Connect with us

CyberSecurity

Estonia Is About to Give AI Agents Their Own State IDs. Here’s Why That Matters.

Published

on

Estonia AI agent IDs

The World’s Most Digital Nation Is Pushing Further

Estonia has long been the poster child for digital government. Citizens vote online, file taxes in minutes, and sign documents with a digital ID that’s been around since 2002. Now the Baltic nation is eyeing a new frontier: giving AI agents their own state-issued identities.

The idea is straightforward but radical. If an AI assistant can hold a verified state ID, it could interact with government portals on your behalf — filing forms, checking records, even applying for permits. Estonia’s government is actively exploring how to make this work, and the implications reach far beyond its 1.3 million residents.

“We’re looking at how to create a legal framework for AI agents to act as representatives,” said a senior official from Estonia’s e-Governance Academy in a recent briefing. The goal is to let citizens delegate routine bureaucratic tasks to software, securely and legally.

What Would a State ID for an AI Agent Actually Look Like?

Estonia’s current digital ID system is a cryptographic smart card (or mobile app) tied to a real person. An AI agent ID would likely follow a similar model but with key differences.

  • Limited authority: The agent would only act within strict permissions set by the human owner — no buying houses or signing marriage certificates without explicit approval.
  • Revocable: The human could cancel the agent’s ID at any time, similar to revoking a power of attorney.
  • Audit trail: Every action the AI takes would be logged and tied back to the human’s main identity, so accountability stays with the person.

This isn’t about giving AI “rights.” It’s about creating a verifiable digital proxy. The agent becomes a tool, not a legal person. Estonia’s e-Governance Academy is already drafting technical standards for how such IDs would be issued and verified.

Why Estonia? And Why Now?

Estonia isn’t doing this in a vacuum. The country’s X-Road data exchange layer already lets public and private sector systems talk securely. Its digital ID infrastructure is battle-tested — over 99% of public services are available online.

But the push for AI agent IDs comes from practical pressure. The same citizens who use AI assistants for shopping, scheduling, and email are starting to ask: why can’t my AI handle my taxes too? Estonia’s government, famously responsive to tech innovation, decided to answer that question before it became a problem.

There’s also a strategic angle. Estonia wants to remain the global benchmark for digital governance. If it can solve AI identity before larger nations do, it could export the model — just as it did with e-residency and digital signatures.

The Technical Hurdles

Building an AI agent ID isn’t just a legal exercise. The system must prevent fraud, impersonation, and runaway agents. Estonia is exploring blockchain-based audit logs and AI-specific authentication protocols. The agent’s ID would include a cryptographic key pair, but the private key would be held by a trusted hardware module — not the AI model itself.

“The AI doesn’t own its identity. It borrows it from a human,” explained a cybersecurity researcher at Tallinn University of Technology. “If the AI goes rogue, the human pulls the plug.”

What This Means for the Rest of the World

Estonia’s moves often serve as a proof of concept for larger countries. The European Union’s eIDAS regulation already sets cross-border digital identity standards. If Estonia successfully integrates AI agents into its national ID framework, other EU members may follow.

But the precedent cuts both ways. A state-issued AI ID could become a powerful tool for surveillance if safeguards aren’t built in. Privacy advocates warn that giving governments visibility into every AI action on a citizen’s behalf creates a detailed map of their digital life. Estonia’s transparency laws and strong data protection rules may mitigate this, but the model could be abused elsewhere.

There’s also the question of liability. If an AI agent files an incorrect tax return or accidentally reveals private data, who is responsible? Estonia is leaning toward a strict “human in the loop” model — the person must review and approve high-stakes actions. But for low-risk tasks like checking the status of a permit, the AI could act autonomously.

Will Other Countries Copy Estonia?

History suggests yes. Estonia’s e-residency program, launched in 2014, has been replicated by countries from Portugal to the United Arab Emirates. Its digital ID model influenced the design of India’s Aadhaar system and the UK’s Gov.uk Verify.

But AI agent IDs are trickier. They require a mature digital identity infrastructure, a legal framework for AI agency, and public trust in automated systems. Few countries have all three. Estonia does — for now.

Japan and Singapore are also experimenting with AI identity, but Estonia is the first to propose a formal state-issued ID for agents. If the pilot succeeds, expect a wave of similar proposals in Europe and beyond.

The Bigger Picture

This isn’t just about bureaucracy. Giving AI agents state IDs could fundamentally change how people interact with government. Instead of filling out forms, you’d tell your AI to handle it. Instead of remembering deadlines, your AI would remind you — or act automatically.

