity #FearsOff #Web3Security #BlockchainSecurity
Your AI assistant just became the attacker.

Last week, attackers didn't breach Meta's servers or crack a single password. They just asked nicely.

A flaw in Instagram's Meta AI recovery assistant let them talk the chatbot into forwarding password reset codes — no identity check needed. Know a target's username? You could take the account. High-value handles were hijacked and resold within hours.

Meta's line: "No breach of our systems." Technically true — and exactly the point.

This is a textbook confused deputy: an AI holding password-reset access that no normal user gets, doing precisely what it was built to do, for the wrong person.

We keep handing AI agents production permissions and calling it innovation. But an AI with API access and no verification layer isn't a tool. It's an unsupervised privileged account that talks back.

Before you ship AI into sensitive workflows, ask: what happens when someone asks it to do the wrong thing — politely?

🔐 At FearsOff, that's part of the work: finding the trust assumptions nobody wrote down, before someone else does.

#CyberSecurity #AISecurity #PromptInjection #InfoSec
The Code Wasn't the Target.

Bybit. Kelp. Drift. Resolv. Every single contract ran exactly as designed. No bugs. No broken logic. No failed audits.

The smart contracts just trusted bad inputs — and that's what cost the industry billions.

Four years ago most attacks were in the code. The industry responded. Poured money into audits. The code genuinely got harder to break.

So attackers didn't try to break it. They went around it. Down into the RPC nodes. The private keys. The verifiers. The admin with access who got a perfectly worded message from someone who sounded exactly like his CEO.

The contracts were never the target. The humans and infrastructure behind them were.

And while the industry was celebrating clean audit reports — North Korea was running a production line. Two billion dollars stolen last year alone.

If your entire security strategy is built around auditing the contract — you're defending the wrong door.

The attack already moved. Did your defense?

💬 Where is your security budget going right now? Drop it below.
📩 DM us to get your attack surface mapped.

#CryptoSecurity #Hacking #Web3
AI isn't just a tool for defenders anymore - it's becoming a core part of the offensive playbook.

Threat actors are now using AI across the entire attack lifecycle, from recon to execution, compressing work that once took experts weeks into minutes - and chaining those steps together with unprecedented speed and scale.

Here's a realistic breakdown of how AI augments multi-stage attacks:

1. Automated Reconnaissance
What used to take hours of manual scanning now happens in seconds. Generative models map an organization's exposed assets, services, and tech stack, summarizing complex infrastructure data far faster than any human team.

2. Tool Identification & Selection
AI weighs thousands of options - obfuscation frameworks, remote access kits, and more - against the specifics of a target, turning hours of manual analysis into instant recommendations.

3. Phishing & Social Engineering at Scale
Generative models craft highly convincing lures tailored to a target's industry, role, and context - dramatically raising success rates while scaling to volumes no human team could match.

4. Payload Creation & Exploit Scripting
AI generates, debugs, and refines exploit code, adapting scripts on the fly to slip past defensive controls - a task once reserved for skilled developers.

5. Sequential Attack Chaining
This is where it gets serious. AI agents orchestrate multi-stage workflows - recon → exploit → persistence → lateral movement - planning and adapting the sequence based on real-time feedback to create automated attack chains.

6. Post-Compromise Automation
Data summarization, exfiltration scripts, and even privilege-escalation logic can be generated and executed with minimal human direction, turning what used to be a multi-person effort into a single automated workflow.

Why this matters
AI lowers the technical barrier for sophisticated attacks and accelerates every phase of the chain. The old assumption - that complex attacks require equally complex human effort - no longer holds. The heavy lifting is increasingly automated.

👇 Would your current threat detection catch an AI-generated multi-stage attack before the damage is done?
There’s a subtle psychological trap that breaks more defenses than any exploit ever has:

👉 The False Confidence Feedback Loop.

Here’s how it works: Security teams train, test, patch, and monitor. Alerts come in. Incidents are contained. Nothing major happens. So the team’s confidence rises.

But here’s the problem: That confidence is built on what didn’t happen, not what could happen.

This leads to three dangerous thinking patterns:

1. Success‑Bias Reinterpretation
If the team stopped a threat once, they assume they’ll stop it again — even when the threat has evolved.

2. Overfitting to Past Incidents
Security is tuned to last year’s attack patterns — not tomorrow’s.

3. “We’ve Never Been Hit” Delusion
Lack of breach == safe. That’s not security — that’s luck.

The loop goes like this:
🚫 No major incident
📈 Confidence rises
🔁 Measures don’t adapt
⚠️ New threat hits harder

This isn’t ignorance. It’s feedback misinterpretation. Teams are rewarded for no incidents, not for preparedness. So they optimize toward what has already worked, not what might fail next.

In other words: Security success isn’t evidence of strength — it’s just absence of failure. And absence of failure is a poor metric for real security.

So here’s the real question: Are your defenses truly adaptive… Or are they just repeating yesterday’s wins?

👇 What form of false confidence do you see most often in security teams?
FearsOff Cybersecurity retweeted
🎤 Speaker Announcement

We're proud to welcome Marwan Hachem, CEO, FearsOff, as a featured speaker at MENA Blockchain Week 2026.

Marwan Hachem
CEO, FearsOff | Cybersecurity Visionary | Ethical Hacker

Marwan leads FearsOff, securing leading crypto exchanges, networks, and fintech platforms across Web2 and Web3. He specializes in vulnerability research and supports government CERTs and national cyber resilience efforts.

@FearsOff ready for powerful insights, real-world strategies, and forward-thinking perspectives shaping the future of Blockchain in MENA.

One City. One Week. One Nation.
🔥 40 events. 5,000 attendees. 100 speakers.
📍 Dubai | May 18 – May 24, 2026
🎟️ Register → luma.com/MENABCW
🌐 menablockchainweek.ae

#MENABCW #ProudOfUAE #Dubai
Not every attack starts with malware. Some of the most damaging fintech attacks don’t break systems. They use them.

Here are 5 tools quietly reshaping the threat landscape:

1. API Abuse Automation
Scripts target exposed or weak APIs to automate fraud, manipulate payment flows, and extract data. The API is the attack surface.

2. Session Hijacking Kits
Steal active sessions and bypass MFA entirely. No password. No exploit. Just access.

3. Transaction Simulators
Test payment and withdrawal flows for business logic flaws before real exploitation. This is how systems get gamed.

4. Wallet Drainers
Trigger malicious approvals and instantly move assets. Fast. Silent. Common in crypto attacks.

5. AI Phishing Engines
Personalized phishing at scale. Smarter messages. Better timing. Higher success.

The biggest shift in fintech security? Attacks are moving away from breaking systems… and toward abusing workflows. That makes them harder to detect - and even harder to stop.

Which one do you think is the biggest risk right now? 👇
April was anything but quiet. From emerging cyber threats to shifting global tactics, our latest CyberWarfare Chronicles breaks down what mattered most - and what’s coming next. Swipe through for the April 2026 recap.