May 18, 2026
Fired on Teams Then Deleted 96 Databases, Fake Mustache Fools Age Verification & AI Finds a Stoner's Bitcoin

This week twin brothers got fired on a Teams call, forgot it was still recording, and deleted 96 government databases while talking through the whole thing out loud. Kids are beating age verification by drawing on a mustache with a makeup pencil, and it's working. Google has confirmed for the first time that hackers used AI to find and exploit a zero-day in the wild. And a stoner who lost his Bitcoin password while high in 2015 just recovered $400,000 with help from AI and possibly the greatest password ever created.

We've also got an update on the Canvas breach (Instructure paid ShinyHunters, nobody believes the data is gone), a telehealth breach that hit over 700,000 patients, a fake Claude Code installer catching developers through Google Ads, and a researcher who found that anyone who can read your Audi's VIN through the windscreen can add your car to their account.

All of that is in this week's The Awareness Angle!

Watch or listen to the episode today - YouTube | Spotify | Apple Podcasts

Visit riskycreative.com for past episodes, our blog, and our merch.



Introducing The Awareness Practitioners

A new podcast for the people making security human.

Oli talks about his rapid career progression over just a few years

This week on The Awareness Practitioners, I'm joined by Oli Inkley. Oli is a principal security awareness and culture lead at Marks and Spencer, and someone I've known for about four and a half years. I recruited him into his first awareness role, and since then he's built champions programmes across three major retailers.

We talk about what it's actually like coming into this career from a completely different world. Oli started on the Waitrose shop floor. No security background, no technical qualifications. He talks about how he learned to hold conversations with engineers, why every organisation needs a different approach even when they look the same from the outside, and where the human side of this work matters more than any tool.

If you're in the space, thinking about joining it, or wondering whether you need a technical background to do this job well, this one's worth 30 minutes of your time.

Listen now on Spotify, Apple Podcasts, and YouTube.

LIMITED AVAILABILITY - London Security Awareness Workshop

A free workshop for Awareness Pros on June 10th in London


Secure Culture Workshop - London, 10th June

If you work in security awareness and your Cybersecurity Awareness Month plan is still "send some phishing emails and hope for the best," this is for you. A small, practitioner-only session powered by the wonderful people at Hoxhunt. No vendor pitches, no panels, no PowerPoint. Just people who do this work every day sharing what actually works and walking out with a real plan for October.

Join Maxime Cartier, Susanna Haavisto and me in London on June 10th. There are only 50 places and we're already running low, so grab one while you can. We'll probably grab a drink afterwards too!

Click here for more information and to register your interest.

This Week's Stories...

Twin Brothers Deleted 96 Government Databases While Still on a Recorded Teams Call

www.arstechnica.com/tech-policy/2026/05/drop-database-what-not-to-do-after-losing-an-it-job/

Twin brothers working for a federal IT contractor got fired on a Teams call after a background check turned up a prior felony conviction. One brother's access was cut immediately. The other had connected to the VPN ten minutes before the meeting and still had full access. While HR was wrapping up, he started deleting 96 government databases.

The problem? They forgot the call was still recording. The entire conversation was captured, including "People are logged out for the day, this is the perfect time" and "Don't worry about it. You don't do nothing." As we discussed on the podcast, these aren't stupid people. They could write Python scripts and manage production databases, but they forgot to hang up. Both now face potentially decades in prison.

Awareness Angles

  • Access should end the second someone is fired - One brother connected to the VPN before the termination call even started and still had full access minutes after being told he was gone. Offboarding that doesn't include immediate access revocation across every system isn't offboarding at all. Send this story to your HR team and ask if this could happen where you work.
  • Background checks are not optional for privileged access roles - Both brothers had prior federal convictions for computer fraud. They were hired anyway. If you're giving someone the keys to production databases, you need to know who you're handing them to.
  • Everything on corporate platforms is evidence - The entire sabotage was captured because they stayed on a recorded Teams call. Anything said or done on a corporate platform can and will be used as evidence if things go wrong.


