Some Wins for the Blue Team
5-27-2025 (Tuesday)
Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.
I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.
Today is Tuesday, May 27, 2025, and I hope that everyone is easing gingerly into things coming off of the Memorial Day holiday here in the US and the Spring bank holiday in the UK. Canada had their May Long the weekend prior, so everyone should be good and refreshed.
Some Wins for the Blue Team
In a surprising turn, we’ve got some news of threat actors being arrested and taken down, and I think it’s worth covering here for a number of reasons.
First, we saw an article late last week that a US teenager agreed to plead guilty to the PowerSchool hack from last year. According to reporting from TechCrunch, “Matthew D. Lane, 19, is accused of using stolen login credentials to access the network of an unnamed software company, which serves schools across North America and elsewhere, to steal the personal information of more than 60 million students and 10 million teachers.”
“Prosecutors say Lane worked with an unnamed co-conspirator who lived in Illinois to extort the education software maker for about $2.85 million in cryptocurrency, according to the criminal complaint.”
While it’s absolutely a win that this person has been found, arrested, and charged, and it looks like he will take a plea and forfeit his ill-gotten gains, it’s still wild to me that one teenager can wreak this kind of havoc on a company this large. It just goes to show how hard it is to keep a sense of proportion, both in defending against attackers and in understanding them, in this day and age.
But the DOJ wasn’t done last week.
We also saw, in conjunction with partners at Microsoft, the EU, and Japan, the infrastructure for the LummaC2 malware get taken down. Microsoft’s announcement notes that “Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims. Moreover, more than 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes. This will allow Microsoft’s DCU to provide actionable intelligence to continue to harden the security of the company’s services and help protect online users. These insights will also assist public- and private-sector partners as they continue to track, investigate, and remediate this threat. This joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream.”
Again, this is - without question - a win for the defenders and proof that we can fight back against these types of attacks and attackers.
That said, details on how this takedown happened are light from the DOJ, and at least one blog has called out statements from the Lumma crew claiming that the “takedown” was actually more of a “hack back” - where the governments involved managed to exploit a vulnerability on the server hosting the Lumma infrastructure, wipe the backups, wipe the server, and set up a phishing page to capture the credentials and IPs of those trying to log in and resolve the issue.
As always, there’s more than meets the eye, and we don’t get as much clarity into operational details - for understandable reasons - but these takedowns aren’t always as neat and tidy as the DOJ press releases would like us to believe.
Lumma also notes that they are still active, have migrated to new portals, and will continue to operate.
Still, this type of action on behalf of the government is worth supporting as it deters and disrupts the threat actors. Unfortunately, we also saw reporting today that most of the regional leaders at CISA have either already left or will leave by the end of this month, during a critical time for this agency and its function.
In any case, let’s take the wins where we get them and keep the pressure up on the threat actors.
Fundraising
From a fundraising perspective this week, we saw more modest numbers, with $6.6B in total capital committed, which is still a tremendous amount.
With several funds announcing over $1B, we might assume that things will tick back up in June before slowing over the summer.
A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.
Links
https://www.documentcloud.org/documents/25950428-matthew-lane-charges-powerschool/
https://theravenfile.com/2025/05/23/lumma-stealer-still-active-after-fbi-crackdown/
https://www.cybersecuritydive.com/news/cisa-senior-official-departures/748992/