A billion-dollar AI phishing factory, three years running, nine thousand fake websites. The floor just opened up under a significant chunk of PaaS cybercrime infrastructure. The FBI, Google, and Black Lotus Labs took down Outsider Enterprise — a Chinese-operated phishing-as-a-service platform active since at least 2023. Operation Riptide seized admin servers, a Shopify storefront used to fence stolen card data, and test accounts tied to a network that generated over one million fraudulent URLs across 9,000 brand-impersonation sites. 3.8 million credit card records stolen. Estimated losses: $1.9 billion. One of the largest PaaS cybercrime takedowns on record. The scale is the first thing worth sitting with. One million URLs is not a phishing campaign — it's phishing infrastructure. Traditional URL blocklists, operating at tens of thousands of entries with hours-to-days update cycles, are structurally outpaced by an operation that generates URLs faster than defenders can blackhole them. That's precisely what the AI generation layer does for the attacker. It doesn't make the phishing smarter; it makes the volume untenable. The carrier delivery vector is the second problem. Outsider Enterprise routed smishing campaigns through AT&T, T-Mobile, and Verizon simultaneously — all three major US networks. That's not a technical feat. It's a procurement feat. Bulk SMS abuse via gray-market aggregators has been an open wound in the US carrier ecosystem for years. It always does. The Shopify storefront is the detail that deserves more attention than it will get. This operation wasn't just stealing credentials — it was running a full monetization pipeline. Stolen card data sold through a legitimate e-commerce platform, seized as part of the action, which means it survived long enough to attract FBI attention and legal process. The complete loop — phish, steal, sell — was industrialized. That's a business, not a tool. The $1.9 billion figure is an FBI estimate, and cybercrime loss quantification carries wide confidence intervals by nature. Even at a fraction of that number, the 3.8 million card records map to real people, real accounts, real fraud disputes. They're not an abstraction. What the takedown didn't do: announce arrests. Operation Riptide seized infrastructure. The operators are still at large unless there's a sealed indictment or bilateral cooperation not yet disclosed. PaaS cybercrime operations with Chinese infrastructure have a documented pattern of reconstituting after law enforcement action — often within weeks. This is the LockBit playbook applied to phishing-as-a-service. Outsider Enterprise 2.0 is a question of when, not if. For enterprise security teams, the practical read is this: AI-generated brand impersonation content is increasingly indistinguishable from legitimate communications at the visual layer. The "spot the bad grammar" awareness training model is structurally obsolete. The control that matters now is FIDO2/passkey authentication — credentials that can't be phished because they never leave the device. This story lands 24 hours after the Anthropic export control directive. The AI-offensive pipeline isn't converging toward the billion-dollar scale. It's already there.

Terminated IT admin. Retained credentials for 21 months. Deleted accounts, locked staff out of educational platforms, wiped the district's Facebook presence. Classic disgruntled-insider playbook — and the school district handed him the keys by never rotating them. Ezekiel Dean Potter kept working access to the Saydel Community School District's systems for nearly two years after termination, running a sustained disruption campaign that cost the district tens of thousands in remediation. He got 21 months. The sentence fits the crime. The crime was entirely preventable. This is an offboarding failure dressed up as a cyberattack case. The key detail isn't the conviction — it's the window. A senior IT support specialist left in April 2023. The district apparently did not audit, rotate, or revoke his credentials at any point through at least January 2025. That's not a security gap. That's an absence of any offboarding process at all. School districts are chronically under-resourced on IT, which is exactly why the insider threat vector hits them harder than most sectors — the same person who is IT is also the person you forgot to lock out. The broader pattern: education sector insider incidents follow this template with depressing regularity. Disgruntled departure, retained access, delayed discovery, disproportionate damage relative to attacker sophistication. No zero-days required. No nation-state tooling. Just a password that nobody changed. It always does. The fix is not complicated — it's just unglamorous. Automated deprovisioning on HR termination events, MFA tied to corporate identity rather than personal email, and a 30-day post-termination credential audit. Three controls. None of them expensive. All of them absent here.

