The internet just had its loudest stress test. A record 29.7 Tbps flood slammed a major financial network, powered by an army of hacked smart devices. At the same time, a ransomware crew says it stole 100,000 engineering files from a key electronics maker. Apple has warned users in dozens of countries about possible state monitoring. And the FBI is now flagging a sharp rise in AI “virtual kidnapping” scams. I have confirmed all four events today. Together, they mark a turning point.
What happened, and why it is different
The DDoS attack shows raw power. Terabits per second measure volume, not clever tricks. At 29.7 Tbps, the target’s pipes filled faster than filters could act. The source was an IoT botnet of millions of cheap cameras and routers. Many shipped with weak or default passwords. Once hijacked, they became a single fire hose.
A 29.7 Tbps DDoS is not a blip. It is a new ceiling, and it raises the floor for everyone’s risk.
Ransomware also evolved. The Everest group is not just locking files. It says it stole engineering drawings at scale. That means designs, test plans, bills of materials, and process files. For manufacturers, that is crown-jewel data. It threatens future products, safety, and supply chains.

On the consumer side, the threat is personal. Apple’s notices tell us state actors still target phones with precision spyware. At the same time, criminals are abusing generative AI. They clone voices and faces in minutes. The FBI warning on “virtual kidnapping” is blunt. A fake voice that sounds like your child can push anyone to pay.
The science behind the spike
Volumetric DDoS is physics. Packets are tiny, but billions per second choke links. Attackers blend protocols and rotate sources. They use reflection and amplification, where small queries trigger large replies to the victim. IoT devices make this cheap and repeatable.
Ransomware’s engine is economics. Encrypting files is one lever. Stealing sensitive IP is a second. Double extortion forces payment even if backups exist. In this case, 100,000 files is not random theft. It is targeted exfiltration using living-off-the-land tools, then bulk staging through cloud or contractor links.
Rapid zero-day exploitation is now measured in hours. I confirmed China-linked groups, including Earth Lamia and Jackpot Panda, are actively using a new React2Shell remote code execution flaw, CVE-2025-55182. The path looks like this. Researchers publish a patch and high-level detail. Attackers diff the code, find the fix, and build a working exploit using automated fuzzers and AI-assisted code. Bots scan the internet for exposed apps. Payloads drop second-stage implants.
Supply chain risk is moving inside the browser. The long-running ShadyPanda campaign weaponized signed extensions. Updates flipped safe tools into spyware. The math is brutal. One extension, millions of installs, instant reach. Enterprise policies often trust signed code, so bad updates slip through.

AI is the accelerant, for both sides
Attackers use generative models to draft lures, translate scams, and write code. They tune voices from short clips and stitch faces into live video. They use automation to test thousands of payloads. This lowers skill barriers and speeds up campaigns.
Defenders are catching up. AI models now baseline normal network flows and flag odd surges before links fail. New detectors score speech timbre and breath noise to spot cloned voices. Image tools read compression seams and reflection patterns to find fake video. Code intelligence helps teams triage vulnerabilities and map exploit paths faster than before. The race is tight, but it is not one sided.
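The two defensive ideas above, baselining normal flow volume to catch a surge before links fail and recognizing the reflection signature described under "The science behind the spike", can be combined in one small detector. The Python below is an added example, not code from this article or from any vendor it mentions. The flow records are constructed, and the reflector port list, EWMA parameters, surge ratio, and function names are all assumptions made for the illustration.

```python
"""Added example (not from the original article): EWMA baseline + surge
detection over constructed flow records, followed by a reflection check
that attributes the surge to UDP services commonly abused for amplification.

Assumptions (hypothetical, for illustration only):
- A flow record is (second, proto, src_port, dst_port, packets, bytes).
- The "normal" baseline is an EWMA over per-second inbound bytes.
- A surge is any second exceeding RATIO times the baseline after a warm-up.
- Reflection candidates are UDP flows whose SOURCE port is a well-known
  reflector service and whose average packet size is large (big replies).
"""
from collections import defaultdict

# Well-known UDP services commonly abused for reflection/amplification.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached", 389: "LDAP"}

# Constructed flow records (second, proto, src_port, dst_port, packets, bytes).
# Seconds 0-13 carry steady HTTPS background; seconds 10-12 add a reflection burst.
FLOWS = [
    *[(s, "tcp", 443, 51000 + s, 40, 40 * 900) for s in range(14)],
    (10, "udp", 123, 40000, 20000, 20000 * 468),      # NTP-style large replies
    (10, "udp", 11211, 40001, 5000, 5000 * 1400),     # memcached-style replies
    (11, "udp", 123, 40002, 25000, 25000 * 468),
    (11, "udp", 11211, 40003, 6000, 6000 * 1400),
    (12, "udp", 123, 40004, 30000, 30000 * 468),
]


def bytes_per_second(flows):
    """Sum inbound bytes per second; returns {second: bytes}."""
    totals = defaultdict(int)
    for second, _proto, _sp, _dp, _pkts, nbytes in flows:
        totals[second] += nbytes
    return dict(totals)


def detect_surges(per_second, alpha=0.2, ratio=5.0, warmup=5):
    """Return the seconds whose volume exceeds ratio * EWMA baseline.

    Flagged seconds do NOT update the baseline, so a sustained flood cannot
    quickly teach the model that the flood is the new normal.
    """
    baseline = None
    flagged = []
    for second in sorted(per_second):
        value = per_second[second]
        if baseline is None:          # first sample seeds the baseline
            baseline = value
            continue
        if second >= warmup and value > ratio * baseline:
            flagged.append(second)
            continue
        baseline = alpha * value + (1 - alpha) * baseline
    return flagged


def reflection_suspects(flows, surge_seconds, min_bytes_per_packet=400):
    """Within surge seconds, list UDP flows from reflector ports with large
    average packet size. Returns [(second, service, bytes_per_packet), ...]."""
    suspects = []
    for second, proto, src_port, _dp, pkts, nbytes in flows:
        if second not in surge_seconds or proto != "udp":
            continue
        if src_port not in REFLECTION_PORTS:
            continue
        bpp = nbytes / pkts
        if bpp >= min_bytes_per_packet:
            suspects.append((second, REFLECTION_PORTS[src_port], round(bpp)))
    return suspects


def analyze(flows=FLOWS):
    """Run the full pipeline and return a summary dict.

    reflection_share is the fraction of surge-second bytes that came from
    suspected reflector flows; a high share supports asking the upstream
    provider to filter those source ports rather than all inbound traffic.
    """
    per_second = bytes_per_second(flows)
    surges = detect_surges(per_second)
    surge_set = set(surges)
    suspects = reflection_suspects(flows, surge_set)
    surge_bytes = sum(per_second[s] for s in surges) or 1
    reflector_bytes = sum(
        nbytes for second, proto, sp, _dp, _pk, nbytes in flows
        if second in surge_set and proto == "udp" and sp in REFLECTION_PORTS
    )
    return {
        "surge_seconds": surges,
        "suspects": suspects,
        "reflection_share": reflector_bytes / surge_bytes,
    }


if __name__ == "__main__":
    summary = analyze()
    print("surge seconds:", summary["surge_seconds"])
    for second, service, bpp in summary["suspects"]:
        print(f"  t={second}s  {service:<10} avg {bpp} bytes/packet")
    print(f"reflection share of surge bytes: {summary['reflection_share']:.1%}")
```

The baseline freeze on flagged seconds is the design point worth copying: without it, a flood lasting a few intervals raises the EWMA until the attack reads as normal and the alert clears while the link is still saturated. Real deployments would feed this from NetFlow or sFlow exports and tune the ratio per link.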
If you get a ransom call, hang up, call back on a known number, and verify with a second contact. Do not stay on the line.
What to do right now
Here is a prioritized plan that matches today’s threats.
- Patch internet-facing apps within 24 hours, especially for CVE-2025-55182. Turn on virtual patching at your edge.
- Rate limit and scrub traffic in the cloud. Use anycast DDoS protection and block junk at the ISP.
- Lock the supply chain. Freeze risky browser extensions, enforce allowlists, and require code provenance for updates.
- Protect the crown jewels. Map engineering data flows, isolate build systems, and require multifactor from vendors.
- Train for deepfakes. Run drills. Set family and team safe words, and publish verification rules.
Use the rule of three for high-risk requests: confirm by another channel, another person, and another time.
For families, here are fast checks for deepfakes:
- Ask a shared question only you would know.
- Watch for odd lip sync or room echo.
- Call back on a saved number, not the caller ID.
- Keep a safe word, change it often.
Frequently Asked Questions
Q: What does 29.7 Tbps mean in practice?
A: It means more traffic per second than many banks can absorb. Without upstream filtering, services go dark fast.
Q: How do I handle a suspected deepfake call?
A: End the call. Contact the person by a saved number. Confirm with a second trusted contact. Call police if threats continue.
Q: What is the risk from browser extensions?
A: A trusted extension can turn into spyware through an update. It can read pages, capture keystrokes, and send data out.
Q: What is React2Shell and why is it urgent?
A: It is a new remote code execution bug tied to popular web stacks. Attackers are already exploiting it to take servers over.
Q: Can AI really help defenders?
A: Yes. It can spot odd patterns, speed investigations, and verify content. But it needs clean data, clear rules, and human review.
Conclusion
Today’s wave of record DDoS, industrial data theft, state-grade targeting, and AI-powered scams marks an inflection point. Offense is faster, louder, and more convincing. Defense must be more agile, more upstream, and more verified. The science is clear: speed and scale rule the field. The fix is also clear: patch fast, reduce trust, prove identity, and practice the plan.
