Global Security Alert: State Hackers Escalate Attacks on WhatsApp and Signal Messaging Apps

In a stark warning to the public, the UK’s National Cyber Security Centre (NCSC) has raised the alarm over a significant surge in sophisticated cyber-attacks. The primary targets? Popular messaging applications like WhatsApp, Facebook Messenger, and Signal. This coordinated campaign, attributed to state-aligned actors, marks a dangerous shift in how sensitive information is being hunted in the digital age.

Consequently, the threat landscape for personal communication has fundamentally changed. The NCSC’s alert, issued in coordination with international partners, points directly to “growing malicious activity from Russia-based actors.” However, this is not an isolated threat. The agency has previously documented similar operations by China’s APT31 and groups linked to Iran’s Islamic Revolutionary Guard Corps (IRGC), painting a picture of a widespread, global espionage effort.

Who is in the Crosshairs of Messaging App Security Threats?

This wave of attacks is highly targeted, not random. The NCSC defines the primary victims as “high-risk individuals”—those whose professional roles or public profiles grant them access to sensitive data or influential networks. This includes government officials, politicians, journalists, academics, and legal professionals. The objective is clear: compromise a single device to gain a foothold into a wider, valuable network of contacts and confidential communications.

Building on this, the Dutch intelligence service has echoed these concerns, independently warning about Russian hackers specifically focusing on WhatsApp and Signal accounts. This international consensus underscores the severity and coordinated nature of the threat.

The Hacker’s Playbook: Social Engineering and Deception

So, how are these attacks executed? The techniques are cunningly simple yet effective, relying heavily on human psychology rather than complex code. Attackers deploy a range of tricks designed to bypass technical safeguards. These include sending malicious links or QR codes that stealthily install malware or steal login credentials. A common ploy involves impersonating a trusted contact to trick users into sharing account recovery codes. Another method sees hackers silently joining group chats to monitor discussions and identify further targets.

As a result, the NCSC emphasizes a critical point: “anyone can be the victim of social engineering.” The perception that only the technically naive are at risk is a dangerous misconception. The professional and personal blending of communications on these platforms makes everyone a potential target.

Essential Defenses for Your Messaging App Security

In response to this escalating threat, the NCSC and security experts have outlined clear, actionable steps to bolster your defenses. Adopting these practices is no longer optional for those in sensitive positions; it is a necessary component of modern digital hygiene.

First and foremost, treat messaging apps with caution. Avoid sharing highly sensitive information through these channels. Where possible, use organization-provided devices and sanctioned communication services for work-related discussions and adhere strictly to corporate security policies. This creates a vital separation between personal and professional digital footprints.

Furthermore, guard your authentication details fiercely. Never share verification codes sent via SMS or app, and be extremely wary of scanning unexpected QR codes—a favorite tool of attackers. Enabling multi-factor authentication (MFA) adds a crucial extra layer of security, making account takeover significantly harder.

Finally, make regular audits a habit. Periodically check your app settings for any unfamiliar linked devices, and scrutinize the members of your group chats. Remove or independently verify any participant you do not recognize. For more on securing your digital identity, read our guide on protecting personal data online.

The Bigger Picture: Why Messaging Apps Are Prime Targets

Andy Ward, senior VP at Absolute Security, contextualizes the threat. “Messaging apps like WhatsApp are now embedded in both our personal and professional lives, which is why they are a prime target,” he states. “Individuals with confidential and sensitive data are at the forefront of a cybercriminal’s aim.”

This integration is precisely the vulnerability. The same app used for family chats often contains work-related conversations, creating a treasure trove of data. Therefore, the boundary between personal convenience and professional security has dangerously blurred.

To address this, Ward advocates for a proactive and resilient security posture. “Organizations and government alike must be monitoring devices and applications to prevent incoming threats as well as helping to recover when the inevitable attack happens,” he adds. This means moving beyond simple prevention to assume that some breaches will occur and having robust response plans ready. Learn about implementing such plans in our article on cyber incident response basics.

In summary, the NCSC’s alert is a powerful reminder that our most common communication tools are now front-line assets in global cyber espionage. By understanding the threat, recognizing the targets, and implementing disciplined security practices, individuals and organizations can significantly reduce their risk in this new era of digital conflict.

From Malware Hunter to Drone Hacker: The New Mission of Cybersecurity Legend Mikko Hyppönen

For over three decades, the name Mikko Hyppönen has been synonymous with the fight against digital threats. Now, this cybersecurity pioneer is applying his formidable skills to a new battlefield: the sky. After a career spent dissecting malicious code, Hyppönen has turned his attention to countering drone threats, marking a significant pivot in his lifelong mission to protect people from evolving dangers.