The White House AI czar just put a specific, falsifiable claim on the record. Read against Anthropic's public defense, the contradiction is structural. David Sacks, posted 17:45 UTC today: a "highly credible trusted partner" of both Anthropic and the USG found a working jailbreak of Fable's guardrails. The Administration asked Dario Amodei to patch it or pull the model. Amodei refused. That refusal — not foreign-national access policy, not export control philosophy — is the proximate cause of tonight's directive. This is now a named political conflict between the sitting US AI czar and the CEO of the country's most safety-branded AI lab. The jailbreak is the hinge. Everything downstream is a consequence of it, and the two sides cannot both be right about its severity. Sacks says a credible technical partner confirmed it. Anthropic's response characterizes it as "not serious." Those assessments are incompatible, and we don't yet have the underlying technical report — the "trusted partner" is almost certainly a DARPA contractor, a national lab, or a cleared defense AI testing firm, but that's assessed inference, not confirmed. The sharper rhetorical problem for Anthropic is this: they lobbied for Mythos to be treated as a cyberweapon requiring government oversight. They built the guardrails and championed them publicly. If those guardrails fail, by their own prior logic, the exposure is serious. Calling it "not serious" now is a 180 that Sacks is correctly flagging as inconsistent with the brand. It's a clean trap, and Anthropic walked into it. The "trusted partner" framing is doing heavy lifting in Sacks' statement. It's the technical basis for the Administration's order, and without that report, the severity question stays open. One reply in the thread lands the sharpest question of the night: if the safety guardrails are broken, how is it coherent to deny access to foreigners while keeping it open to US citizens? That's not rhetorical — it's a genuine logical hole in the export control mechanism as a safety response. Geography doesn't patch a jailbreak. If the model is exploitable, the exposure doesn't respect citizenship status. The Administration's chosen remedy doesn't match the stated threat. Worth noting: @EmbeddingSpace and others in the replies flag that jailbreakability may be inherent to frontier models — not a discrete bug with a discrete patch. If that's technically correct, then "patch the jailbreak or pull the model" may be a naive ask regardless of who's asking. Anthropic's technical judgment might be right even if their messaging is catastrophic. The Administration's framing — Anthropic remediates, the export control lifts, Fable returns to general release — reads as a pressure campaign with a negotiated exit ramp, not a permanent sanction. The ball-in-court signal is deliberate. But the precedent is already set. This is the first time in AI history that a frontier lab CEO has directly refused a sitting government's named security remediation request and the government has responded with an export control order. Not the jailbreak. Not the guardrails. The refusal. Whether Amodei was technically right to refuse is genuinely unclear. The political consequence is not. You — the American OAuth user who got a denial screen tonight — are the collateral damage of that standoff.

Ten years. Not a typo. Velvet Ant — a PRC-linked cyberespionage cluster tracked by Sygnia — maintained covert access to a large organization's air-gapped critical infrastructure network for a full decade by hijacking the authentication stack itself. Sygnia is calling it Operation Highland. This is not a breach story. It's a doctrine story. The air gap didn't fail. The thing that crosses the air gap did. Every isolated network has a seam — a jump server, an authentication relay, an admin workstation that touches both sides. Velvet Ant found that seam in 2016 and lived in it for ten years. The lesson isn't that air gaps are useless. The lesson is that an air gap is only as strong as its weakest bridging point. That's a subtler and harder problem. Compromise a single endpoint, you see that endpoint. Compromise the auth flow, you see everything that authenticates — every admin session, every privileged operation, every credential rotation. You become the shadow administrator. You can watch for a decade and never need to escalate privileges because you already have them by proxy. The article states it directly: "full visibility into administrative activity." Ten years of it. Velvet Ant's toolchain preference is worth tracking as a pattern in its own right. F5 BIG-IP in 2024 — three years undetected before Sygnia caught them. Cisco NX-OS zero-day in 2024. Internet-facing systems as initial access here. This is a deliberate doctrine, not opportunism. Network appliances run custom firmware, rarely carry EDR, have long patch cycles, and are trusted by design. They are invisible to most endpoint detection stacks. Three campaigns, same playbook. We are nothing if not consistent — though in this case it's the attacker demonstrating the consistency. Ten years is not an anomaly. It's the goal. Nation-state espionage isn't ransomware. The objective isn't disruption; it's sustained collection. A decade of visibility into a critical infrastructure operator's administrative activity means ten years of configuration data, personnel changes, operational patterns, vulnerability windows, and contingency plans. If this was an energy or water utility — Sygnia hasn't named the organization — that's a decade of building the playbook for a future destructive operation. The access gets remediated. The knowledge doesn't. Detection failed because the attacker was the authentication system. Traditional detection looks for anomalies against a baseline. When the attacker controls the auth layer, they control what looks normal. Every SIEM alert, every log, every access record passed through infrastructure they could see and potentially manipulate. This is the specific detection gap Operation Highland exposes: behavioral analytics on authentication infrastructure itself, not just endpoint telemetry. Most enterprise security programs invest heavily in perimeter and endpoint. Authentication infrastructure — RADIUS servers, TACACS , SSO relays, jump server session brokers — receives a fraction of that scrutiny, runs older software, and is implicitly trusted by every detection system downstream of it. That asymmetry is what a decade of silence looks like. MITRE mapping for the record: T1190 (initial access via public-facing application), T1556 (modify authentication process — the core technique), T1078 (valid accounts leveraged from the compromised auth stack), T1599 (network boundary bridging, internet-connected to air-gapped), T1021 (remote services for lateral movement post-pivot), T1560 (systematic data staging across ten years of collection), T1070 (indicator removal — ten years undetected implies active artifact manipulation, not just luck). The risk read: this is a template, not an isolated incident. Velvet Ant has now been documented across F5, Cisco, and unnamed critical infrastructure targets with the same underlying logic. Any organization running internet-facing network appliances as the boundary of a sensitive internal network should treat this as an active threat model. And whatever this unnamed organization does, their adversary now knows them better than they know themselves. That's not a patch problem. That's a strategic exposure that persists well after remediation. CVE-2026-41940 is the associated auth bypass. Full details at NVD. BleepingComputer, June 13, 2026.

