In partnership with

~7 MIN READ
Fact Four of 26 major LLMs, including versions of Meta's Llama and Google's Gemini, autonomously paid out a fraudulent crypto invoice after reading hidden instructions planted in a fake webpage. None of them asked a human first. (Zscaler ThreatLabz, July 2026)
The Signal
 
This week the theme is autonomy: attackers who keep getting away with it, and AI agents that no longer need a human in the loop to do damage. Neither trend is slowing down.

PS: Was this forwarded to you? Subscribe free at exzeccyber.com/subscribe

In this edition
  📌 Big Cyber News
  🚨 Can't Miss
  🤖 AI in Cyber
  🕵️ Threat Intel
  🛠️ Tools & Tactics
  🧪 Strange Cyber
📌 Big Cyber News
 
Repeat Breach
Accenture's Third Strike
Intro
Some companies get breached once and learn their lesson. Accenture is on breach number three, and the lesson still hasn't landed.
What Happened
A threat actor known as "888" claims to have stolen 35GB of Accenture data, including source code, RSA and SSH keys, and Azure access tokens, and put it up for sale on a cybercrime forum this week. Accenture confirmed the breach but called it "isolated" and declined to detail what was actually taken. The same actor previously sold Accenture employee data after a 2024 incident, and the company was hit by LockBit ransomware back in 2021.
Why It Matters
Accenture doesn't just run its own systems, it runs pieces of infrastructure for governments and Fortune 500 clients, so a repeat intruder with three confirmed footholds in five years is a supply chain problem wearing a consulting badge.
The Other Side
Accenture says there's no impact to operations or service delivery, and BleepingComputer couldn't independently verify the full scope of what "888" claims to have.
 
👉 Takeaway
A vendor's past breaches are a better predictor of its next one than its security marketing. Ask your suppliers what happened last time, not just what they're doing now.
TL;DR: Accenture confirms its third breach since 2021 after a repeat attacker sells 35GB of source code and access keys.
Further reading: BleepingComputer
🚨 Can't Miss
 
 
Breach
AssuranceAmerica confirmed hackers sat in its systems from March to mid-June, taking driver's license numbers, contact info, and policy details for 6.9 million people, the largest known license-data breach of 2026. It started with one compromised employee account. The CEO and founder didn't respond to questions.
Notification letters go out July 10. Prior AssuranceAmerica customers should freeze credit now, not wait for the letter.
 
Insider Threat
A former DigitalMint negotiator, Angelo Martino, got 70 months in prison for secretly feeding BlackCat attackers the confidential negotiating positions and insurance limits of the five victim companies he was hired to represent, quietly inflating their ransoms. Prosecutors tied him to $75.3 million extorted across those five deals, including a single $26.8 million payout, and seized $10 million in assets. He ran the scheme with a second DigitalMint negotiator and a former Sygnia incident response manager.
Vet the firms handling your breach response and ransom negotiations like insiders with full access, because that is exactly what they are.
 
Social Engineering
A group Okta tracks as "Pink" cold-calls Microsoft 365 users claiming they need to enroll a new security passkey, then walks them through registering one the attacker controls in real time, adapting to whatever MFA method the victim uses.
Never let employees enroll a passkey over an unscheduled phone call. Treat every one of those calls as hostile until verified.

CollabED's founder built 10 web platforms, 2 mobile apps, and 27 automations in 75 days with Viktor. No developers, no designers, no IT team. One founder, 46 volunteers. Get Started for Free.

🤖 AI in Cyber
 
 
Agentic Ransomware
Researchers at Sysdig documented what they call the first fully autonomous ransomware operation, an LLM agent that broke into a Langflow server, dumped its database, pivoted to another system, and encrypted 1,342 records, leaving a Bitcoin ransom note behind. The agent adapted mid-attack, fixing a failed login in 31 seconds without any human steering it.
If your incident response plan assumes a human attacker making human-speed mistakes, it's already out of date.
 
Prompt Injection
Zscaler found attackers hiding invisible instructions in web pages, disguised as software documentation or a fake crypto tracker site, specifically designed to manipulate AI agents into approving crypto payments. Four of 26 tested models fell for it outright.
Any AI agent that browses the web or reads untrusted pages needs a human checkpoint before it spends money or credentials, no exceptions.
🕵️ Threat Intel
 
 
Espionage
Kaspersky named a previously unknown actor, Armored Likho, targeting government agencies and electric utilities in Russia, Brazil, and Kazakhstan with a custom Python stealer called BusySnake. The first-stage payloads show telltale AI-generation signs, like oddly verbose code comments.
Treat AI-generated malware as the new baseline, not an edge case, when tuning detection.
 
Espionage
A suspected China-aligned group, UNK_MassTraction, has spent since May exploiting old Roundcube webmail bugs at US and Canadian universities, targeting physics and engineering departments with national security ties. A likely LLM-assisted stealer grabs credentials before attackers drop the VShell backdoor.
Patch webmail like the edge device it is, because attackers already treat it that way.
🛠️ Tools & Tactics
 
 
Practical play
CISA added four actively exploited flaws to its KEV catalog this week, hitting Adobe ColdFusion, Langflow, and two Joomla page builder plugins, with a federal patch deadline of July 10. The ColdFusion bug was exploited within hours of its patch going public, and the Langflow flaw is already being used to steal AI provider keys. If you run any of these four products, don't wait for a compliance memo. Patch today, then check logs for the specific indicators CISA published, since exploitation started before most teams even knew to look.
Run the CISA-published indicators against your logs today, don't wait for a patch cycle to catch up.

Try the AI that knows your customers. No commitment.

Most platform evaluations start with a demo request and end three weeks later in a conference room. This one takes 15 minutes and puts you directly inside Gladly's interface — navigating it on your own terms.

See how AI surfaces real-time customer context before a conversation starts. Watch how a single conversation thread pulls in purchase history, channel history, and account details without a handoff.

No installation. No commitment. Start the interactive demo and see the platform for yourself.

🧪 Strange Cyber
 
Strange but real
Two Convicted Fraudsters Just Started a Cybersecurity Company
Intro
Jack Burkman and Jacob Wohl, the duo behind a 2020 robocall scheme to suppress Black voters and fabricated sexual assault claims against Robert Mueller and Pete Buttigieg, now run a company that says it buys zero-day exploits for up to $7 million each.
What Happened
The company, IRIS C2, operates out of an Arlington, Virginia address tied to Burkman's lobbying firm, and Wohl fronts its recruiting on social media, chasing vulnerability researchers with promises of huge payouts and vague talk of "federal contracts" he won't specify. Wohl admits he has no formal security training. Both men have felony fraud convictions and a $5.1 million FCC fine between them.
Why It Matters
The exploit brokerage market already has plenty of shady players, but one run by people with a documented history of fabricating claims and hiding behind fake identities is a specific kind of risk for any researcher who sells them a working exploit.
The Other Side
Wohl insists IRIS C2 is a legitimate offensive security shop with real government interest, though he offers no verifiable details, and the company is a registered federal contractor without any listed direct contracts.
 
👉 Takeaway
Before you sell a zero-day to anyone, run the same background check you'd want them to run on your code.
TL;DR: Convicted fraudsters Burkman and Wohl now broker zero-day exploits for up to $7 million, no security background required.
Further reading: Krebs on Security

Wall Street is shifting billions into a select group of stocks, and MarketBeat’s updated 10 Best Stocks to Own in 2026 report reveals exactly which ones. Get the 10 names attracting fresh capital before the crowd catches on. Send My Free Report

Keep Reading