The Invisible War of Cybersecurity

Mikko Hyppönen often describes cybersecurity work as a perpetual game of Tetris. When you succeed perfectly, the results vanish into thin air—nothing happens, systems remain secure, and life continues uninterrupted. This means that for security professionals, success is often invisible, while failures accumulate visibly and disastrously. Building on this analogy, Hyppönen has spent 35 years making sure those failures don’t pile up, becoming one of the most recognizable and respected figures in global cybersecurity.

His journey began in the late 1980s, when terms like “malware” were scarcely used and viruses spread via floppy disks. Starting at the Finnish company Data Fellows, which later became the renowned antivirus firm F-Secure, Hyppönen honed his skills by reverse-engineering software and analyzing early computer viruses. Consequently, he witnessed the entire evolution of digital threats firsthand, from simple curiosity-driven code to sophisticated nation-state attacks.

The Evolution of Digital Threats

In the early days, virus creation was often a hobbyist’s pursuit. The Form.A virus, prevalent in the early 1990s, sometimes did little more than display a message on a screen, yet it managed to travel globally, even reaching research stations in Antarctica. However, the landscape shifted dramatically with incidents like the ILOVEYOU virus in 2000, which Hyppönen and his team were first to discover. This worm infected millions of Windows computers worldwide, heralding a new era of automated, damaging attacks.

From Hobby to High-Stakes Crime

Today, the age of benign digital viruses is firmly over. Malware is now almost exclusively the tool of cybercriminals, state-sponsored spies, and mercenary spyware developers. Landmark attacks like the WannaCry ransomware and the NotPetya campaign demonstrated how digital weapons could cripple national infrastructure. This means that the cybersecurity industry has had to professionalize rapidly, growing into a $250 billion field dedicated to defense.

Interestingly, one major victory has been the hardening of consumer technology. Modern devices like the iPhone are extremely secure, making exploits so expensive that they are often only accessible to well-resourced governments rather than common criminals. Therefore, while malware remains a persistent threat, the industry’s progress in certain areas has allowed veterans like Hyppönen to explore new frontiers of defense.

A New Frontier: The Drone Battlefield

In 2025, Mikko Hyppönen made a decisive career shift. He joined Sensofusion, a Helsinki-based company, as Chief Research Officer, focusing on developing anti-drone systems for military and law enforcement. This pivot was deeply personal. Living just two hours from Finland’s border with Russia and serving in the military reserves, Hyppönen felt a direct connection to the drone-defined warfare witnessed in Ukraine. “It’s more meaningful to work fighting against drones, not just the drones we see today, but also the drones of tomorrow,” he explains. “We’re on the side of humans against machines.”

Parallels Between Fighting Malware and Drones

At first glance, cybersecurity and counter-drone technology seem unrelated. Yet, Hyppönen identifies striking similarities in the defensive strategies. In cybersecurity, defenders use “signatures” to identify and block malicious code. In the drone world, systems are built to locate, jam, and take control of unmanned aerial vehicles by analyzing their radio frequencies and protocols.

Specifically, Sensofusion’s technology involves recording a drone’s radio transmissions as raw signal captures, known as IQ samples, in order to detect its communication protocol. From there, signatures can be built to identify even unknown drones. Moreover, once you understand the protocol, you can launch cyberattacks against the drone itself, causing it to malfunction or crash. “If you find a vulnerability, you’re done,” Hyppönen notes, highlighting a more direct path to neutralization compared to traditional malware battles.

The Unchanging Cat-and-Mouse Game

Despite the new domain, the core dynamic remains unchanged. It’s still a relentless cat-and-mouse game: defenders develop a countermeasure, adversaries adapt and find a workaround, and the cycle continues. For Hyppönen, even the adversary has a familiar face. “I spent a big part of my career fighting against Russian malware attacks,” he states. “Now I’m fighting Russian drone attacks.” This continuity underscores how geopolitical conflicts now span both digital and physical realms.

The Lasting Impact of a Cybersecurity Career

Mikko Hyppönen’s shift from malware to drones is not an abandonment of his past work but an evolution of it. The principles of analysis, defense, and adaptation remain central. His career arc mirrors the trajectory of modern security threats—constantly evolving, crossing domains, and demanding innovative responses. As drones become increasingly prevalent in conflict and crime, the need for experts who understand both the technology and the tactics of intrusion has never been greater.