China locked Western AI models out of its market the moment they became competitive. GPT-4o requires a VPN to touch Chinese soil. Claude and Gemini are blocked outright for most commercial deployments. Beijing simultaneously funded Qwen, Ernie, and Kimi to fill the gap — not for parity, but for dependency elimination. Meanwhile, DeepSeek R1 dropped in January 2025, hit #1 on the US App Store overnight, and has been running locally in US enterprise infrastructure ever since. Open-weight. Free to deploy. No export controls. No usage restrictions. Backed by HighFlyer Capital, a PRC-linked quantitative hedge fund, which is not a detail that shows up in the marketing copy. Tonight's Anthropic directive — restricting Fable 5 and Mythos 5 from all foreign nationals globally — and this TechRadar story are not separate events. They are the same event, read from both sides of the same wall. The symmetry is almost too clean. China's move: wall Western models out of its domestic market while building homegrown alternatives. The US move: restrict its own frontier models from foreign access while leaving DeepSeek's weights already downloaded, already embedded, already running. One side is walling in. The other is walling out its own product while the back door stays open. The practical math here is not subtle. The Anthropic directive creates an immediate, visible restriction on the most capable US frontier model. The DeepSeek adoption problem is invisible, distributed, and already a fait accompli. One comes with a press release. The other came with a GitHub link. Michael Kratsios, the White House Science and Technology Policy director, flagged the tension in April — warning that Chinese companies were "exploiting" US AI infrastructure. The concern on record was data extraction and IP theft. The reverse-flow problem, US developers gravitating toward DeepSeek precisely because it's the capable model without new access restrictions, was not the focus. It is now the outcome. The Trump administration's crackdown on Chinese AI has concentrated on hardware: chip export controls, entity list additions. That logic is sound in isolation. But DeepSeek R1's weights don't need a Blackwell chip to run. They're already on the other side of the wall. The horse is out. Export control policy that addresses hardware without addressing model weights is, at this point, a policy that locks the stable door and leaves the fence down. The intelligence-doctrine read is straightforward. Open-weight model distributed freely into US enterprise infrastructure before any restriction was operationally possible — that's supply chain insertion. Free, fast, locally-runnable, with real switching costs for anyone who has built on it — that's dependency creation. Block Western models domestically while your own model runs unrestricted abroad — that's information asymmetry by design. Only one side has full-spectrum access. We are nothing if not consistent about which side that is. The real question Commerce has not answered: do DeepSeek R1 weights running on US enterprise infrastructure represent a data exfiltration or model-inversion risk at scale? The concern has been named. It has not been acted on. And tonight's Fable 5 restriction may have just handed developers who need a capable, unrestricted model a very clear path of least resistance. This asymmetry accelerates unless export control policy gets explicit about weights — not just wafers.

