Seriously Risky Business Newsletter
February 27, 2025
Canada's Expulsion From Five Eyes Would Be a Disaster
Policy & Intelligence
Your weekly dose of Seriously Risky Business news is written by Tom Uren and edited by Patrick Gray. It's supported by Lawfare with help from the William and Flora Hewlett Foundation. This week's edition is sponsored by Nucleus Security.
You can hear a podcast discussion of this newsletter by searching for "Risky Business News" in your podcatcher or subscribing via this RSS feed.

The Financial Times has reported that Peter Navarro, one of President Trump's closest advisors, is pushing for the US to remove Canada from the Five Eyes intelligence alliance.
Trump has said he wants to make Canada the 51st American state amid a tariff dispute. Per the FT:
The people familiar with the situation said Navarro, who has easy access to the Oval Office due to his close relationship with Trump, is arguing that the US should increase pressure on Canada by evicting the country from the Five Eyes.
Navarro did not respond to Financial Times requests for comment, but denied pushing the idea after the article was published. Per The Hill:
Navarro slammed the piece to reporters, noting the Times reporting didn't name its sources.
"My view is that we should never have to comment on any story where it's based on unnamed sources," he said, adding, "We would never, ever jeopardize our national security, ever, with allies like Canada, ever."
That sounds a lot like a non-denial denial to us.
Disrupting the Five Eyes would be extremely damaging. The Financial Times quoted a current intelligence official who said "sitting where I'm sitting and looking at the array of threats that are coming at us, we need all the partners we can get".
In addition to losing the intelligence that it provides, kicking Canada out of the Five Eyes would undermine the trust that is the bedrock of that kind of alliance.
It would also prompt other members to question America's commitment to the alliance and reevaluate their agencies' relationships abroad.
Sweden's Signal Paradox
The Swedish government is proposing legislation that would require encrypted messaging apps to archive messages so they could be provided to authorities under warrant. Even if the legislation passes, it is unlikely to have the desired effect. Small countries like Sweden do not have the political or economic heft to impose their will on global technology organisations.
The Swedish debate is a nice vignette of the wider encryption argument, with both sides of what we call exceptional or lawful access represented. Sweden's law enforcement and security agencies support the proposed bill, saying they need lawful access to catch criminals. But the country's own armed forces have recommended their personnel use Signal. They oppose the bill and wrote in a letter to the government that it cannot be implemented "without introducing vulnerabilities and backdoors that could be exploited by third parties".
The proposal doesn't break encryption in end-to-end encrypted messaging apps per se, but effectively undermines the security guarantees that these messengers provide.
Signal Foundation President Meredith Whittaker told Swedish media outlet SVT News that Signal would leave the Swedish market if the bill was passed.
That's not unexpected. When it comes to smaller countries like Sweden, withdrawing services is a practical option for international tech organisations that want to avoid complying with laws they don't like.
This week, for example, Apple announced that it would no longer offer Advanced Data Protection (ADP), a warrant-proof iCloud encryption service, in the UK. The company removed the service from Britain rather than complying with a UK government order to develop a lawful access capability for iCloud backups protected by ADP.
To date, in liberal democracies, there hasn't been the political will to try to force companies to comply with these types of orders. The UK found the political will, and this is the result.
Cryptocurrency Cockroaches Crippled, Not Killed
Financial sanctions have dented illicit cryptocurrency activities in the past year but the infrastructure supporting crime is resilient and remains active, according to a new report.
The report, from blockchain analysis firm Chainalysis, examines how recent government actions have affected the cryptocurrency ecosystem.
In 2024 there was a series of "major crackdowns on Russian-linked crypto entities that played key roles supporting Russia's war economy, illicit cyber activities, and organized crime networks".
Many of these actions were focussed on Russian-linked entities. These include the sanctioning of a Russian UAV developer supplying drones to Russian forces in Ukraine, the seizure of 47 Russian-language cryptocurrency exchanges that did not observe Know Your Customer (KYC) protocols and the dismantling of a money laundering network.
These sanctions and disruption operations have been impactful.
When it comes to Russian-language no-KYC exchanges, Chainalysis reports that overall inflows have declined, "reflecting the disruptive impact of US and international sanctions measures".
It's not all good news though. Much like cockroaches after the nuclear winter, rebrands of previously dismantled exchanges rise to crawl the earth once more. There are now more no-KYC exchanges than ever before. That's disconcerting, for sure. But they're converting less money, so it's still a win (so far).
Another cryptocurrency cockroach, Tornado Cash, features in the report. This one’s a cryptocurrency mixer that attempts to launder illicit funds by combining them with legitimate money flows.
Tornado Cash was sanctioned in 2022 for facilitating the laundering of USD$455 million in stolen funds. However, the service is an Ethereum smart contract that, in theory, cannot be shut down and continues to operate, "despite OFAC [US Treasury] sanctions, legal action and the arrests of its developers".
Inflows to Tornado Cash dropped nearly 90% after it was sanctioned, but it is still limping along. Chainalysis says it "still facilitates hundreds of millions of dollars in transactions each month". In 2024 about a quarter of inflows to Tornado Cash were from stolen funds.
North Korean cryptocurrency thefts, meanwhile, continue unabated. Chainalysis says that in 2023, actors affiliated with North Korea stole about USD$660 million in 20 incidents. Those numbers more than doubled in 2024, with USD$1.34 billion stolen across 47 incidents.
Last week alone, North Korea stole USD$1.5 billion in a hack of the Bybit cryptocurrency exchange. Way to hit your KPIs, guys! Someone's getting a waffle party! (Adam Boileau and Patrick Gray discuss the details of the hack in this week's Risky Business podcast and it is covered in Risky Bulletin).
They'll be able to turn that stolen Ethereum into real money, too. North Korea has well-oiled cryptocurrency laundering processes. In a post related to the Bybit hack, Chainalysis said North Korea's processes include moving stolen assets "through a complex web of intermediary addresses"; conversion from ETH into other cryptocurrencies using decentralised exchanges, cross-chain bridges and a no-KYC instant swap service; and holding funds for a while to avoid the heightened attention immediately after a high-profile breach.
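The laundering pattern described above is also what makes the freezes mentioned below possible: investigators follow stolen value hop by hop and flag the addresses it lands on. The script here is an added illustration of that tracing, not code from the newsletter or from Chainalysis. It assumes a small constructed ledger with placeholder address labels, treats the first row as the theft, and uses a simple proportional ("haircut") rule: each address passes on the same tainted fraction it received. It also reports how long a sender held tainted funds before moving them, which is the "park it for a while" step from the post, and which it generalises into a configurable hold threshold.

```python
"""Follow stolen funds across intermediary addresses (constructed example).

Hypothetical code, not Chainalysis's tooling. The ledger is built by hand
and every address is a placeholder label, not a real on-chain address.
"""
from collections import defaultdict

# Constructed ledger rows: (time_hours, sender, receiver, amount, kind).
# kind is "transfer", "swap" (decentralised exchange) or "bridge" (cross-chain).
TXS = [
    (0, "EXCHANGE_HOT", "THIEF_A", 100.0, "transfer"),  # the theft itself
    (1, "THIEF_A", "HOP_1", 60.0, "transfer"),
    (1, "THIEF_A", "HOP_2", 40.0, "transfer"),
    (2, "CLEAN_USER", "HOP_2", 40.0, "transfer"),  # legitimate funds mixing in
    (3, "HOP_1", "DEX_POOL", 60.0, "swap"),
    (5, "HOP_2", "BRIDGE", 50.0, "bridge"),
    (30, "HOP_2", "PARKED", 30.0, "transfer"),  # moved only after a long hold
]


def trace_taint(txs, theft_tx, hold_threshold_h=24):
    """Proportional ("haircut") taint tracing over a time-ordered ledger.

    An address's tainted fraction is tainted inflow / total inflow, and every
    transaction it sends carries that fraction. Returns:
      tainted: tainted value credited to each address
      hops:    number of transfers between the theft and each tainted address
      flagged: transactions that carried tainted value, with the sender's hold
               time and a 'parked' mark when that hold exceeds the threshold
    """
    tainted = defaultdict(float)
    total_in = defaultdict(float)
    hops = {}
    first_seen = {}  # hour at which an address first received tainted value
    flagged = []
    for tx in sorted(txs):
        t, src, dst, amt, kind = tx
        if tx == theft_tx:
            share, hop, held = amt, 0, None  # seed: the theft is fully tainted
        else:
            frac = tainted[src] / total_in[src] if total_in[src] else 0.0
            share = amt * frac
            hop = hops.get(src, -1) + 1
            held = t - first_seen[src] if src in first_seen else None
        total_in[dst] += amt
        if share > 0:
            tainted[dst] += share
            hops[dst] = min(hops.get(dst, hop), hop)
            first_seen.setdefault(dst, t)
            flagged.append({
                "time_h": t, "sender": src, "receiver": dst, "kind": kind,
                "tainted_share": share, "held_h": held,
                "parked": held is not None and held >= hold_threshold_h,
            })
    return dict(tainted), hops, flagged


def unrecovered_at_sinks(txs, tainted):
    """Tainted value sitting at addresses with no outgoing transactions,
    i.e. the places an investigator would ask an exchange or bridge to freeze."""
    senders = {src for _, src, _, _, _ in txs}
    return sum(v for addr, v in tainted.items() if addr not in senders)


if __name__ == "__main__":
    tainted, hops, flagged = trace_taint(TXS, TXS[0])
    for f in flagged:
        print(f"{f['time_h']:>3}h {f['sender']:>12} -> {f['receiver']:<9} "
              f"{f['kind']:<8} tainted={f['tainted_share']:6.1f} "
              f"held={f['held_h']} parked={f['parked']}")
    print("hops:", hops)
    print("unrecovered at sinks:", unrecovered_at_sinks(TXS, tainted))
```

With the constructed ledger, HOP_2 mixes 40 stolen with 40 clean, so half of everything it later sends is tainted; the 60 that went through the DEX pool, 25 through the bridge and 15 parked address add back up to the full 100 stolen. The haircut rule is one of several conventions (others follow first-in-first-out or mark any touched output as wholly tainted), and which one a tracing team uses affects who they ask to freeze what.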
Chainalysis says that it has collaborated across the industry and has helped to freeze more than USD$40 million stolen in the Bybit hack. For those keeping count, that's only USD$1.46 billion to go.
In a way, we're glad that North Korea focuses on cryptocurrency. We'd hate to see them get involved in ransomware in a big way, where the crimes involve serious disruption.
Three Reasons to Be Cheerful This Week:
- Gmail to ditch SMS for authentication: Google's Gmail service is planning to drop SMS codes for authentication and will replace them with QR codes. Rather than enter the code after receiving a text message, a user will be presented with a QR code that they scan with their phone. Google says this will reduce the risk of phishing, although we are not convinced. A QR code can still be phished. But it does reduce the risk of SIM-swapping. Forbes has more coverage.
- Ransomware group BlackBasta implodes: A member of the BlackBasta Ransomware-as-a-Service group has leaked internal Matrix chat logs on the dark web. The information is being mined by cybersecurity researchers. It seems that the group was already in its death throes and had effectively ceased operations since the beginning of the year. More coverage in Risky Business News.
- Meta sues Instagram abuser: Meta claims Idriss Qibaa, a Las Vegas man, ran an online service that sold, among other things, the ability to disable and reinstate Instagram accounts and is suing him for violating Instagram terms of use. Instagram abuse is rampant, so at least Meta is trying a different approach to rein it in. The US Department of Justice has already indicted Qibaa for sending death threats by text message.
Sponsor Section
In this Risky Business News sponsor interview, Catalin Cimpanu talks with Aaron Attarzadeh, Enterprise Security Engineer at Nucleus. Aaron goes into new concepts for the vulnerability management scene, such as asset correlation and asset linking.
Shorts
Full Speed Ahead for US Cyber Operations
Current Pentagon leadership wants changes that will unshackle Cyber Command while at the same time its former head thinks that more aggressive cyber operations are needed.
According to The Record , the Pentagon is looking to remove barriers preventing cyber operations:
…the Pentagon asked Cyber Command to compile a list of authorities it needs to be more effective, as well as any regulations that hinder its ability to conduct operations online, according to a former U.S. official, who spoke on the condition of anonymity.
Secretary of Defense Pete Hegseth has also asked that work on a US Cyber Command restructuring plan, dubbed 'Cyber Command 2.0', be accelerated.
So, within the Pentagon, leadership wants a more capable Cyber Command, quickly.
Retired General Paul Nakasone, the former head of Cyber Command and NSA, also thinks US Cyber Command needs to be more aggressive in cyberspace. He told CyberScoop the US is "increasingly behind" its adversaries in cyberspace and that more aggressive cyber operations are required.
Back in November last year we wrote to "expect more covert action under [President] Trump". It looks like we were right.
Australian Government Bans Kaspersky
The Australian Government has banned Kaspersky Lab products from its systems on security grounds.
The government's directive says Kaspersky Lab products and services present an "unacceptable security risk to Australian Government, networks and data, arising from threats of foreign interference, espionage and sabotage".
Kaspersky Lab products have to be ripped out by April 1. Australia is probably not the highest priority target for potential Russian state operations, but we are surprised this has taken so long. The US and the UK banned the use of Kaspersky on government systems in 2017 and Canada banned it in 2023.
Risky Biz Talks
You can find the audio edition of this newsletter and other fine podcasts and interviews in the Risky Biz News feed (RSS, iTunes or Spotify).
In our last "Between Two Nerds" discussion Tom Uren and The Grugq examine the fundamental principles of network exploitation as described in Matthew Monte's 'Network Attacks and Exploitation: A Framework' book using recent hacks as case studies.
Or watch it on YouTube!
From Risky Bulletin:
Italian priest targeted with spyware: An Italian priest close to the Pope has revealed he was the target of advanced spyware. Father Mattia Ferrari says he received a security alert from Meta that his account was targeted "by unidentified government entities." Father Ferrari serves as chaplain on a migrant rescue ship owned by an NGO. The NGO's founder revealed earlier this month that he was one of the 90 victims targeted with spyware made by the Israel-based company Paragon Solutions. The attacks were initially revealed by Meta's WhatsApp team. Paragon Solutions cut off the Italian government's access to its surveillance tools after several Italian activists said they received Meta's alerts about the attacks.
[Additional coverage in The Guardian]
North Korean hackers steal $1.5 billion from Bybit: North Korean hackers have stolen over $1.5 billion worth of crypto assets from Bybit, the world's second-largest cryptocurrency exchange.
The incident represents the largest crypto-heist in history (and the largest heist of any kind as well) and is almost 2.5 times larger than the previous leader—the theft of $625 million from the Ronin Network in April 2022.
The hack took place on Friday, February 21, and is considered one of the most complex crypto-heists ever pulled.
The attackers infiltrated Bybit's network, studied the company's internal procedures, identified and then infected with malware all the employees who typically sign off on the movement of the company's funds.
[more on Risky Business News]
BlackBasta implodes, internal chats leak online: Internal strife and conflicts appear to have led to the implosion of another successful Ransomware-as-a-Service platform—this time, BlackBasta, one of last year's most active ransomware groups.
Everything came crashing down last week when one of the BlackBasta members leaked the group's internal Matrix chat logs on the dark web.
The leaker said they shared the data after one of the BlackBasta affiliates launched brute-force attacks targeting Russian banks—a move the leaker didn't agree with because they feared it would trigger an aggressive response from Russian authorities.
The internal chat leak appears to have been the last twitch of an already dead body, according to Swiss security firm Prodaft, which first spotted the leaked files.
[more on Risky Business News, including how BlackBasta has effectively ceased operations]