Kids Are Bypassing Age Verification With a Fake Mustache

www.techcrunch.com/2026/05/06/some-kids-are-bypassing-age-verification-checks-with-a-fake-mustache/

UK nonprofit Internet Matters surveyed around 1,300 children aged 9 to 16, and the results are roughly what you'd expect if you've ever met a child. About half said age verification checks are easy to bypass, and roughly a third said they've already done it. Methods include drawing facial hair with a makeup pencil, pointing the camera at a video game character (Death Stranding came up again from a previous episode), pulling funny faces, using fake birthdates, and borrowing a parent's ID. Only 17% said they found it difficult.

Ant had a great moment on the show where he admitted that when his son went through age verification on Roblox a few weeks ago, he genuinely thought "that's all right, they're checking his age." Even doing this every week, he fell for the sense of security it creates. That's the whole problem. Parents, regulators, and platforms all feel like the box has been ticked, while the kids it's supposed to protect are sharing workarounds at school. As Luke pointed out, they're not keeping it a secret. If one kid figures it out, the whole class knows by lunchtime.

Countries including the UK, Australia, and 25 US states now have some form of age verification law in place. The question this raises is whether the entire approach needs rethinking, or whether we're just building an expensive, privacy-invasive system that gives adults a false sense of security.

Awareness Angles

  • Security theatre creates a false sense of protection - When the barrier looks real but is easily bypassed, the people relying on it believe the problem is solved. It isn't. The children know this. The adults often don't. If you work in security awareness, this is a useful parallel for any compliance exercise that's more about the checkbox than the outcome.
  • Age verification collects real data from everyone - To prove you're old enough, you typically have to upload a government ID or let a camera scan your face. That's a huge amount of personal data being collected and stored by third-party verification companies, and every one of those databases is a breach target.
  • Kids will always find the workaround - This has been true since the beginning of the internet. If a system relies on a child not being clever enough to beat it, that system is going to fail. The same principle applies at work. If your security controls assume people won't find a shortcut, they will.


Claude AI Recovers Stoner's $400K Bitcoin After 11-Year Search

www.theregister.com/offbeat/2026/05/14/claude-reunites-stoner-with-bitcoin-after-losing-password/

A man bought 5 Bitcoin in 2015 at a Starbucks for around $1,250 total, changed the password while high, and then completely forgot what he'd set it to. He spent 11 years trying to recover access, including brute-forcing 3.5 trillion password combinations using btcrecover on rented GPU time. After finding an old mnemonic seed phrase in a college notebook, he dumped his entire old college computer into Claude as a last resort.

Claude found an old wallet backup file from 2019 that predated the password change, spotted a bug in how btcrecover was combining the passwords and keys, and the mnemonic phrase was able to decrypt the backup. The password turned out to be "lol420fuckthePOLICE!*:)". As Ant said on the show, it does technically meet most password complexity requirements. It's got uppercase, lowercase, numbers, special characters. Just maybe don't set it while you're stoned.

To be clear, and Ant was very keen to stress this on the show, Claude didn't crack Bitcoin encryption. It didn't break any cryptography. What it did was sort through a messy archive of old files, find a forgotten backup that still worked with older credentials, and spot a configuration error in the recovery tool. It's a digital forensic assistant, not a master hacker. But it's a genuinely useful illustration of what AI is actually good at: pattern-matching across large, disorganised datasets that a human would take months to sift through. The 5 BTC is now worth just under $400,000. The man vowed to name his child after Anthropic CEO Dario Amodei.

Awareness Angles

  • AI didn't crack anything, it organised chaos - The man already had everything he needed spread across old files and notebooks. Claude's value was connecting the dots across years of messy data. That's what large language models are genuinely good at, not breaking encryption, but finding patterns humans miss.
  • Think before you upload sensitive data to AI - He uploaded his entire college computer into Claude, including wallet files and private keys. If you're handing that kind of material to any AI service, you need to understand who can see it and what happens to it. He transferred the Bitcoin out immediately, which was smart.
  • Password management is not a joke - The password was "lol420fu**thePOLICE!*:)". Set while high. Forgotten immediately. That cost him 11 years of access to what became nearly $400,000. Use a password manager. Please.