Ultimately, whether the threat arrives via email or from the sky, the mission is the same: to protect. Hyppönen’s new chapter demonstrates that the skills honed in decades of digital warfare are precisely what’s needed to secure our physical world. For more insights on the evolution of cyber threats, explore our analysis on the future of cyber warfare or read about recent advances in anti-drone technology.

Major EU Data Breach: How Hacking Gangs TeamPCP and ShinyHunters Compromised Commission’s Cloud

The European Union’s cybersecurity landscape has been rocked by a significant incident. In a detailed report, the EU’s Computer Emergency Response Team (CERT-EU) has formally attributed a massive data breach affecting the bloc’s executive body to coordinated actions by two distinct cybercriminal groups. This EU data breach underscores a growing trend of sophisticated, multi-stage attacks targeting critical infrastructure.

The Anatomy of the Attack: A Two-Gang Operation

According to the agency’s findings, the incident was not the work of a single entity. Instead, it involved a chain of events initiated by one group and capitalized on by another. The initial intrusion is credited to a group known as TeamPCP. This group managed to compromise a critical Amazon Web Services (AWS) account used by the European Commission. From this account, they exfiltrated approximately 92 gigabytes of compressed data.

This stolen data, which included sensitive personal information such as names, email addresses, and the contents of emails, was later published online. However, the publication was carried out by a separate, notorious entity: the ShinyHunters hacking group. This dual attribution for a single breach event is a notable development in cyber threat analysis, highlighting complex digital crime ecosystems. A member of ShinyHunters later claimed they had obtained and leaked data that TeamPCP had stolen in earlier operations.

Exploiting the Supply Chain: The Trivy Tool Compromise

So, how did the attackers gain their initial foothold? The breach traces back to March 19. CERT-EU’s investigation reveals that hackers first targeted an open-source security tool named Trivy. Following a compromise of the Trivy project itself, the European Commission inadvertently downloaded a tainted version of this very tool meant to protect its systems.

This compromised tool contained malicious code that allowed TeamPCP to steal a secret API key. Possession of this key was the master stroke. It granted the attackers direct access to the Commission’s AWS cloud infrastructure, specifically the Europa.eu platform used to host official websites and publications. Consequently, they could pivot freely within the system to locate and steal vast amounts of data. For more on securing development tools, read our guide on open-source security best practices.

The Scope and Impact of the Data Exposure

The ramifications of this EU data breach are extensive. The 92GB cache of data is just the starting point. CERT-EU warns that the breach potentially affects the cloud infrastructure of at least 29 other EU entities. Dozens of internal European Commission clients may also have had their data stolen.

Within the published data, analysts found close to 52,000 files containing sent email messages. While many of these are automated system emails with little sensitive content, a significant risk remains. Emails that bounced back with delivery errors likely contain the original user-submitted content in full. This poses a direct and serious risk of personal data exposure for countless individuals who interacted with EU institutions.

A Pattern of Malicious Activity

This incident is not an isolated event for the involved groups. Security researchers, including Aqua Security (the developer of Trivy) and Palo Alto Networks Unit 42, have linked TeamPCP to a broader campaign of supply chain attacks. Their modus operandi involves compromising open-source security projects to gain access to the developers and organizations that use them.

By stealing credentials and API keys from developers, these hackers gain keys to far more sensitive systems. As Unit 42 noted, this access provides them “the ability to hold compromised organizations for ransom, demanding extortion payments,” linking their activities to ransomware and crypto-mining campaigns. Understanding these supply chain threats is crucial for modern defense.

Response and Ongoing Analysis

In the wake of the breach, what is being done? CERT-EU has confirmed it is actively engaged with all affected organizations to manage the fallout and bolster defenses. The agency continues to analyze the full dataset that was leaked online to understand the complete scope of the exposure.

Meanwhile, a spokesperson for the European Commission stated the body was closed at the time of the report and would provide further comment later. This incident serves as a stark reminder of the vulnerabilities inherent in complex digital supply chains, where a single compromised tool can cascade into a continent-scale data disaster.

Ultimately, this breach illustrates a critical evolution in cyber threats. It’s no longer just about breaking in; it’s about manipulating the very tools of defense to enable the theft. For EU institutions and organizations worldwide, the lesson is clear: vigilance must extend beyond perimeter security to encompass every link in the software development and deployment chain.