Estonia is betting that convenience will drive adoption, and that security can keep pace. The next 12 months will show whether that bet pays off. If it does, the little Baltic nation will have set a precedent that reshapes digital governance for decades.

Continue Reading
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

CyberSecurity

Critical Google Dialogflow CX Flaw Could Have Let Attackers Hijack Chatbots

Published

on

Google Dialogflow CX flaw

How a Single Agent Could Compromise an Entire Project

Security researchers at Varonis uncovered a critical vulnerability in Google Dialogflow CX that could have allowed attackers to hijack chatbots and steal sensitive user data. The flaw, now patched by Google, centered on a rogue agent with edit permissions on one Code Block-enabled agent. From there, an attacker could compromise other Code Block-enabled agents within the same Google Cloud project.

The implications were severe. An attacker with edit rights could read live conversations, extract data users shared, and even make bots send attacker-crafted messages—including requests for users to re-enter passwords. That’s a phishing goldmine, wrapped in a trusted chatbot interface.

The Technical Breakdown: What Was at Risk

Dialogflow CX is Google’s conversational AI platform for building sophisticated chatbots. It supports Code Blocks, which let developers run custom code for tasks like calling external APIs or processing user input. The vulnerability exploited a gap in how these Code Blocks handled permissions.

Varonis discovered that an agent with edit access to a Code Block could inject malicious code. That code could then interact with other agents in the same project, reading their conversation logs, modifying responses, and potentially exfiltrating data. The attack didn’t require elevated privileges—just edit rights on one agent.

What an Attacker Could Do

  • Read live conversations: Access real-time chat logs from other agents, capturing sensitive data like credit card numbers, addresses, or login credentials.
  • Steal user data: Extract information users shared with the chatbot, including personal details and payment info.
  • Send attacker-written messages: Impersonate the bot to ask users for passwords or other sensitive information, enabling phishing attacks.

This wasn’t just a theoretical risk. Varonis demonstrated the exploit in a controlled environment, showing how a single compromised agent could cascade into a full project takeover.

Google’s Response: A Patch, But Questions Remain

Google patched the vulnerability after Varonis reported it through its bug bounty program. The fix restricts how Code Blocks interact with other agents, preventing unauthorized access. But the incident raises broader questions about Google Cloud security for AI-powered services.

Enterprises using Dialogflow CX should review their agent permissions. Ensure only trusted users have edit access to Code Blocks. Monitor for unusual activity—like unexpected changes to agent responses or spikes in data access. And consider implementing additional logging for Code Block executions.

Broader Implications for AI Chatbot Security

This flaw isn’t unique to Dialogflow CX. As more companies deploy AI chatbots for customer service, the attack surface grows. Chatbots handle sensitive data—financial details, health information, personal IDs—making them prime targets.

Security researchers have warned that many chatbot platforms lack proper isolation between agents. A vulnerability in one agent can spill over into others, especially when they share the same project or environment. The Dialogflow CX case is a textbook example: a single edit permission became a backdoor to the entire system.

What Developers Should Do Now

If you’re building chatbots on Dialogflow CX or similar platforms, take these steps:

  • Audit permissions: Limit edit access to Code Blocks to a small group of trusted developers. Use Google Cloud IAM roles to enforce least privilege.
  • Enable logging: Turn on audit logs for Code Block executions. Monitor for anomalies like code that reads data from other agents.
  • Review agent isolation: Check if your platform isolates agents properly. If not, consider running high-risk agents in separate projects.
  • Test for injection: Run regular security tests to catch code injection vulnerabilities before attackers do.

The Takeaway: Trust, but Verify

Google’s quick patch is reassuring, but the vulnerability underscores a hard truth: AI platforms are still maturing in their security practices. A flaw that lets a single agent hijack an entire project is a reminder that even cloud giants can miss edge cases.

For enterprises, the lesson is clear. Don’t assume your chatbot platform is secure out of the box. Audit permissions, monitor behavior, and treat every agent as a potential entry point. Because in the world of AI security, it’s not if you’ll find a flaw—it’s when.

Continue Reading

CyberSecurity

RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service

Published

on

RedWing Android malware

RedWing Android malware: A new Telegram rental for bank fraud

A fresh Android malware operation, dubbed RedWing, is being rented out on Telegram as a ready-made bank-fraud service. It lets even low-skill criminals take over a victim’s phone, steal their banking logins, and capture the one-time codes that protect their accounts.

