… Happy Tuesday 021125 – Axios Codebook …


Axios Codebook

By Sam Sabin · Feb 11, 2025
Happy Tuesday! 

  • 📬 Have thoughts, feedback or scoops to share? codebook@axios.com.
  • 📲 Need to chat securely? Find me on Signal: @SamSabin.01

Today’s newsletter is 1,574 words, a 6-minute read.

1 big thing: Data security fears pile up over DOGE probes
Illustration: Annelise Capossela/Axios
As Elon Musk and his people weave their way through federal agencies, security experts warn that the team’s wide-reaching access poses unprecedented risks — including potential data leaks, insider threats, and violations of federal security protocols.

Why it matters: While Musk and President Trump say the Department of Government Efficiency is focused on uncovering fraud, security experts caution that DOGE’s rapid onboarding of employees with access to sensitive government data increases the risk of both intentional and accidental security breaches.

The big picture: Former government officials, security executives and surveillance experts say DOGE’s structure and quick pace could exacerbate insider threats.

  • Rapid firings and hirings across agencies may create uncertainty about who is authorized to access key systems.
  • New DOGE employees — cleared through an expedited vetting process — may not fully understand the classification or sensitivity of the data they are handling.
  • Some security professionals fear DOGE may be collecting vast amounts of government data, potentially creating new attack vectors for hackers or misusing information for political purposes.

Between the lines: The U.S. government has provided little transparency about which data sets DOGE is accessing, who has been granted access, and whether federal data security laws are being followed.

  • Musk has dismissed concerns about data privacy, stating on X that neither he nor his team is interested in personal data.
  • “I’m 1000% more trustworthy than untold numbers of deep state bureaucrats and fraudsters who may be misusing your [Social Security number] right now,” Musk posted yesterday.

Driving the news: Reports have called into question whether DOGE is prioritizing cybersecurity.

  • Tom Krause, a tech executive and DOGE ally based in the Treasury Department, previously led cost-cutting and layoffs at Citrix — but those moves left the company more vulnerable to cyberattacks, former employees told Bloomberg.
  • 19-year-old Edward Coristine, a DOGE employee, was fired from a cybersecurity internship for leaking company secrets and allegedly has ties to cybercriminal circles, according to media reports.
  • Coristine is now listed as a senior adviser at the State Department’s Bureau of Diplomatic Technology, which handles both sensitive and nonsensitive government data, per the Washington Post.

Between the lines: Insider risk increases during both mass layoffs and rapid hiring, said Marshall Heilman, CEO of insider risk firm Dtex Systems.

  • Unlike with classified networks, the federal government does not have a mandated system for monitoring insider threats on unclassified systems, he added.
  • “Many people who have access to [unclassified systems] also have access to the classified networks, and so a lot of the behaviors you might see in terms of who’s intentionally going to cause harm, you’re going to see on the unclassified side first,” Heilman said.

Zoom in: Federal agencies typically follow zero-trust security protocols, which limit employee access to internal systems, a former U.S. cyber official told Axios.

  • The official, who requested anonymity to avoid retaliation, said new employees typically undergo a background check going back 15 years to obtain the top-secret security clearance needed to access sensitive operations, like Treasury’s payment system.
  • Once inside certain government networks, DOGE employees may have access to data on U.S. national security priorities, including Ukraine and NATO funding, nuclear defense strategies, and other intelligence of value to foreign adversaries, the official said.

What they’re saying: “I don’t know how he will use a lot of that data, I don’t know how he wants to use that data — all I know is that he is really breaking things faster than he knows how to make anything of use out of it,” Albert Fox Cahn, founder and executive director of the Surveillance Technology Oversight Project, told Axios.

What we’re watching: The long-term impact of DOGE’s reported security gaps remains unclear, but cybersecurity experts warn a breach is inevitable.

  • “It’s just a matter of time before there’s a massive breach,” the former official said. “Whatever the data is that’s breached, it’s going to be embarrassing, it’s going to be more than newsworthy, it’s going to be very damaging and nobody’s ready for it.”
2. Law enforcement targets 8Base ransomware
Illustration: Aïda Amer/Axios
International law enforcement has arrested four people suspected of leading the 8Base ransomware gang and has seized 27 of their servers, according to a Europol news release today.

Why it matters: The arrests and web server seizures deal a serious blow to the ransomware gang, which has targeted organizations primarily in the U.S. and Brazil, including the United Nations Development Programme.

Driving the news: Security researchers noticed yesterday that 8Base’s dark-web data leak site had a seizure notice from law enforcement agencies in Europe, Japan, the U.S. and the United Kingdom.

