Emerging Threats

US Charges Chinese Nationals in Myanmar Scam Compounds

Seized scam compound in Southeast Asia with law enforcement presence.

Prosecutors announced the seizure of more than 503 domains used to defraud U.S. victims and unsealed complaints charging two Chinese nationals with managing forced‑labor scam compounds in Southeast Asia.

U.S. Charges Jiang Wen Jie and Huang Xingshang

Federal prosecutors unsealed criminal complaints and arrest warrants for Jiang Wen Jie and Huang Xingshang, who are being held in Thailand and charged with wire fraud conspiracy for allegedly managing scam compounds that used forced labor in Myanmar. Prosecutors say Jiang directly supervised workers at a compound known as Shunda Park in the village of Min Let Pan before it was seized in November 2025 by a regional militia. The pair are accused of targeting Americans; the FBI says Americans lost at least $7.2 billion in 2025 to romance and investment scams, a figure prosecutors describe as a significant underrepresentation of total losses. The complaints also disclose seizure of a Telegram channel used to recruit trafficking victims to a scam compound in Cambodia.

GreyNoise: Pre‑disclosure Reconnaissance Surges Lead CVE Announcements by a Median of 10–11 Days

Threat‑intelligence firm GreyNoise reports that surges in malicious internet traffic commonly precede CVE disclosures by a median of about 10 to 11 days. The analysis examined nearly 148 million sessions over a 103‑day period across 18 major network and edge device vendors. GreyNoise found structured probing tied to vulnerabilities that had not yet been publicly announced; in more than half of identified cases a related vulnerability was disclosed within three weeks of the spike. Examples in the study include escalating probing around a Cisco flaw and three distinct surge events before a SonicWall CVE announcement. GreyNoise argues session volume — not merely the count of attacking IP addresses — is the clearest early signal of coordinated pre‑exploitation activity.
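To make GreyNoise's point concrete, here is an added example (not GreyNoise's code or method) that scores daily probing against an edge product by session volume and, side by side, by distinct source IPs, so a surge driven by a few noisy sources is caught by the volume signal but missed by the IP count. The session records are constructed sample data; the 3x-median threshold is an assumption chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (day, source_ip) for each observed session against one device family.
# Days 1-7 are a quiet baseline (5 sessions/day from 5 IPs); day 8 is a volume surge
# from only two sources (75 sessions, 2 IPs), the pattern the text describes.
SESSIONS = (
    [(d, f"198.51.100.{i}") for d in range(1, 8) for i in range(1, 6)]
    + [(8, "203.0.113.7")] * 40
    + [(8, "203.0.113.8")] * 35
)


def daily_counts(sessions):
    """Return {day: (session_count, distinct_ip_count)} in day order."""
    per_day = defaultdict(list)
    for day, ip in sessions:
        per_day[day].append(ip)
    return {d: (len(ips), len(set(ips))) for d, ips in sorted(per_day.items())}


def surge_days(sessions, factor=3.0):
    """Flag days whose session volume exceeds factor x the median of all prior days.

    Each finding also records whether a distinct-IP count alone would have fired,
    showing why session volume is the earlier, more sensitive signal.
    """
    flagged = []
    past_sessions, past_ips = [], []
    for day, (n_sess, n_ips) in daily_counts(sessions).items():
        if past_sessions:  # need a baseline before judging a day
            sess_surge = n_sess > factor * median(past_sessions)
            ip_surge = n_ips > factor * median(past_ips)
            if sess_surge:
                flagged.append({
                    "day": day,
                    "sessions": n_sess,
                    "ips": n_ips,
                    "ip_count_alone_flags": ip_surge,
                })
        past_sessions.append(n_sess)
        past_ips.append(n_ips)
    return flagged


if __name__ == "__main__":
    for f in surge_days(SESSIONS):
        print(f)
```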

Anthropic's Mythos, Mozilla's Testing, and CISA's Access Question

Anthropic has extended controlled access to its Claude Mythos Preview model to more than 40 organizations, including Amazon, Microsoft, Apple, Cisco and Mozilla, yet the U.S. Cybersecurity and Infrastructure Security Agency did not receive model access despite briefings on its capabilities. The National Cyber Director, Sean Cairncross, is negotiating broader civilian access, and other U.S. agencies such as the NSA and the Commerce Department's Center for AI Standards and Innovation have testing arrangements. Mozilla used Anthropic's Mythos in testing and said the model identified 271 vulnerabilities in Firefox that were patched in Firefox 150. Mozilla described software flaws as “finite” and reported finding “no category or complexity of vulnerability that humans can find that this model can't.”

Apache ActiveMQ CVE‑2026‑34197 Is Under Active Exploitation

Researchers at Horizon3.ai warned that a high‑severity flaw in Apache ActiveMQ, tracked as CVE‑2026‑34197, is being actively exploited. The issue stems from the product's use of Jolokia, a JMX‑over‑HTTP interface, and can be abused to achieve remote code execution by invoking management operations (for example, addNetworkConnector) with a crafted discovery URI that causes the broker to fetch and execute remote configuration. The warning notes that default or weak credentials lower the barrier to exploitation, and that ActiveMQ versions 6.0.0 through 6.1.1 are further weakened by CVE‑2024‑32114, which can expose Jolokia without authentication — effectively making CVE‑2026‑34197 an unauthenticated RCE on those builds. The issue has been added to CISA's Known Exploited Vulnerabilities catalog.
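The two conditions the warning singles out, a broker in the 6.0.0 through 6.1.1 range and credentials left at defaults, are easy to audit in a fleet inventory. The following is an added defender-side check, not code from Horizon3.ai or the ActiveMQ project; it assumes the web-console realm file uses the `username: password, role` line format and that `admin`/`admin` and `user`/`user` are the shipped defaults, and the realm text below is constructed sample input.

```python
import re

# Version range the text says is further weakened by CVE-2024-32114 (inclusive bounds).
WEAK_RANGE = ((6, 0, 0), (6, 1, 1))
# Assumed shipped defaults for the console/Jolokia realm; rotate any that are still present.
DEFAULT_CREDS = {("admin", "admin"), ("user", "user")}


def parse_version(version):
    """'6.1.0' -> (6, 1, 0); non-numeric suffixes such as '-SNAPSHOT' are ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", version)[:3])


def in_unauth_jolokia_range(version):
    """True when the broker version falls in 6.0.0..6.1.1."""
    return WEAK_RANGE[0] <= parse_version(version) <= WEAK_RANGE[1]


def default_creds_in_realm(realm_text):
    """Return (user, password) pairs from a realm file that still match shipped defaults.

    Assumed line format (jetty-realm.properties style): 'username: password, role[, role...]'.
    """
    found = []
    for line in realm_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^:]+):\s*([^,]+)", line)
        if m:
            pair = (m.group(1).strip(), m.group(2).strip())
            if pair in DEFAULT_CREDS:
                found.append(pair)
    return found


def audit_broker(version, realm_text):
    """Combine both checks into a list of findings for one broker."""
    findings = []
    if in_unauth_jolokia_range(version):
        findings.append("version %s is in the 6.0.0-6.1.1 range affected by "
                        "CVE-2024-32114: Jolokia may be reachable without auth; upgrade" % version)
    for user, _ in default_creds_in_realm(realm_text):
        findings.append("default credential still set for '%s'; rotate it" % user)
    return findings


# Constructed sample realm content for a broker that has not been hardened.
SAMPLE_REALM = "# users\nadmin: admin, admin\nuser: user, user\nops: s3cret-value, admin\n"
```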

France's National Agency for Secure Documents: ~12 Million Accounts Potentially Affected

France's Interior Ministry disclosed a security incident detected on April 15 affecting the National Agency for Secure Documents portal. Authorities said data linked to approximately 12 million user accounts may have been compromised; exposed fields include names, email addresses, login identifiers, dates of birth and account IDs, with some records containing postal addresses, places of birth and phone numbers. The ministry said supporting documents submitted during administrative processes were not affected and that the exposed data cannot be used to directly access user accounts. A threat actor using the handle “breach3d” claimed responsibility and alleged possession of up to 19 million records.

What this means for technologists, policymakers, and affected users

  • Technologists and security teams should monitor reconnaissance session volume as an early indicator of pre‑disclosure exploitation, and prioritize patching and credential hygiene for Jolokia‑exposed ActiveMQ brokers — particularly on versions 6.0.0 through 6.1.1 where unauthenticated access has been documented.
  • Policymakers and civilian cyber authorities face a practical tension: Anthropic's Mythos is in limited testing with industry and some agencies, while CISA has been briefed but lacks access; the National Cyber Director is negotiating broader access, a step that may influence vulnerability discovery and coordination after tools like Mythos reveal large numbers of defects.
  • Affected French portal users should note the Interior Ministry's assessment that supporting documents were not exposed and that the compromised fields cannot by themselves be used to log into accounts; still, the scale — roughly 12 million accounts — makes user notification and identity monitoring a matter for public administrators and privacy officials to manage.

Across these items — law enforcement seizing hundreds of scam domains and charging compound managers, intelligence showing attackers strike before public disclosure, AI models surfacing hundreds of vulnerabilities, and active exploitation of messaging middleware — the common thread is speed. The record reported here ties rapid attacker reconnaissance to fast‑moving operational and legal responses; how well defenses, policy access and public notice keep pace with that speed is the question left on the table.
