Daily Signal Note: State Revenue Infrastructure | Identity Drift | Enforcement Asymmetry
CybersecurityHQ | CISO Cyber Briefing Note

Welcome reader, here’s today’s Cyber Briefing Note.
CybersecurityHQ exists to issue and preserve external cyber judgment.
Each briefing establishes a dated, bounded position on enterprise security failure patterns intended for reliance under executive, audit, and regulatory scrutiny.
This is not news reaction, advisory opinion, or consensus analysis.
Signal 1: North Korea crypto theft hits $2.02B in 2025
DPRK-linked hackers stole $2.02 billion in cryptocurrency in 2025, up 51% year-over-year. The Bybit exchange breach in February accounted for $1.5 billion. Total global crypto theft reached $3.4 billion. North Korea now accounts for 76% of all service-level compromises. Laundering follows a 45-day cycle using Chinese-language money services and cross-chain bridges. Crypto exchanges are now functioning as unsanctioned state revenue infrastructure operating outside traditional financial controls.
Signal 2: Fortinet confirms active exploitation of five-year-old 2FA bypass
Fortinet disclosed observed abuse of FG-IR-19-283 (CVE-2020-12812) on December 24, 2025. The flaw allows SSL VPN users to bypass FortiToken by changing username case in specific LDAP configurations. Patched in July 2020. Exploitation requires local 2FA users linked to LDAP groups used in authentication policies. Identity policy drift across five years of configuration changes created latent breach conditions that outlived the patch itself.
Signal 3: INTERPOL Operation Sentinel arrests 574 across 19 African countries
Operation Sentinel ran October 27 to November 27, 2025. Authorities recovered $3 million, took down 6,000 malicious links, and decrypted six ransomware variants. Investigated cases tied to $21 million in estimated losses. A Senegal petroleum company BEC attempt targeting $7.9 million was halted before cash-out. Enforcement scaled to 19 countries; economic asymmetry remains intact at $21 million recovered against $3.4 billion in global crypto theft alone.
Signal 4: NFC-abusing Android malware detections up 87% in H2 2025
ESET Threat Report H2 2025 shows NFC relay attacks growing in scale and sophistication. NGate received a contact-stealing upgrade. New entrant RatOn combines RAT capabilities with NFC relay. PhantomCard, adapted to Brazil, appeared in multiple campaigns. The malware prompts victims to tap payment cards, captures the NFC data and PIN, and relays them to attacker-controlled terminals. Consumer trust surfaces are collapsing into mobile endpoints where traditional banking controls do not apply.
Author
Daniel Michan is the founder of CybersecurityHQ, a CISO-grade intelligence platform read weekly across the Fortune 100. He analyzes identity-centric risk, machine identity failures, SaaS integration breakdowns, and emerging AI-speed threats, producing executive briefings and deep-dive research used by enterprise security leaders for decision support.