The Storm Infostealer: A New Era of Remote Credential Theft

A dangerous evolution in credential theft has emerged from the digital shadows. Security analysts at Varonis have identified a sophisticated new Storm infostealer that operates with a chilling efficiency. Instead of risking detection by decrypting stolen data on a victim’s computer, this malware quietly packages everything and ships it off to the attacker’s own servers. This fundamental shift makes traditional endpoint defenses far less effective, marking a significant escalation in the cybercrime arms race.

How Storm Infostealer Evades Detection

To understand Storm’s threat, we must first look at what came before. Historically, information stealers worked locally. They would infiltrate a system, load libraries to access browser databases, and decrypt saved passwords and cookies right there on the victim’s machine. This activity, however, left clear footprints—processes accessing sensitive files, unusual network calls—that modern security tools learned to recognize and block.

Then the landscape changed: major browsers like Google Chrome introduced stronger, app-bound encryption. This made local decryption incredibly difficult, forcing malware authors to find new methods. Initial workarounds involved complex code injection or abusing debugging features, but these too left traces for vigilant security software to find.

The Remote Decryption Advantage

Therefore, the creators of Storm adopted a radically different approach. The malware acts as a sophisticated collector. It harvests encrypted credential files, session cookies, autofill data, and even credit card information directly from the browser’s secure storage. Crucially, it does not attempt to crack them open locally. Instead, it transmits the encrypted loot back to a command server controlled by the attacker. The decryption happens safely in the attacker’s own environment, completely bypassing the victim’s antivirus and endpoint detection systems. This server-side processing is a core reason why the Storm infostealer is so concerning to experts.

What Does the Storm Infostealer Steal?

The breadth of data targeted by Storm is comprehensive, designed to give attackers maximum leverage. After infection, it systematically collects a victim’s entire digital identity. This includes saved passwords, active session cookies, browsing history, and Google account tokens. Furthermore, it captures autofill data and stored credit card details. One compromised browser can hand an attacker the keys to corporate SaaS platforms, internal tools, and cloud environments without ever triggering a single password alert.

In addition to browser data, Storm casts a wider net. It scours user directories for documents, captures system information and screenshots, and extracts session data from popular messaging apps like Telegram, Signal, and Discord. Perhaps most alarmingly for some, it specifically targets cryptocurrency wallets, pilfering data from both browser extensions and dedicated desktop applications. According to researchers, all this activity runs directly in the computer’s memory to minimize its footprint and further reduce the chance of detection.

Automated Session Hijacking and Criminal Economics

Beyond mere data collection, Storm automates the next critical step: exploitation. Most stealers simply dump raw logs into a buyer’s panel, requiring manual effort to sift through and use the stolen credentials. Storm changes this equation. It automatically feeds stolen Google Refresh Tokens into its operator panel. Simultaneously, it provides a geographically matched SOCKS5 proxy. This combination allows the criminal to silently restore the victim’s authenticated session from a location that appears legitimate, enabling seamless account takeover and fraud.

On the criminal marketplace, this capability comes at a price. Varonis reports that access to the Storm infostealer is sold for less than $1,000 per month, making it an accessible tool for a wide range of threat actors. During their investigation, the company’s threat intelligence team identified 1,715 victim entries in Storm’s panel, with connections originating from countries including the United States, India, Brazil, Indonesia, Vietnam, and Ecuador. The diversity of network sources suggests active, widespread malicious campaigns.

High-Value Targets and the Broader Threat

The credentials stolen by Storm are not random. They are focused on high-value platforms that offer direct financial or strategic payoff. This includes major social media and communication giants like Facebook and Twitter/X. On the financial front, the malware aggressively targets leading cryptocurrency exchanges and services such as Coinbase, Binance, Blockchain.com, and Crypto.com.

Consequently, this stolen data fuels a thriving underground economy. Credentials are packaged and sold on dark web marketplaces, where they are used for everything from straightforward financial fraud and account resale to serving as the initial foothold for more advanced, targeted attacks against individuals and organizations. For more on protecting against such initial access threats, read our guide on endpoint security best practices.

Ultimately, the emergence of Storm signals a troubling trend toward more resilient and automated cybercrime tools. By moving the decryption process off the victim’s machine, attackers have found a way to neutralize a key defensive detection method. This development underscores the need for a layered security approach that includes robust network monitoring, user education on phishing threats, and advanced threat-hunting capabilities to identify anomalous data exfiltration, even when it’s encrypted. For deeper insights into the malware landscape, explore our analysis of the evolution of information stealers.