This Week's Discussion Points

Canvas pays ShinyHunters, nobody believes the data is gone Watch | Read

716,000 patients exposed in OpenLoop Health data breach Watch | Read

Fake Claude Code installer stealing developer credentials through Google Ads Watch | Read

Google confirms hackers used AI to find a zero-day for the first time Watch | Read

Anyone who knows your VIN can add your Audi to their account Watch | Read

Scam letters are back: Amy shares a $60.5 million Nigerian prince letter that arrived through the post Watch | LinkedIn

Annual corporate training be like (click, click, click, click, click) Watch | Watch on TikTok

UK banks storing your biometric data for large payments Watch | Watch on TikTok

Waymo recalls 3,800 self-driving cars because they drive into floods Watch | Read

And Finally...

100% legal and risk-free if and only if you adhere strictly to my instructions

Scammers have gone back to posting letters. Amy Stokes-Waters, CEO at The Cyber Escape Room Co. ®, shared a letter her dad received this week from a "Mr. Kenji Tahara, Director & Executive Officer" at the Hachijuni Nagano Bank. The letter claims a deceased oil industry entrepreneur named Smith Waters deposited $60.5 million before tragically passing away at the onset of the Russia-Ukraine conflict, and because Amy's dad shares the surname, he's been selected as the next of kin to claim the estate. The split? 50% for the scammer (which will go towards "helping refugees from Ukraine war through various NGOs around Europe," obviously), 45% for the victim, and 5% set aside for "expenses incurred during the cause of securing this deposit." Five percent of $60.5 million for expenses. That's a hefty admin fee.

The best line? "I assure you that the operation is 100% legal and risk-free if and only if you adhere strictly to my instructions." As we said on the podcast, the old ways still work. In the age of AI-generated phishing and deepfake video calls, someone is still printing letters, buying stamps, and posting Nigerian prince scams through the Royal Mail. And if it didn't work, they wouldn't bother.

Worth sharing with your teams as a reminder that not every scam arrives in your inbox. Sometimes it lands on your doormat.

Watch | LinkedIn

Annual corporate training be like - If you've ever sat through mandatory training and just clicked next, next, next, next without reading a single word, this TikTok will feel personal. Shared by Liam Stock-Rabbat, it's a man sat in front of a screen doing exactly that for a solid minute. As we discussed on the show, if you look at the completion times on your training platform, you can tell exactly who's done this. And if the only question at the end is so simple you don't need to watch the video, or so obscure you'd never remember the answer anyway, what's the point? Great one to share with your compliance team next time they ask why completion rates are high but behaviour hasn't changed. Watch | Watch on TikTok

UK banks storing your biometric data for large payments - Luke shared a TikTok from Jamie's Finance asking questions about UK banks collecting and storing facial biometric data for high-value transactions. The comments were split. Some said biometric data never leaves your phone, others pointed out there's a separate process for large payments where banks do store that data server-side. As Ant mentioned on the show, having worked with three large retailers recently, every single one handles it differently. Worth a look if you bank with NatWest, Lloyds or any of the others mentioned, and worth understanding the difference between using Face ID to unlock your app and giving your bank a facial scan they store on their infrastructure. Watch | Watch on TikTok

Thanks for reading! If you’ve spotted something interesting in the world of cyber this week, a breach, a tool, or just something a bit weird, let us know at hello@riskycreative.com. We’re always learning, and your input helps shape future episodes.

Ant Davis and Luke Pettigrew write this newsletter and podcast.

The Awareness Angle Podcast and Newsletter is a Risky Creative production.

All views and opinions are our own and do not reflect those of our employers.
