Darknet Diaries

174: Pacific Rim

May 5, 2026
Craig Jones, a former Sophos security leader, and Andrew Brandt, a veteran threat researcher, unpack a six-year cyber war with suspected Chinese operators. They cover stolen firewall source code, mass exploitation of 80,000 devices, emergency remote hotfixes, covert countermeasures, domain seizures, targeted APAC intrusions, and the chilling discovery of a possible UEFI bootkit.
AI Snips
INSIGHT

Transparency Became Part Of Sophos's Defense Strategy

  • Sophos argued transparency mattered because every firewall vendor seemed to be facing similar zero-day pressure, even if others stayed quiet.
  • Jack Rhysider framed the ethical test for a vendor that touches customer devices as three questions: did it disclose what it did, did it limit what it did, and who is accountable for it.
ANECDOTE

Sophos And Dutch Police Took Over The Attack Infrastructure

  • Sophos seized attacker lookalike domains through court action and worked with Dutch authorities to gain live access to the C2 server in the Netherlands.
  • Craig Jones saw scanning scripts, stolen outputs, and Chinese notes directly on the server during screen-shared analysis.
ANECDOTE

The Baja Attack Showed The Adversary Could Adapt Fast

  • Within weeks, the attackers reversed the first hotfix, launched a new exploit called Baja, and learned how to disable hotfix features.
  • This round used web shells for direct access instead of relying on separate command-and-control servers.