At the Tuscany Lightning Summit 2026 in Viareggio, our CTO Francesco Baccaro stood in front of some of the most paranoid engineers in the Bitcoin ecosystem and told them their cryptography wasn’t the problem. The $1.46B Bybit heist, the rise of Permit and EIP-7702 phishing, and a hard truth the crypto industry keeps ignoring.
Two breaches. Eight months. Same group. ShinyHunters tore through Instructure again: 3.65 TB, 275 million records, 9,000 institutions. Device Code Flow plus a phone call. Passkeys don’t help. Here’s the playbook and the defenses.
[email protected] sent the phishing email. DKIM, SPF, DMARC all green. The attacker never spoofed anything โ they got Robinhood to deliver the payload for them. Here is the chain, the code, and why your awareness training is now obsolete.
A โฌ5 gadget. A postcard. 24 hours of real-time tracking on a โฌ500 million NATO frigate. The trust model wasn’t hacked โ it was never there. Full technical breakdown and defensive tools inside.
Between December 2025 and February 2026, one attacker breached nine Mexican government organizations using a dual-AI workflow: Claude Code for live exploitation, GPT-4.1 for post-exploitation reconnaissance at scale. 75% of remote command execution was AI-generated. RCE on a federal server in 40 minutes. This is the PacketHunters breakdown, including defensive scripts and what the forgery system built afterward means for your incident response assumptions.
Mandiant’s M-Trends 2025 confirms it. Voice phishing surged. Email phishing collapsed. Your stack is not the problem. The person who picked up the phone is. And nobody tested them.
Smart contract exploits are declining. Human-layer attacks are not. In 2025, phishing led all crypto attack categories by incident count. We reconstructed three anonymized breach patterns (an exchange, a DeFi protocol, a Web3 startup) and built detection scripts around the OSINT surface each one exposed before the attack landed.
Your job postings just told an attacker which VPN you run. Your engineers’ LinkedIn certs identified your EDR. Certificate transparency logs exposed your internal subdomains. This is the recon phase โ and it happens entirely before anyone touches your network.
Before a phishing email is written, attackers already understand your company. Using OSINT sources like LinkedIn, GitHub, and public infrastructure data, they map employees, tools, and internal patterns to craft believable attacks. This PacketHunters analysis explores how exposure fuels modern phishing reconnaissance.
Before a phishing email is written, your company has already been profiled. Names, roles, email patterns, VPN portals, cloud providers โ all gathered through open sources in under 20 minutes. In this PacketHunters breakdown, we map real organizational exposure using OSINT and Python, and show why phishing defense starts long before the first malicious link is sent.