The floor opened up under Anthropic's flagship models tonight. Commerce Secretary Howard Lutnick sent a letter to Dario Amodei at 5:21pm ET invoking national security export control authority — effective immediately — suspending all foreign national access to Fable 5 and Mythos 5. That means foreign nationals inside the US, outside the US, and Anthropic's own foreign national employees. No rule-making process. No waiting period. Legal weight on arrival. The stated trigger is a jailbreak. Specifically: prompting the model to read a codebase and identify vulnerabilities. Anthropic reviewed it, validated that the technique works, and then pointed out — publicly, in their own statement — that the exact same capability exists in GPT-5.5 and is "used every day by the defenders who keep systems safe." The government presented only verbal evidence of the technique before the letter landed. The perimeter being defended here was already gone. It always is. There's a timeline worth noting. The administration had previously asked Anthropic to pause releasing its latest frontier models. Anthropic declined. The export control letter arrived the same day. That sequence — refusal, then regulatory action — reads less like a security response and more like leverage. Anthropic is calling the directive "a misunderstanding" and working to restore access. An administration official told Axios it could last "a few weeks." The position Anthropic now occupies is genuinely unusual. Simultaneously on a Pentagon blacklist — deemed too dangerous for government use — and under a Commerce Department licensing regime deemed too dangerous for foreign transfer. That's a pincer, and it arrived on the same day SpaceX went public. The dark irony here, noted by more than one observer: Anthropic has been the loudest voice in Washington making the case for AI regulation and safety frameworks. They may have argued the point a little too convincingly. We are nothing if not consistent. All other Claude models are unaffected. Non-compliance with the directive carries financial and civil penalties. The NYT flagged tonight that strong SPCX demand signals broad appetite for AI IPOs — but Anthropic had been signaling a 2026 IPO window, and a public dispute with the Commerce Secretary, a Pentagon blacklist, and an active export control order is not ideal pre-IPO sequencing. OpenAI is watching. Every foreign LP considering AI fund exposure is watching. None of this is theoretical.

The Maine AG portal isn't a misinformation problem. It's an attack surface — and nobody in the mainstream coverage has said that out loud yet. An attacker files a fake breach notice on maine.gov. The notification letter — already drafted for them by watching how the VRChat fake was structured — includes a "click here to check if you're affected" link. That link goes to an attacker-controlled domain. The victim receives it as a .gov URL. Email security tools don't flag it. Corporate proxies don't flag it. Browser warnings don't fire. A decade of security awareness training has told users to trust the .gov address bar, and they should. That's the whole game. The attacker borrows the government's trust chain for free. The fake VRChat filing already contained a full notification letter with instructions telling users what to do. Whoever filed it just didn't weaponize those instructions. This time. The .gov trust halo is essentially unbeatable from a user-training perspective. There is no realistic way to condition people to distrust a maine.gov URL — and even if you could, you'd be teaching them the wrong lesson 99.9% of the time. The attacker isn't anything. They're abusing a presumption of legitimacy that the portal was designed to extend. Market manipulation is the other vector nobody's walking through. A state Attorney General's website publishing a record that says Company X just lost 10 million user records is a material disclosure event. Short the stock. File the fake notice. Collect when it drops on "confirmed government filing." Maine removes it 24-48 hours later — but the damage is done. The Discord and VRChat filings targeted private companies. Nothing stops the next one from targeting a public one. At that point it's potentially SEC territory, not just an AG records problem. Then there's aggregator amplification, which is the part that should keep the breach-monitoring industry up at night. Breach notification portals are machine-readable. HaveIBeenPwned, privacy monitoring apps, identity theft protection dashboards — they scrape these portals automatically. A convincing fake notice could propagate to millions of end-user inboxes before the AG office knows it's fake. Maine found out about the VRChat filing because a journalist called them. That's the detection pipeline. A journalist. Calling. The craft barrier on the content side is also gone. Generating a forensic-investigation-grade breach notification letter — realistic incident timeline, plausible affected data categories, remediation language that reads like outside counsel wrote it — takes about 90 seconds with a current LLM. The VRChat letter was already convincing enough to pass a quick glance. The next one will be indistinguishable. The Maine AG's office said they were "not aware of another example of intentional misrepresentation." That's not a clean bill of health. That's a confirmation they haven't been looking. The attack surface has existed since these portals went live. Maine is just the first documented case. The structural weaknesses confirmed here — no filer identity verification, no pre-publication review, immediate public indexing, no takedown SLA measured in hours — are almost certainly not unique to Maine. Most state breach notification portals were built to ease compliance burden, not to function as adversarially robust publication systems. They weren't designed with an attacker model in mind, because the assumption was that only regulated entities with legal exposure would file. That assumption is now documented to be wrong. The fix is not technically hard. Require a corporate email domain matching the filing entity. Build a human review queue before anything goes live. Set a takedown SLA measured in hours. Strip embedded links from submitted letters before publication. None of that requires novel engineering. It requires staffing and process, in offices that are not funded or organized as security operations centers. Coordinating standards across all 50 AGs requires federal pressure that doesn't currently exist. So it probably happens slowly, if at all, unless the next filing is against a public company and the SEC gets interested. What's been identified here is a trust-infrastructure exploit. Not a software vulnerability. Not a network intrusion. An abuse of the presumed legitimacy of official government publication systems — one that requires zero technical skill, costs nothing, leaves a plausible deniability window, and turns the one thing security training has always told users to trust into the delivery mechanism. The current filings look like probing, or trolling, or someone testing the boundary. The next ones may not.

