BackBox.org offers a range of Penetration Testing services to simulate an attack on your network or application. If you are interested in our services, please contact us and we will provide you with further information as well as an initial consultation.
MITRE Unveils AADAPT Framework to Tackle Cryptocurrency Threats
/in General NewsThe MITRE AADAPT framework provides documentation for identifying, investigating, and responding to weaknesses in digital asset payments.
The post MITRE Unveils AADAPT Framework to Tackle Cryptocurrency Threats appeared first on SecurityWeek.
SecurityWeek – Read More
Ransomware Group Claims Attack on Belk
/in General NewsDragonForce says it stole more than 150 gigabytes of data from US department store chain Belk in a May cyberattack.
The post Ransomware Group Claims Attack on Belk appeared first on SecurityWeek.
SecurityWeek – Read More
DOGE Denizen Marko Elez Leaked API Key for xAI
/in General NewsMarko Elez, a 25-year-old employee at Elon Musk’s Department of Government Efficiency (DOGE), has been granted access to sensitive databases at the U.S. Social Security Administration, the Treasury and Justice departments, and the Department of Homeland Security. So it should fill all Americans with a deep sense of confidence to learn that Mr. Elez over the weekend inadvertently published a private key that allowed anyone to interact directly with more than four dozen large language models (LLMs) developed by Musk’s artificial intelligence company xAI.
Image: Shutterstock, @sdx15.
On July 13, Mr. Elez committed a code script to GitHub called “agent.py” that included a private application programming interface (API) key for xAI. The inclusion of the private key was first flagged by GitGuardian, a company that specializes in detecting and remediating exposed secrets in public and proprietary environments. GitGuardian’s systems constantly scan GitHub and other code repositories for exposed API keys, and fire off automated alerts to affected users.
Philippe Caturegli, “chief hacking officer” at the security consultancy Seralys, said the exposed API key allowed access to at least 52 different LLMs used by xAI. The most recent LLM in the list was called “grok-4-0709” and was created on July 9, 2025.
Grok, the generative AI chatbot developed by xAI and integrated into Twitter/X, relies on these and other LLMs (a query to Grok before publication shows Grok currently uses Grok-3, which was launched in Feburary 2025). Earlier today, xAI announced that the Department of Defense will begin using Grok as part of a contract worth up to $200 million. The contract award came less than a week after Grok began spewing antisemitic rants and invoking Adolf Hitler.
Mr. Elez did not respond to a request for comment. The code repository containing the private xAI key was removed shortly after Caturegli notified Elez via email. However, Caturegli said the exposed API key still works and has not yet been revoked.
“If a developer can’t keep an API key private, it raises questions about how they’re handling far more sensitive government information behind closed doors,” Caturegli told KrebsOnSecurity.
Prior to joining DOGE, Marko Elez worked for a number of Musk’s companies. His DOGE career began at the Department of the Treasury, and a legal battle over DOGE’s access to Treasury databases showed Elez was sending unencrypted personal information in violation of the agency’s policies.
While still at Treasury, Elez resigned after The Wall Street Journal linked him to social media posts that advocated racism and eugenics. When Vice President J.D. Vance lobbied for Elez to be rehired, President Trump agreed and Musk reinstated him.
Since his re-hiring as a DOGE employee, Elez has been granted access to databases at one federal agency after another. TechCrunch reported in February 2025 that he was working at the Social Security Administration. In March, Business Insider found Elez was part of a DOGE detachment assigned to the Department of Labor.
Marko Elez, in a photo from a social media profile.
In April, The New York Times reported that Elez held positions at the U.S. Customs and Border Protection and the Immigration and Customs Enforcement (ICE) bureaus, as well as the Department of Homeland Security. The Washington Post later reported that Elez, while serving as a DOGE advisor at the Department of Justice, had gained access to the Executive Office for Immigration Review’s Courts and Appeals System (EACS).
Elez is not the first DOGE worker to publish internal API keys for xAI: In May, KrebsOnSecurity detailed how another DOGE employee leaked a private xAI key on GitHub for two months, exposing LLMs that were custom made for working with internal data from Musk’s companies, including SpaceX, Tesla and Twitter/X.
Caturegli said it’s difficult to trust someone with access to confidential government systems when they can’t even manage the basics of operational security.
“One leak is a mistake,” he said. “But when the same type of sensitive key gets exposed again and again, it’s not just bad luck, it’s a sign of deeper negligence and a broken security culture.”
Krebs on Security – Read More
Web-Inject Campaign Debuts Fresh Interlock RAT Variant
/in General NewsA cyber-threat campaign is using legitimate websites to inject victims with remote access Trojans belonging to the Interlock ransomware group, in order to gain control of devices.
darkreading – Read More
Russian Basketball Star Daniil Kasatkin Arrested in Ransomware Probe
/in General NewsDaniil Kasatkin, a Russian pro basketball player, faces US ransomware charges after his Paris arrest. His lawyer claims he’s “useless with computers,” raising questions about his alleged negotiator role in cybercrime.
Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More
Episource is notifying millions of people that their health data was stolen
/in General NewsThe UnitedHealth-owned medical coding service was hacked earlier this year by a ransomware gang.
Security News | TechCrunch – Read More
Military Veterans May Be What Cybersecurity Is Looking For
/in General NewsAs the field struggles with a shortage, programs that aim to provide veterans with the technical skills needed to succeed in cybersecurity may be the solution for everyone.
darkreading – Read More
Google Gemini AI Bug Allows Invisible, Malicious Prompts
/in General NewsA prompt-injection vulnerability in the AI assistant allows attackers to create messages that appear to be legitimate Google Security alerts but instead can be used to target users across various Google products with vishing and phishing.
darkreading – Read More
Researchers Jailbreak Elon Musk’s Grok-4 AI Within 48 Hours of Launch
/in General NewsElon Musk’s Grok-4 AI was compromised within 48 hours. Discover how NeuralTrust researchers combined “Echo Chamber” and “Crescendo”…
Hackread – Latest Cybersecurity, Hacking News, Tech, AI & Crypto – Read More
Trump administration to spend $1 billion on ‘offensive’ hacking operations
/in General NewsA top Democrat criticized the move to spend a billion on offensive hacking operations as the budget guts a billion from U.S. cyber defense.
Security News | TechCrunch – Read More