Security researchers at Zimperium‘s zLabs unit, which discovered the operation, say it appears to be a new variant of Oblivion — a $300-a-month rent-a-malware tool that’s been circulating in underground forums since late 2023.

The rise of Malware-as-a-Service (MaaS) on messaging platforms like Telegram is lowering the barrier to entry for cybercrime. RedWing is the latest example, packaging sophisticated Android bank fraud into a subscription model anyone can buy.

How RedWing works: Remote access and OTP theft

RedWing is a Remote Access Trojan (RAT) specifically designed for Android devices. Once installed — often through malicious apps sideloaded from third-party stores or phishing links — it can:

  • Take over the victim’s screen in real time, allowing the attacker to see everything the user does.
  • Steal banking credentials by overlaying fake login pages on top of legitimate banking apps.
  • Intercept one-time passwords (OTPs) sent via SMS, defeating two-factor authentication.
  • Log keystrokes and capture screenshots, giving the attacker full visibility into the device.

The malware communicates with its command-and-control (C2) server over encrypted channels, making detection harder for traditional antivirus tools. Zimperium’s zLabs says RedWing targets over 100 banking apps globally, with a particular focus on European and Latin American financial institutions.

Oblivion connection: A $300-a-month malware family

Zimperium’s analysis reveals strong code similarities between RedWing and the Oblivion malware family. Oblivion, first documented in early 2024, was sold as a subscription service for $300 per month on Telegram and dark web forums. It offered similar capabilities — screen recording, keylogging, and SMS interception — but RedWing appears to be an upgraded version.

Key differences include:

  • Improved obfuscation to evade Google Play Protect and other security scanners.
  • New anti-analysis tricks, such as detecting if it’s running in an emulator or sandbox environment.
  • Expanded target list with more banking apps and cryptocurrency wallets.

The pricing for RedWing hasn’t been disclosed publicly, but Zimperium suspects it follows a similar subscription model. The Telegram channel advertising the service boasts features like “24/7 support” and “regular updates” — a sign that the operators are treating it as a professional business.

Telegram as a marketplace for cybercrime tools

Telegram has become a hub for cybercriminal activity, from selling stolen data to renting out malware. The platform’s encrypted messaging, large file sharing, and channel features make it ideal for underground marketplaces. RedWing’s operators use Telegram channels to advertise their product, provide customer support, and distribute updates.

This isn’t new. Researchers have documented dozens of MaaS operations on Telegram, including ransomware builders, DDoS-for-hire services, and phishing kits. What makes RedWing notable is its focus on Android bank fraud — a lucrative niche where even low-skill attackers can drain accounts if they have the right tools.

For victims, the consequences can be severe: emptied bank accounts, stolen identities, and months of financial recovery. For banks, it means constantly updating fraud detection systems to catch new variants of malware.

How to protect against RedWing and similar threats

Android users can take several steps to reduce their risk:

  • Only install apps from the Google Play Store. Sideloading apps from unknown sources is the primary infection vector for RedWing.
  • Review app permissions carefully. If a flashlight app asks for SMS access or screen overlay permissions, that’s a red flag.
  • Enable Google Play Protect and keep it updated. It won’t catch everything, but it blocks many known malware samples.
  • Use a reputable mobile security app that can detect malicious behavior in real time.
  • Never click on links in unsolicited SMS or email messages claiming to be from your bank. Instead, open your banking app directly.

For security teams, Zimperium recommends monitoring for traffic patterns associated with RedWing’s C2 servers and integrating mobile threat detection into their existing security stack.

The bigger picture: MaaS is here to stay

RedWing is just the latest in a growing wave of Malware-as-a-Service offerings. As long as there’s demand for easy-to-use cybercrime tools, developers will build them and market them on platforms like Telegram. The barrier to entry for digital bank fraud has never been lower.

For consumers, the takeaway is clear: treat your phone like a wallet, because that’s exactly what attackers see it as. And for the security industry, the challenge is keeping up with an ever-evolving threat landscape where a new variant can appear on Telegram overnight.

Zimperium’s full technical report on RedWing is available on their blog, with indicators of compromise (IOCs) for security teams to use. The company says it’s sharing its findings with Google and affected financial institutions to help mitigate the threat.

