Canada's Expulsion From Five Eyes Would Be a Disaster

Editor’s Note: This newsletter is part of a collaboration between Lawfare and Risky Business. You can find the full version of the Seriously Risky Business newsletter and previous editions on news.risky.biz.

Canada's Expulsion From Five Eyes Would Be a Disaster

The Financial Times has reported that Peter Navarro, one of President Trump's closest advisers, is pushing for the U.S. to remove Canada from the Five Eyes intelligence alliance.

Trump has said he wants to make Canada the 51st American state amid a tariff dispute. Per the FT:

The people familiar with the situation said Navarro, who has easy access to the Oval Office due to his close relationship with Trump, is arguing that the US should increase pressure on Canada by evicting the country from the Five Eyes.

Navarro did not respond to Financial Times requests for comment but denied pushing the idea after the article was published. Per The Hill:

Navarro slammed the piece to reporters, noting the Times reporting didn't name its sources.
"My view is that we should never have to comment on any story where it's based on unnamed sources," he said, adding, "We would never, ever jeopardize our national security, ever, with allies like Canada, ever."

That sounds a lot like a non-denial denial to us.

Disrupting the Five Eyes would be extremely damaging. The Financial Times quoted a current intelligence official who said "sitting where I'm sitting and looking at the array of threats that are coming at us, we need all the partners we can get."

In addition to losing the intelligence that it provides, kicking Canada out of the Five Eyes would undermine the trust that is the bedrock of that kind of alliance.

It would also prompt other members to question America's commitment to the alliance and reevaluate their agencies' relationships abroad.

Sweden's Signal Paradox

The Swedish government is proposing legislation that would require encrypted messaging apps to archive messages so that they could be provided to authorities under warrant. Even if the legislation passes, it is unlikely to have the desired effect. Small countries like Sweden do not have the political or economic heft to impose their will on global technology organizations.

The Swedish debate is a nice vignette of the ongoing encryption debate, with arguments on both sides of what we call exceptional or lawful access. Sweden's law enforcement and security agencies support the proposed bill, saying they need lawful access to catch criminals. But the country's own armed forces have recommended their personnel use Signal. They oppose the bill and wrote in a letter to the government that the bill will not be able to be implemented "without introducing vulnerabilities and backdoors that could be exploited by third parties."

The proposal doesn't break encryption in end-to-end encrypted messaging apps per se but effectively undermines the security guarantees that these messengers provide.

Signal Foundation President Meredith Whittaker told Swedish media outlet SVT News that Signal would leave the Swedish market if the bill was passed.

That's not unexpected. When it comes to smaller countries like Sweden, withdrawing services is a practical option for international tech organizations that want to avoid complying with laws they don't like.

This week, for example, Apple announced that it would no longer offer Advanced Data Protection (ADP), a warrant-proof iCloud encryption service, in the U.K. The company removed the service from Britain rather than complying with a U.K. government order to develop a lawful access capability for iCloud backups protected by ADP.

To date, in liberal democracies, there hasn't been the political will to try to force companies to comply with these types of orders. The U.K. found the political will, and this is the result.

Cryptocurrency Cockroaches Crippled, Not Killed

Financial sanctions have dented illicit cryptocurrency activities in the past year, but the infrastructure supporting crime is resilient and remains active, according to a new report.

The report, from blockchain analysis firm Chainalysis, examines how recent government actions have affected the cryptocurrency ecosystem.

In 2024, there were a series of "major crackdowns on Russian-linked crypto entities that played key roles supporting Russia’s war economy, illicit cyber activities, and organized crime networks."

Many of these actions were focused on Russia-linked entities. These include the sanctioning of a Russian UAV developer supplying drones to Russian forces in Ukraine, the seizure of 47 Russian-language cryptocurrency exchanges that did not observe Know Your Customer (KYC) protocols, and the dismantling of a money laundering network.

These sanctions and disruption operations have been impactful.

When it comes to Russian-language no-KYC exchanges, Chainalysis reports that overall inflows have declined, "reflecting the disruptive impact of U.S. and international sanctions measures."

It's not all good news though. Much like cockroaches after the nuclear winter, rebrands of previously dismantled exchanges rise to crawl the earth once more. There are now more no-KYC exchanges than ever before. That's disconcerting, for sure. But they're converting less funds, so it's still a win (so far).

Another cryptocurrency cockroach, Tornado Cash, features in the report. This one's a cryptocurrency mixer that attempts to launder illicit funds by combining them with legitimate money flows.

Tornado Cash was sanctioned in 2022 for facilitating the laundering of $455 million in stolen funds. However, the service is an Ethereum smart contract that, in theory, cannot be shut down and continues to operate, "despite OFAC [U.S. Treasury] sanctions, legal action and the arrests of its developers."

Inflows to Tornado Cash dropped nearly 90 percent after it was sanctioned, but it is still limping along. Chainalysis says it "still facilitates hundreds of millions of dollars in transactions each month." In 2024, about a quarter of inflows to Tornado Cash were from stolen funds.

North Korean cryptocurrency thefts, meanwhile, continue unabated. Chainalysis says that in 2023, actors affiliated with North Korea stole about $660 million in 20 incidents. Those numbers more than doubled in 2024, with $1.34 billion stolen across 47 incidents.

Last week alone, North Korea stole $1.5 billion in a hack of the Bybit cryptocurrency exchange. Way to hit your KPIs, guys! Someone's getting a waffle party! (Adam Boileau and Patrick Gray discuss the details of the hack in this week's Risky Business podcast, and it is covered in Risky Bulletin).

