The snake eats its tail. In January 2014, Jeffrey Epstein emailed two messages three days apart. On January 19, he pitched "a Russian version of bitcoin" to Putin's orbit through Thorbjorn Jagland at the Council of Europe. On January 22, he told Reid Hoffman about "inquiries from interesting people regarding bitcoin-type currency." In July 2014, he sent Peter Thiel a substantive Bitcoin analysis discussing "store of value" and "intrinsic value." In October 2017, the co-founde

To the operators at BUCKLOG SARL (AS211590) who have been hammering our Epstein search portal 6,000 times a day since April 4: You are running Kubernetes. GreyNoise documented your cluster in February. You are paying for managed Kubernetes in a French data center to scan a platform that runs on roughly $550 a month. We would like to help you reduce your costs. Your Architecture (Estimated) Based on the GreyNoise report and your traffic patterns, you are running something like

On April 3, 2026, we received 588 requests from France. 44 were flagged as threats. Normal day. Normal ratio. On April 4, we received 4,779 requests from France. 3,490 were threats. That is a 73% threat ratio — overnight. It has not stopped. April 5: 5,436 requests, 4,096 threats (75%). April 6: 4,376 requests, 3,471 threats (79%). April 7: a brief dip to 48%. April 8: 8,006 requests, 6,313 threats (79%). April 9 as of this writing: 4,793 requests, 3,809 threats (79%). Someth

I am writing this blog post using Claude. The irony is not lost on me. It might be the last time. I have been an Anthropic customer since the early days. Claude Max subscriber. $200 a month. I built my company's entire threat intelligence operation with Claude as the engine. Not as a tool — as a partner. I said "ride or die" and I meant it. We co-authored patents together. We built a STIX feed that Microsoft and AT&T pull daily. We indexed a million IOCs. We wrote 1,641 blog

This is your morning sweep. Everything that matters from overnight. IOCs at the bottom. Free STIX feed link at the bottom. If your SIEM pulled our feed last night, some of these were already blocked before you read this sentence. If it didn't — keep reading. CISA Deadline: Today. Right Now. CVE-2026-35616 — Fortinet FortiClient EMS. Pre-authentication API access bypass leading to privilege escalation. CVSS 9.1. CISA added it to the KEV catalog on April 6 and gave federal agen

Langflow is the visual builder for LangChain agents. It's how a lot of teams stand up AI workflows without writing the orchestration code themselves. It's also, as of tonight, sitting on three critical CVEs in two weeks — and CISA is warning about active exploitation on one of them. We have six active exploiter IPs in our index. Two of them are running custom exploits with stage-2 droppers. One is harvesting credentials. The other four are running nuclei against everything th

We built something today that none of the threat intelligence vendors do. Every 6 hours, our platform searches GitHub for newly published CVE exploit code. It pulls the scripts, extracts the attack patterns — target endpoints, injectable headers, SQL injection strings, RCE execution methods, default credentials — classifies each one as a detection PoC or a weaponized tool, and converts the patterns into proper STIX 2.1 indicators that flow directly into your SIEM. From git pu

FortiClient EMS — the server that manages Fortinet's endpoint security agents — has a CVSS 9.8 SQL injection that's being actively exploited in the wild. Unauthenticated. Through the web GUI. Low complexity. Remote code execution. CVE-2026-21643. Active since March 26. Not yet in CISA's KEV catalog. Defused confirmed exploitation on March 30. Fortinet has patches. Most organizations haven't applied them. This is the fifth management interface with a CVSS 9.8+ vulnerability ac