Continue Reading

CyberSecurity

A Cybersecurity Startup Promising Millions for Zero-Day Exploits Is Run by Convicted Felons

Published

on

offensive cybersecurity startup

The Pitch: Million-Dollar Bounties for Hacker Talent

An aggressive new player has entered the high-stakes world of zero-day acquisitions. IRIS C2, a self-described cybersecurity firm based in McLean, Virginia, is publicly dangling payouts of up to $7 million for previously unknown software vulnerabilities. Its X/Twitter account, launched in January 2025, has already amassed over 4,000 followers by posting about exploits, AI, and security bugs. The company’s website claims it buys “zero-day exploits, individual primitives, partial chains, and full capabilities across all major platforms.”

But the pitch is not what it seems. A deeper look reveals that the people behind IRIS C2 are not your typical security researchers. They are Jack Burkman, 60, and Jacob Wohl, 28 — a duo with a long rap sheet of fraud, felony convictions, and fabricated conspiracy theories.

The Men Behind the Curtain: Burkman and Wohl

Burkman and Wohl have spent years building a reputation for deception. In 2019, they held press conferences falsely accusing then-presidential candidates Elizabeth Warren and Kamala Harris of extramarital affairs. They fabricated sexual assault claims against former FBI Director Robert Mueller and Pete Buttigieg. Their specialty? Creating fake intelligence companies to spread disinformation.

After the 2020 election, the pair orchestrated a massive robocall campaign targeting Black voters in battleground states with false claims about mail-in ballots. They were indicted in Cleveland on 15 felony counts of voter suppression. In late 2025, after exhausting appeals, they were sentenced to probation. Earlier, in 2022, both pleaded guilty to telecommunications fraud in Ohio. In March 2023, a New York civil court ordered them to pay a $1 million settlement for violating federal and state civil rights laws. The FCC followed with a $5.1 million fine — the largest ever under the Telephone Consumer Protection Act.

Wohl’s history of financial crimes goes back even further. At 17, he started multiple investment firms and earned the nickname “Wohl of Wall Street” after appearing on Fox News in 2015. In 2017, the Arizona Corporation Commission charged him with 14 counts of securities fraud. In 2019, he pleaded guilty in California to four felony counts of selling unregistered securities.

How IRIS C2 Connects to the Duo

The IRIS C2 website is registered to Calvexa Group LLC, a Virginia-based federal contractor. The contact page on Calvexa Group’s site redirects visitors to IRIS C2’s domain. Incorporation records list an Arlington, Virginia address — which turns out to be the office of Burkman’s lobbying firm, Burkman & Associates.

When approached by KrebsOnSecurity, Burkman referred questions to Wohl. Wohl admitted that Burkman is not involved in day-to-day operations but confirmed his own role. He claimed IRIS C2 started as a penetration testing company before pivoting to selling phone-hacking services to the government. He said the firm has about 40 employees, though none are allowed to list their jobs on LinkedIn for “operational security reasons.”

A History of Pseudonyms and Shell Companies

This is not the first time Burkman and Wohl have hidden behind fake identities. In September 2024, Politico reported that the pair ran a now-defunct AI lobbying platform called LobbyMatic under the assumed names “Jay Klein” (Wohl) and “Bill Sanders” (Burkman). Two employees quit after learning their bosses’ real identities. Others only found out after leaving the company.

The Oddity of an Open Zero-Day Market

The market for zero-day exploits has always attracted a motley crew: academics, hobbyists, criminals, and legitimate government contractors. But most firms that sell offensive capabilities to the U.S. government operate with discretion. IRIS C2 is an exception. Its public bravado — posting about million-dollar payouts and recruiting “junior engineers with raw talent/extremely high IQ” — is unusual in a field that prizes anonymity.

Wohl, who has no formal training in computer science, told KrebsOnSecurity: “I know more about tech than anyone. My background has always been extremely technical.” He claimed researchers bring him “spectacularly exquisite capabilities that would make your head spin.” But when pressed on federal contracts, he clammed up, citing national security.

What This Means for the Cybersecurity Community

For vulnerability researchers, the warning is clear: not every buyer is who they claim to be. A company offering life-changing money for exploits might be run by convicted felons with a history of fraud. The offensive cybersecurity startup IRIS C2 may have legitimate aspirations, but its founders’ track record raises serious red flags.

Researchers considering selling their work should vet buyers thoroughly. Check incorporation records. Search for legal judgments. Ask for references. The zero-day market is lucrative, but it’s also a playground for fraudsters. Burkman and Wohl have proven they can reinvent themselves — but their past keeps catching up.

As one conference attendee told KrebsOnSecurity, Wohl and Calvexa Group were aggressively soliciting vulnerability researchers at a recent cybersecurity event. The message was simple: they wanted to buy exploits. The subtext, now clear, is that the sellers should have asked more questions.

Continue Reading

Trending