They'll be able to turn that stolen ethereum into real money, too. North Korea has well-oiled cryptocurrency laundering processes. In a post related to the Bybit hack, Chainalysis said North Korea's processes include moving stolen assets "through a complex web of intermediary addresses"; conversion from ETH into other cryptocurrencies using decentralized exchanges, cross-chain bridges, and a no-KYC instant swap service; and holding funds for a while to avoid the heightened attention immediately after a high-profile breach.

Chainalysis says that it has collaborated across the industry and has helped to freeze more than $40 million stolen in the Bybit hack. For those keeping count, that's only $1.46 billion to go.

In a way, we're glad that North Korea focuses on cryptocurrency. We'd hate to see them get involved in ransomware in a big way, where the crimes involve serious disruption.

Three Reasons to Be Cheerful This Week:

1. Gmail to ditch SMS for authentication: Google's Gmail service is planning to drop SMS codes for authentication and will replace them with QR codes. Rather than enter the code after receiving a text message, a user will be presented with a QR code that they scan with their phone. Google says this will reduce the risk of phishing, although we are not convinced. A QR code can still be phished. But it does reduce the risk of SIM-swapping. Forbes has more coverage.
2. Ransomware group BlackBasta implodes: A member of the BlackBasta ransomware-as-a-service group has leaked internal Matrix chat logs on the dark web. The information is being mined by cybersecurity researchers. It seems that the group was already in its death throes and had effectively ceased operations since the beginning of the year. More coverage in Risky Business News. 
3. Meta sues Instagram abuser: Meta claims Idriss Qibaa, a Las Vegas man, ran an online service that sold, among other things, the ability to disable and reinstate Instagram accounts and is suing him for violating Instagram terms of use. Instagram abuse is rampant, so at least Meta is trying a different approach to rein it in. The Department of Justice has already indicted Qibaa for sending death threats by text message.

Shorts

Full Speed Ahead for US Cyber Operations

Current Pentagon leadership wants changes that will unshackle Cyber Command, while at the same time its former head thinks that more aggressive cyber operations are needed.

According to The Record, the Pentagon is looking to remove barriers preventing cyber operations:

[T]he Pentagon asked Cyber Command to compile a list of authorities it needs to be more effective, as well as any regulations that hinder its ability to conduct operations online, according to a former U.S. official, who spoke on the condition of anonymity.

Secretary of Defense Pete Hegseth has also asked that work on a U.S. Cyber Command restructuring plan, dubbed "Cyber Command 2.0" be accelerated.

So, within the Pentagon, leadership wants a more capable Cyber Command, quickly.

Retired Gen. Paul Nakasone, the former head of Cyber Command and the National Security Agency, also thinks U.S. Cyber Command needs to be more aggressive in cyberspace. He told CyberScoop that the U.S. is "increasingly behind" its adversaries in cyberspace and that more aggressive cyber operations are required.

Back in November last year, we wrote to "expect more covert action under [President] Trump." It looks like we were right.

Australian Government Bans Kaspersky

The Australian government has banned Kaspersky Lab products from its systems on security grounds.

The government's directive says Kaspersky Lab products and services present an "unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage."

Kaspersky Lab products have to be ripped out by April 1. Australia is probably not the highest priority target for potential Russian state operations, but we are surprised this has taken so long. The U.S. and the U.K. banned the use of Kaspersky on government systems in 2017, and Canada banned it in 2023.

Risky Biz Talks

In our latest "Between Two Nerds" discussion, Tom Uren and The Grugq examine the fundamental principles of network exploitation as described in Matthew Monte's book "Network Attacks and Exploitation: A Framework" using recent hacks as case studies.

From Risky Bulletin

Italian priest targeted with spyware: An Italian priest close to the Pope has revealed he was the target of advanced spyware. Father Mattia Ferrari says he received a security alert from Meta that his account was targeted "by unidentified government entities." Father Ferrari serves as chaplain on a migrant rescue ship owned by a nongovernmental organization. The organization's founder revealed earlier this month that he was one of the 90 victims targeted with spyware made by the Israel-based company Paragon Solutions. The attacks were initially revealed by Meta's WhatsApp team. Paragon Solutions cut off the Italian government's access to its surveillance tools after several Italian activists said they received Meta's alerts about the attacks.

[additional coverage in The Guardian]

North Korean hackers steal $1.5 billion from Bybit: North Korean hackers have stolen over $1.5 billion worth of crypto assets from Bybit, the world's second-largest cryptocurrency exchange.

The incident represents the largest crypto-heist in history (and the largest heist of any kind as well) and is almost 2.5 times larger than the previous leader—the theft of $625 million from the Ronin Network in April 2022.

The hack took place on Feb. 21 and is considered one of the most complex crypto-heists ever pulled.

The attackers infiltrated Bybit's network, studied the company's internal procedures, and then identified and infected with malware the computers of all the employees who typically sign off on the movement of the company's funds.

[more on Risky Business News]

BlackBasta implodes, internal chats leak online: Internal strife and conflicts appear to have led to the implosion of another successful ransomware-as-a-service platform—this time, BlackBasta, one of last year's most active ransomware groups.

Everything came crashing down last week when one of the BlackBasta members leaked the group's internal Matrix chat logs on the dark web.

The leaker said they shared the data after one of the BlackBasta affiliates launched brute-force attacks targeting Russian banks—a move the leaker didn't agree with because they feared it would trigger an aggressive response from Russian authorities.

The internal chat leak appears to have been the last twitch of an already-dead body, according to Swiss security firm Prodaft, which first spotted the leaked files.

[more on Risky Business News, including how BlackBasta has effectively ceased operations]