  • “This hidden site has been seized,” the notice reads.

Zoom in: Four suspected hackers were arrested in Thailand as part of the operation, according to Bavarian police.

  • Europol says law enforcement has warned more than 400 companies worldwide about ongoing or imminent 8Base ransomware attacks because of the investigation.
  • Law enforcement in 14 countries, including the U.S., assisted in the investigation.

Catch up quick: 8Base has been connected to ransomware attacks as far back as 2022, and the gang is known for a double-extortion model where it pressures victims to pay twice — once for a decryption key and a second time to keep hackers from publishing stolen data.

  • The gang is considered the largest affiliate of the Phobos ransomware gang, according to Bavarian police. Phobos operates under a ransomware-as-a-service model, where operators license their malware to freelance hackers for their own attacks.
  • 8Base has targeted organizations in the manufacturing, technology, education, financial and transportation sectors over the years.

The big picture: Arrests of top ransomware operators are rare.

  • Many ransomware hackers are based in Russia, and the Kremlin is unlikely to extradite any of them.
  • This is why law enforcement also focuses on seizing servers: Taking down gangs’ online infrastructure removes the forums where they boast about attacks, recruit new members and host their malware.

Yes, but: Ransomware gangs often can bounce back from these takedowns — even though it does take some time.

3. AI security needs a rework, hacker group says
Illustration: Maura Losch/Axios
A prominent group of hackers warns that without a fundamental overhaul of current security practices, AI vulnerabilities will continue to pose serious risks.

Why it matters: Well-intentioned hackers say it’s still too easy to probe AI systems and tools — and if they can get in, imagine what the bad guys can do.

Driving the news: Organizers of the DEF CON hacker conference released their first “Hackers’ Almanack” last week, detailing key takeaways and findings from the summer’s annual hacker gathering.

  • The report, published in partnership with the Cyber Policy Initiative at the University of Chicago, comes as top AI executives, heads of state, academics and nonprofit leaders gather in Paris this week to discuss a range of AI safety and security topics.

Zoom in: Governments around the world have been calling for AI companies to lean on red teaming — where ethical hackers try breaking into a system to help organizations — to improve AI security and safety.

  • But that system doesn’t account for the “unknown unknowns” that AI model operators are constantly looking for, Sven Cattell, an organizer of DEF CON’s AI Village, wrote in the Almanack.
  • Unlike traditional software security, AI vulnerabilities emerge unpredictably, making one-off red-teaming exercises insufficient.
  • Instead, DEF CON organizers argue that AI security should follow the model of traditional cybersecurity, where vulnerabilities are systematically tracked and addressed similarly to the Common Vulnerabilities and Exposures system. The CVE system, run by research organization Mitre, rates the severity of a flaw found in an online system.
  • “The goal of AI security is not to make it impossible to break a system, but to make any such break expensive and short lived,” Cattell wrote.

The big picture: DEF CON’s call for change comes as tech companies and the Trump administration move away from prioritizing AI safety in policy discussions.

  • Google recently removed language from its AI policy that barred it from creating “technologies that cause or are likely to cause harm.”
  • One of Trump’s first acts when he returned to office was to revoke former President Biden’s AI executive order, which had several AI safety principles.
4. Catch up quick
@ D.C.

🗳️ About six employees at the Cybersecurity and Infrastructure Security Agency who focused on election security were put on administrative leave last week. (Politico)

🧽 The National Security Agency was directed to scrub websites and internal network content for mentions of 27 newly banned words, including “privilege” — which is also a popular security term that describes what level of access people have to key system data. (Popular Information)

❌ The Senate has banned DeepSeek on its networks and work devices, following a similar move in the House. (Axios Pro)

@ Industry

🚧 Meta issued a memo saying privacy teams will no longer be able to delay product releases, adding that some previous decisions were overly “risk-averse.” (The Information)

👀 TikTok CEO Shou Chew pitched the White House on a new joint venture with U.S. investors that would oversee the app’s data security protocols. (Wall Street Journal)

@ Hackers and hacks

⚠️ Apple released an update fixing a security flaw that “may have been exploited in an extremely sophisticated attack against specific targeted individuals.” (TechCrunch)

📰 Lee Enterprises, the parent company of more than 70 daily newspapers across the U.S., says a “cybersecurity event” disrupted its daily operations last week, resulting in website failures and many newspapers not printing. (New York Times)

5. 1 fun thing
📲 I’ve been having some fun scrolling through this new site, which brings the TikTok-style endless scrolling stream to Wikipedia articles.

☀️ See y’all Friday!

Thanks to Megan Morrone for editing and Khalid Adad for copy editing this newsletter.