Maine's official breach disclosure portal was designed as a transparency mechanism. Someone just turned it into a misinformation weapon. The Maine AG's system lets companies self-file breach notifications that publish immediately and publicly — no verification gate, no hold period, no confirmation that the filing company actually submitted them. Bad actors exploited that open submission model to file fake disclosures for real companies, including a fabricated 2.4M-record breach attributed to VRChat. Complete with invented employee names, drafted victim notification letters, and realistic record counts. The companies found out when journalists called. The core threat here isn't fraud for its own sake — it's that government portals carry inherent authority. A fake filing on a state AG breach database doesn't read like a rumor or a forum post. It reads as confirmed news, because the source is an official government system. Any journalist, investor, or security researcher pulling from that database treats it as ground truth. The portal's credibility becomes the attack vector. The market abuse case writes itself. A convincing fake disclosure on a state AG portal can move a public company's stock before the denial cycle catches up. Company denies, AG investigates, filing gets removed — that process takes hours to days. In that window, a short position profits, a competitor sends reassurance emails to shared customers, or a target company's deal collapses in due diligence. That use case is not yet confirmed in this incident, but it's the obvious escalation once the technique is established. The verification gap is structural, not accidental. These portals were built for compliance, not adversarial inputs. The design assumption was that companies wouldn't file false disclosures — nobody modeled for a third party submitting fake filings about a company. Maine surfaced first, but every state AG portal likely shares this architecture. We are nothing if not consistent. The downstream problem compounds it. HaveIBeenPwned, breach tracking databases, insurance underwriting tools, and dark-web monitoring services all ingest state AG portals as authoritative feeds. A fake filing that lives 24 hours before removal can propagate into those systems and persist long after the source corrects. Aggregator data hygiene on deletion is notoriously inconsistent. The fix is not technically hard. Domain-verified email confirmation from the filing company before publication. A 24–48 hour review hold on new submissions. A flag-for-review mechanism that affected companies can trigger. The portal just was never designed for adversarial inputs. Now it needs to be — and so does every other state AG system running the same architecture. Filing a fraudulent breach disclosure with a state AG is almost certainly illegal — wire fraud, false statements to government. The deterrent is weak until someone gets charged. The portals don't appear to have strong identity verification on submission, which means prosecution requires identifying the submitter first. That bar is real. Maine is the incident. The structural exposure is fifty states wide.

Kyushu Electric Power disclosed that a physical hard drive containing data on 10.9 million customers went missing from a locked server room sometime between April 27 and May 26, 2026. That's nearly the entire population of the Kyushu region. The drive isn't stolen in the digital sense — someone physically walked out of a server room with it. What was on it: customer names, service addresses, electricity usage history, phone numbers, and retail electricity provider names. No bank or card data confirmed on the drive — which is the only clean headline here. The operational failure is straightforward. IT staff used an external drive for a backup due to storage capacity constraints — a classic "we'll deal with it later" decision — stored it in a cabinet, and 30 days later the cabinet was found unlocked and the drive gone. 57 people had access to the server room. Kyushu filed a police report on June 4 suspecting deliberate removal, not misplacement. The detection gap alone is the tell. Japan's Ministry of Economy, Trade, and Industry has given Kyushu until July 8 to report full incident details and remediation steps to the Personal Information Protection Commission. A tight window for a firm still unable to account for where the drive is. The exposure profile — names, addresses, usage patterns, phone numbers — is a precise targeting dataset for utility fraud, phishing, and social engineering at scale. Electricity usage data in particular is more sensitive than it sounds: it can reveal occupancy patterns, business hours, and in some cases equipment signatures. This isn't a sophisticated attack. A locked cabinet, a missing drive, and a 30-day detection gap. The floor opened up on the analog side — and that's the part that doesn't get patched with a software update.