
// Documentaries

DOC

Zero Days

Documentary 2016

Dir. Alex Gibney

An Oscar-winning director's account of Stuxnet, the joint US-Israeli cyberweapon that sabotaged uranium-enrichment centrifuges at Iran's Natanz facility. Gibney interviews former NSA and CIA officials, IAEA inspectors, and the Symantec and Kaspersky researchers who dissected the code to reconstruct the most sophisticated cyberattack publicly disclosed at the time. Essential viewing for understanding Operation Olympic Games.

DOC

Citizenfour

Documentary 2014

Dir. Laura Poitras

An Academy Award-winning film documenting Edward Snowden's 2013 disclosure of NSA mass surveillance programs, filmed in real time in a Hong Kong hotel room. Poitras captures the days in which Snowden walked Glenn Greenwald and Ewen MacAskill through the archive that would reveal PRISM, XKeyscore, and other collection programs. Provides crucial context for understanding the scope of signals intelligence infrastructure.

DOC

We Are Legion: The Story of the Hacktivists

Documentary 2012

Dir. Brian Knappenberger

Traces the evolution of Anonymous from 4chan trolling culture to a global hacktivist collective launching coordinated DDoS campaigns against governments, corporations, and the Church of Scientology. Covers Operation Payback, Operation Tunisia, and the Arab Spring operations that blurred the line between civil disobedience and cybercrime.

DOC

The Internet's Own Boy: The Story of Aaron Swartz

Documentary 2014

Dir. Brian Knappenberger

Chronicles the life and prosecution of Aaron Swartz (programming prodigy, Reddit co-founder, and open-access activist), who faced federal charges under the Computer Fraud and Abuse Act for bulk-downloading JSTOR academic articles from the MIT network. His story is inseparable from the legal and ethical debates surrounding the CFAA, the same law under which Robert Tappan Morris was convicted in 1990; Morris received probation, community service, and a fine rather than prison, a contrast that sharpened criticism of the charges Swartz faced.

DOC

The Great Hack

Documentary 2019

Dir. Karim Amer & Jehane Noujaim

Investigates Cambridge Analytica's harvesting of up to 87 million Facebook profiles, collected through a personality-quiz app and the friend-data permissions of Facebook's API, to micro-target voters during the 2016 US presidential election and the Brexit referendum. Examines how personal data became a tool of political manipulation and why data harvesting extends far beyond financial crime, a theme central to the LinkedIn and Operation Aurora case studies.

DOC

Hackers: Wizards of the Electronic Age

Documentary 1984

Dir. Fabrice Florin

A landmark early documentary filmed at the 1984 Hackers Conference in Marin County, featuring interviews with Steve Wozniak, Richard Stallman, and the earliest generation of hackers who defined the ethics and culture of computing. Understanding this original hacker ethic provides essential context for how the community fractured into nation-state operators, criminals, and security researchers.

DOC

Zero Days: A Cybersecurity Documentary

Documentary 2022

Dir. Various

A Showtime series examining the ransomware ecosystem, dark web markets, and nation-state intrusion sets through interviews with current and former NSA, FBI, and private-sector threat intelligence analysts. Covers Colonial Pipeline, SolarWinds, and the industrialization of ransomware-as-a-service operations in detail.

DOC

Freedom Downtime

Documentary 2001

Dir. Emmanuel Goldstein

A documentary chronicling the four-and-a-half years Kevin Mitnick spent in federal custody awaiting trial, including roughly eight months in solitary confinement, and the grassroots "Free Kevin" campaign that mobilized the hacker community and civil liberties advocates worldwide. Goldstein (publisher of 2600 magazine) captures how Mitnick's prosecution became a defining moment for hacker rights, fair trial standards in digital cases, and the government's treatment of technical expertise as inherently dangerous.

DOC

Deep Web

Documentary 2015

Dir. Alex Winter

Alex Winter's investigation into the Silk Road takedown and the prosecution of Ross Ulbricht, the libertarian idealist who built the dark web's first major marketplace. Winter examines the disputed account of how the FBI located the Silk Road server, the blockchain tracing that tied wallets to Ulbricht, the computer-hacking and narcotics conspiracy charges, and the philosophical divide over whether Silk Road was a free-market experiment or a criminal enterprise. The documentary provides context for how law enforcement developed the cryptocurrency-forensics playbook later applied to ransomware and North Korean theft operations.

DOC

We Steal Secrets: The Story of WikiLeaks

Documentary 2013

Dir. Alex Gibney

Alex Gibney's portrait of WikiLeaks traces the arc from Julian Assange's early cypherpunk idealism through the publication of the Afghan War Diaries, the Collateral Murder video, and the US State Department cables — and the subsequent manhunt, Chelsea Manning's imprisonment, and the fracturing of the whistleblower coalition. The film provides essential context for understanding how digital disclosure, espionage law, and source protection collide in the era of mass surveillance: themes that run directly into the Snowden archive and the CALEA backdoor debate.

// Films

FILM

WarGames

Feature Film 1983

Dir. John Badham

A teenage hacker accidentally dials into WOPR, a NORAD war-planning computer, and nearly triggers nuclear war. WarGames directly influenced US policy: Reagan reportedly asked the Joint Chiefs "Could something like this really happen?" after a screening, a question that fed into NSDD-145 (1984), the first national directive on computer and telecommunications security. The plot turns on a hard-coded developer password ("Joshua") that bypasses authentication, an early popular depiction of a backdoor credential.

FILM

Hackers

Feature Film 1995

Dir. Iain Softley

A cult classic following a group of teenage hackers in New York City who stumble onto a corporate extortion scheme. While technically imprecise, Hackers captured the social culture, visual aesthetics, and counter-establishment ethos of 1990s hacker communities, and introduced a mass audience to social engineering, phreaking, dumpster diving, and weak-password guessing (the "love, sex, secret, god" scene). Angelina Jolie and Jonny Lee Miller star.

FILM

Sneakers

Feature Film 1992

Dir. Phil Alden Robinson

A team of security professionals is blackmailed into stealing a universal decryption device. Sneakers was technically vetted by actual security researchers and remains one of the most accurate Hollywood portrayals of social engineering, physical penetration testing, and the dual-use nature of hacking tools. Robert Redford leads an ensemble including Ben Kingsley, River Phoenix, and Dan Aykroyd.

FILM

Blackhat

Feature Film 2015

Dir. Michael Mann

A convicted hacker is released from prison to help the FBI and Chinese authorities track down a cybercriminal who caused a coolant-pump failure at a nuclear plant and manipulated a commodities exchange. Mann hired security consultants to keep the tradecraft plausible: the film depicts remote access Trojans, malware aimed at industrial control software, fraudulent bank transfers, and data theft through physical access, several of which foreshadow real incidents covered in this archive.

TV

Mr. Robot

TV Series 2015

Dir. Sam Esmail

Widely considered the most technically accurate cybersecurity drama ever produced. An antisocial security engineer joins a hacker collective targeting the conglomerate that holds much of the world's consumer debt. The show's technical consultants grounded the hacks in real tooling and plausible technique: USB drops and Rubber Ducky keystroke injection, Kali Linux, a Raspberry Pi implant on a facility's HVAC network, a rogue femtocell, and social engineering are shown with commands and interfaces that actually exist, though their speed and reliability are dramatized. The Dark Army threat actor mirrors APT tradecraft from groups profiled in this archive.

FILM

Enemy of the State

Feature Film 1998

Dir. Tony Scott

A Washington lawyer becomes a target of rogue NSA operatives after accidentally receiving evidence of a political assassination. Enemy of the State offered the most detailed pre-Snowden visualization of NSA signals intelligence capabilities — satellite tracking, wiretapping, financial surveillance — that proved remarkably prescient once the PRISM disclosures revealed the agency's actual reach.

FILM

Tron

Feature Film 1982

Dir. Steven Lisberger

The first major film to visualize the interior of a computer system as a physical space populated by programs as living entities. Tron established the visual language of cyberspace that influenced a generation of hackers and security researchers, and its Master Control Program, which absorbs other programs to grow its own power, has often been read as an early metaphor for malware that subverts the software around it.

FILM

Snowden

Feature Film 2016

Dir. Oliver Stone

Oliver Stone's dramatization of Edward Snowden's journey from CIA recruit to NSA contractor to the most consequential whistleblower in intelligence history. Stone reconstructs PRISM, XKeyscore, and MUSCULAR with unusual attention to detail for a feature film, consulting Snowden directly, and frames the surveillance programs as a systemic institutional failure rather than the work of rogue actors. The film is a narrative companion to the Citizenfour documentary and pairs with the Salt Typhoon archive entry, which illustrates a warning Snowden and many cryptographers made: access points mandated by CALEA for lawful intercept are dual-use, and an adversary who reaches them inherits the wiretap.

FILM

The Fifth Estate

Feature Film 2013

Dir. Bill Condon

A dramatization of WikiLeaks' rise through the eyes of Daniel Domscheit-Berg, Julian Assange's former deputy, covering the Afghan War Diaries, the Collateral Murder video, and the US State Department cables. While the film takes creative liberties with Assange's character, it portrays the operational security practices (PGP encryption, dead drops, an anonymous submission system) that defined the whistleblower pipeline WikiLeaks built and that later tools such as SecureDrop formalized. Benedict Cumberbatch stars.

// Conference Talks

TALK

Cracking Stuxnet: A 21st-Century Cyber Weapon

TED Talk 2011

Ralph Langner

The German ICS security researcher whose team reverse-engineered Stuxnet's Siemens Step 7 PLC payload explains in plain language how the weapon worked, who likely built it, and what it means for critical infrastructure security. Langner was the first to publicly identify Stuxnet's target as the Natanz uranium enrichment facility. Indispensable context for the Stuxnet archive entry.

TALK

Anatomy of a Nation-State Attack: SolarWinds

RSA Conference Talk 2021

CrowdStrike / FireEye

The security firms that discovered and responded to the SolarWinds SUNBURST compromise present the full technical breakdown: the SUNSPOT build-system implant, TEARDROP and RAINDROP second-stage loaders, and the sophisticated operational security that kept the campaign invisible for nine months. The RSA Conference library archives this talk with full slides at rsaconference.com.

TALK

The Morris Worm: 25 Years Later

USENIX Security Talk 2013

Various (MIT, Cornell panel)

A 25th-anniversary retrospective featuring original witnesses to the 1988 Morris Worm incident, including researchers who worked through the night to stop it. Covers the technical mechanisms, the birth of CERT at Carnegie Mellon, and the legal aftermath — providing living oral history for the archive's Morris Worm and CFAA Conviction entries.

TALK

Stopping the WannaCry Kill Switch

DEF CON 26 Talk 2018

Marcus Hutchins (MalwareTech)

Marcus Hutchins, who accidentally halted the WannaCry outbreak by registering a nonsense domain hidden in the malware's kill switch, explains in technical detail how he found the mechanism, what happened when he activated it, and why the worm's architecture gave him that leverage. A first-person account from the central figure of the WannaCry incident.

TALK

Nation-State Supply Chain Attacks: NotPetya and Beyond

Black Hat USA Talk 2018

ESET Research

ESET researchers who reverse-engineered NotPetya present the full kill chain: the compromised M.E.Doc accounting software update server, the MBR-overwriting wiper disguised as ransomware, credential harvesting with a Mimikatz-derived tool, and lateral movement via the EternalBlue and EternalRomance SMB exploits, PsExec, and WMIC over admin shares. The talk contextualizes NotPetya within Sandworm's broader campaign against Ukrainian infrastructure.

TALK

Operation Aurora: The Google Hack

Black Hat DC Talk 2010

Dmitri Alperovitch (McAfee)

The original public presentation on Operation Aurora by the McAfee researcher who named it. Covers the Internet Explorer zero-day (CVE-2010-0249), the Hydraq remote access Trojan, and the command-and-control infrastructure used to exfiltrate source code from Google and dozens of other companies. One of the first public attributions of an APT campaign to a nation-state.

TALK

Ransomware: Past, Present, and Future

DEF CON 30 Talk 2022

Allan Liska (Recorded Future)

A comprehensive retrospective on ransomware evolution from the AIDS Trojan (1989) through DarkSide, REvil, and LockBit, with detailed analysis of the ransomware-as-a-service model behind the Colonial Pipeline attack. Includes cryptocurrency tracing methodology, negotiation tactics, and the FBI's partial recovery of the DarkSide ransom (roughly 64 of the 75 bitcoin paid). All DEF CON talks are archived free at media.defcon.org.

ARC

Chaos Communication Congress Archive

Conference Archive Since 1984

CCC / media.ccc.de

The Chaos Communication Congress, the annual conference of the Chaos Computer Club (CCC), has hosted some of the most technically rigorous public security research since 1984, meeting in Hamburg, Berlin, and Leipzig over the years. The full archive at media.ccc.de contains thousands of talks on cryptography, state surveillance, exploit development, and hacker culture. Notable talks include Felix "FX" Lindner on Cisco IOS exploitation, Jacob Appelbaum on the NSA ANT catalog, and Karsten Nohl on GSM interception.

TALK

Log4Shell: The Story of a Critical Vulnerability

RSA Conference Talk 2022

Multiple Presenters

A post-incident technical retrospective on CVE-2021-44228, examining how a logging library feature became one of the most severe vulnerabilities of the decade. Covers the JNDI lookup chain (a ${jndi:ldap://...} string in any logged field triggering a remote class load), the timeline from disclosure to mass scanning and nation-state exploitation within days, the transitive-dependency problem that made remediation so difficult, and the policy aftermath, including the Cyber Safety Review Board's first report, which took Log4j as its subject. RSA Conference Library archives this with full slides.

TALK

APT1: Exposing One of China's Cyber Espionage Units

Mandiant / FireEye Report Presentation 2013

Mandiant Research Team

The public release of Mandiant's landmark APT1 report, identifying PLA Unit 61398 in Shanghai as a systematic intellectual property theft operation against Western organizations, was a watershed moment in public cyber attribution. The associated presentations covered the Comment Crew's tooling and infrastructure, the operator personas recovered from that infrastructure, and the methodology used to geolocate the group to a specific building in Pudong. Freely available on the Mandiant website.

TALK

Volt Typhoon: The Defining Cyber Threat of Our Era

RSA Conference Talk 2024

CISA / FBI / NSA Joint Briefing

Joint briefing by CISA, FBI, and NSA officials following the February 2024 Five Eyes advisory on Volt Typhoon. Covers the detection methodology that revealed years-long Chinese pre-positioning inside US power, water, and communications infrastructure; the characteristics of living-off-the-land intrusions that evade signature-based detection; and the operational implications for critical infrastructure defenders. Provides the essential policy context for the Volt Typhoon archive entry.

TALK

Inside the MOVEit Mass-Exploitation: How Cl0p Broke a File-Transfer Industry

Black Hat USA Talk 2023

Huntress / Mandiant Research

Technical post-mortem on CVE-2023-34362 and Cl0p's Memorial Day 2023 mass-exploitation campaign. Covers the SQL injection chain, LEMURLOOT web shell capabilities, the MSP amplification effect, and why Cl0p's pattern of targeting managed file transfer platforms (Accellion → GoAnywhere → MOVEit) represents a deliberate strategic preference for high-value aggregation points. Black Hat archives all talks at blackhat.com.

TALK

The Anatomy of the Change Healthcare Ransomware Attack

DEF CON 32 Talk 2024

Multiple Presenters

Technical and policy retrospective on the ALPHV/BlackCat attack against Change Healthcare — the largest healthcare data breach and most disruptive healthcare IT incident in US history. Covers the Citrix credential theft, 9-day dwell period, the healthcare payment processing collapse affecting 67,000 pharmacies, the $22 million ransom, and the dramatic ALPHV exit scam that left the attacking affiliate unpaid and triggered a second extortion campaign by RansomHub. All DEF CON talks are archived free at media.defcon.org.

TALK

Salt Typhoon and the CALEA Attack Surface: How China Hacked America's Wiretaps

RSA Conference Talk 2025

CISA / FBI Joint Briefing

Post-incident analysis of the Salt Typhoon compromise of eight or more major US telecommunications carriers, including the breach of CALEA lawful intercept infrastructure. Covers the Cisco IOS XE and Fortinet edge device exploitation methodology, the months-long dwell period inside carrier networks, and the intelligence haul that included presidential campaign communications and call detail records for tens of millions of Americans. The talk confronts the foundational question the CALEA debate had avoided: any surveillance backdoor built for government access is also a vulnerability for adversaries. RSA Conference archives talks at rsaconference.com.

TALK

TraderTraitor: Anatomy of North Korea's Cryptocurrency Heist Machine

DEF CON 33 Talk 2025

Mandiant / Google Threat Intelligence

Full technical reconstruction of the Lazarus Group subgroup TraderTraitor's methodology, culminating in the February 2025 Bybit exchange theft — the largest cryptocurrency theft in history at $1.5 billion. Covers the Safe{Wallet} developer social engineering, the BYTEMITE macOS implant, the conditional JavaScript injection that modified only Bybit's signing interface, the blind signing vulnerability class that enabled the attack, and the on-chain laundering chain traced by ZachXBT and Elliptic in near real time. Includes analysis of TraderTraitor's evolution from direct exchange hacks to supply-chain compromise of trusted wallet infrastructure. Archived free at media.defcon.org.

TALK

The K-12 Data Crisis: Student Privacy After PowerSchool

Black Hat USA Talk 2025

Multiple Presenters

Policy and technical retrospective on the December 2024 PowerSchool breach — the unauthorized exfiltration of records for 70 million students and 6 million teachers across 18,000+ school districts in North America. Covers the credential-based access to the PowerSource support portal, the CSV export tool used to drain database tables over the holiday week, the FERPA/HIPAA regulatory gap that left student medical data with no security standards, and the second-wave extortion of individual school districts that followed PowerSchool's ransom payment. Examines what "permanent record" means when it lives in a vendor-hosted cloud database. Black Hat archives all talks at blackhat.com.

TALK

Intimate Data at Scale: The Match Group Breach and the Case for Federal Privacy Reform

RSA Conference Talk 2026

FTC / Privacy Advocates Panel

Post-incident policy analysis of the February 2026 Match Group breach — the OAuth token forgery that exposed the intimate personal data of 600 million users across Tinder, Hinge, OKCupid, Match.com, and twelve other platforms. Covers the Atlas PKCE logic flaw, the cross-platform identity centralization that amplified the exposure, the targeted extortion of LGBTQ users in countries where homosexuality is criminalized, and the GDPR special-category data enforcement gap between EU and US legal frameworks. Examines the Congressional momentum behind the Intimate Data Protection Act and what a federal standard for sensitive personal data would require. RSA Conference archives talks at rsaconference.com.

TALK

Oracle Manipulation and the $780 Million Drift Protocol Exploit

DEF CON 34 Talk 2026

Blockchain Security Researchers

Full technical reconstruction of the March 2026 Drift Protocol oracle manipulation exploit — the largest single-event loss in DeFi history. Covers the six-week preparation period including oracle calibration tests, the $340 million DRIFT spot sell that drove the Pyth price feed 45.7% in 34 seconds, the liquidation cascade that depleted the $47 million insurance fund in under four minutes, the socialized loss mechanism that distributed $733 million in losses across the LP base, and the post-exploit attribution analysis linking wallet infrastructure to Lazarus Group / TraderTraitor. Includes the policy aftermath: CFTC DeFi jurisdiction claims, oracle liquidity mismatch reform across the Solana ecosystem, and the DeFi perpetuals risk parameter debate. Archived free at media.defcon.org.

TALK

The Stryker Wipe: Lessons from the First Mass Medical Device Cyberattack

Black Hat USA Talk 2026

Mandiant / FDA / CISA Joint Briefing

Technical and policy retrospective on the January 2026 Sandworm attack against Stryker's SmartLink medical device management infrastructure — the first confirmed nation-state attack to physically wipe connected medical devices at scale. Covers the spear-phishing initial access, the lateral movement through Stryker's GitLab CI/CD environment, the HSM signing agent access that allowed legitimate-certificate signing of a malicious firmware wiper, the 4:00 AM detonation that wiped 34,000 devices at 340 hospitals in 90 minutes, the 4,800 cancelled surgeries, and the six FDA adverse event filings. Examines the FDA Emergency Guidance 2026-01, the Protecting Medical Devices from Cyberattack Act, and why the SmartLink attack is the medical device equivalent of NotPetya: one compromised update infrastructure, unlimited blast radius. Black Hat archives all talks at blackhat.com.

TALK

Ghost in the Machine: Inside GhostNet

Conference Talk 2009

Ron Deibert / Citizen Lab

The Citizen Lab team presents their 10-month investigation into GhostNet, a China-linked cyber-espionage network that compromised 1,295 computers in 103 countries, including the offices of the Dalai Lama, embassies, and foreign ministries. Deibert covers the gh0st RAT implant's capabilities, the command-and-control infrastructure traced to Hainan Island, and the political and ethical challenges of attributing state-sponsored cyber operations when evidence is circumstantial. The talk launched a new paradigm for civil society digital threat research. Citizen Lab research is archived at citizenlab.ca.

TALK

From Kevin to APT: The Social Engineering Continuum

DEF CON Talk 2014

Kevin Mitnick

Mitnick traces the direct lineage from his own 1980s–90s social engineering playbook — pretexting, impersonation, physical access manipulation — through the sophisticated human-targeting techniques used by modern nation-state APT groups. The talk demonstrates that despite decades of technical security improvement, the human attack surface remains as exploitable as it was when Mitnick was calling Pacific Bell impersonating a senior engineer. All DEF CON talks are archived free at media.defcon.org.

TALK

Carbanak: The $1 Billion Bank Heist

Conference Presentation 2015

Kaspersky Lab

The first public technical disclosure of the Carbanak campaign: Kaspersky Lab's researchers present the full attack chain, from the spear-phishing lure exploiting CVE-2012-0158 and the Carbanak RAT's screen capture and video recording capabilities, through months-long reconnaissance inside bank networks, to the three cash-out vectors (ATM jackpotting, SWIFT manipulation, and account balance inflation). The presentation, delivered at the Security Analyst Summit, revealed that the attackers had stolen as much as $1 billion from up to 100 financial institutions in 30 countries, one of the largest bank thefts on record. Kaspersky research is archived at securelist.com.

TALK

Heartbleed: Anatomy of a Critical Cryptographic Bug

Black Hat USA Talk 2014

Neel Mehta / OpenSSL Security Team

The Google Security researcher who discovered CVE-2014-0160, the OpenSSL Heartbeat extension buffer over-read that exposed private keys, session tokens, and plaintext from a large share of the internet's HTTPS servers (OpenSSL sat behind roughly two-thirds of web servers, and Netcraft estimated about 17% of TLS sites were exploitable at disclosure), presents the technical root cause: a missing bounds check that trusted the attacker-supplied payload_length field, letting a single request read up to 64 KB of server memory with no trace in server logs. The talk covers the coordinated disclosure that involved major cloud providers and Linux distributions simultaneously, the scanning that found hundreds of thousands of servers still unpatched months later, and the long-term lesson that auditing of cryptographic library internals cannot be left to an underfunded volunteer effort. Black Hat archives all talks at blackhat.com.
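The missing bounds check described above, as an added example that is not part of the talk or of OpenSSL's source: a toy C model of the heartbeat handler with the pre-1.0.1g copy beside the checked version from the fix. The record layout (type, two-byte payload_length, payload, 16 bytes of padding) follows RFC 6520; the arena, the "ping" payload, the secret string, and every function name are constructed for this example and stand in for a slice of server heap.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the TLS heartbeat record (RFC 6520): type(1) | payload_length(2, big-endian)
   | payload | padding(>=16). The arena and the secret placed after the record are
   constructed for this example; they stand in for adjacent server heap. */
#define HB_PADDING 16
#define ARENA_SIZE 128

typedef struct {
    const uint8_t *data;   /* start of the record within the arena */
    size_t length;         /* bytes actually received for this record */
} hb_record;

static uint8_t arena[ARENA_SIZE];

/* Build a heartbeat request whose real payload is "ping" (4 bytes) but whose
   payload_length field claims `declared`, then place a secret right after the record. */
static hb_record build_record(uint16_t declared) {
    memset(arena, 0, sizeof arena);
    size_t i = 0;
    arena[i++] = 0x01;                          /* TLS1_HB_REQUEST */
    arena[i++] = (uint8_t)(declared >> 8);      /* payload_length, high byte */
    arena[i++] = (uint8_t)(declared & 0xff);    /* payload_length, low byte */
    memcpy(arena + i, "ping", 4); i += 4;       /* the actual payload */
    i += HB_PADDING;                            /* padding (zero bytes here) */
    hb_record rec = { arena, i };               /* i == 23: the real wire length */
    /* Constructed "adjacent heap" content, the kind of data Heartbleed exposed. */
    strcpy((char *)arena + i, "SECRET_KEY=hunter2;session=deadbeef");
    return rec;
}

/* Pre-1.0.1g behaviour: echo payload_length bytes, trusting the field. When it exceeds
   the real payload, the copy walks past the record into whatever lies next to it. The
   out_cap clamp only keeps this model in bounds; the real code read up to 64 KB. */
static size_t heartbeat_vulnerable(const hb_record *rec, uint8_t *out, size_t out_cap) {
    const uint8_t *p = rec->data + 1;                       /* skip type */
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);      /* n2s(p, payload) */
    p += 2;
    size_t n = payload < out_cap ? payload : out_cap;
    memcpy(out, p, n);                                      /* the over-read */
    return n;
}

/* The 1.0.1g fix: drop the record if the declared length does not fit inside it
   (RFC 6520 section 4 says malformed heartbeat messages are discarded silently). */
static size_t heartbeat_fixed(const hb_record *rec, uint8_t *out, size_t out_cap) {
    if (rec->length < 1 + 2 + HB_PADDING) return 0;         /* too short to be valid */
    const uint8_t *p = rec->data + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if ((size_t)1 + 2 + payload + HB_PADDING > rec->length) return 0;  /* the missing check */
    if (payload > out_cap) return 0;
    memcpy(out, p, payload);
    return payload;
}

/* Bytes beyond the record's own payload+padding that the vulnerable path echoes back. */
int leaked_bytes_vulnerable(void) {
    hb_record rec = build_record(64);
    uint8_t out[64];
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    size_t own = rec.length - 3;            /* real payload + padding = 20 */
    return n > own ? (int)(n - own) : 0;
}

/* 1 if the echoed bytes contain the adjacent secret, i.e. the leak is usable. */
int vulnerable_reply_contains_secret(void) {
    hb_record rec = build_record(64);
    uint8_t out[64];
    size_t n = heartbeat_vulnerable(&rec, out, sizeof out);
    return (n >= 26 && memcmp(out + 20, "SECRET", 6) == 0) ? 1 : 0;
}

/* Bytes the fixed path returns for the same malformed record: nothing is echoed. */
int fixed_reply_length_malformed(void) {
    hb_record rec = build_record(64);
    uint8_t out[64];
    return (int)heartbeat_fixed(&rec, out, sizeof out);
}

/* A well-formed request (declared == real payload) still gets its 4 bytes back. */
int fixed_reply_length_valid(void) {
    hb_record rec = build_record(4);
    uint8_t out[64];
    return (int)heartbeat_fixed(&rec, out, sizeof out);
}

int main(void) {
    printf("vulnerable path leaked %d bytes beyond the record (secret visible: %d)\n",
           leaked_bytes_vulnerable(), vulnerable_reply_contains_secret());
    printf("fixed path echoes %d bytes for the malformed request, %d for a valid one\n",
           fixed_reply_length_malformed(), fixed_reply_length_valid());
    return 0;
}
```

Compile with any C99 compiler and run: the vulnerable path echoes 44 bytes that were never part of the request, and the secret begins 20 bytes into the reply, exactly where the real payload and padding end. Neither path writes a log line for the malformed request, which is why the talk stresses that victims had no way to tell from server logs whether they had been read.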

TALK

Pegasus: The Most Sophisticated Mobile Spyware Ever Built

Black Hat USA Talk 2017

Citizen Lab / Lookout Security

The Citizen Lab and Lookout researchers who analyzed NSO Group's Pegasus spyware present Trident, the three-zero-day iOS exploit chain used in an attempt to silently jailbreak and implant surveillance software on the iPhone of UAE human rights defender Ahmed Mansoor. Covers the one-click SMS lure used in that attack and the Pegasus capability set: ambient audio and camera activation, GPS tracking, harvesting of messages and calls from encrypted apps on the device, and exfiltration disguised as legitimate traffic. The analysis established Pegasus as the most capable commercial spyware publicly dissected to that point and led Apple to ship iOS 9.3.5 within ten days. Citizen Lab research is archived at citizenlab.ca.

// Books

BOOK

Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon

Non-Fiction 2014

By Kim Zetter

The definitive book on Stuxnet — from the initial discovery by Symantec and Kaspersky researchers through the full reconstruction of the weapon's architecture, its deployment via infected USB drives, and the geopolitical decisions that authorized it. Zetter's reporting remains the most exhaustive public account of Operation Olympic Games.

BOOK

Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers

Non-Fiction 2019

By Andy Greenberg

Wired journalist Andy Greenberg tracks Sandworm — the GRU hacking unit responsible for NotPetya, the BlackEnergy attacks on Ukrainian power grids, and Olympic Destroyer — from their first attacks through the $10 billion NotPetya catastrophe. Essential companion reading to the NotPetya archive entry and the most detailed account of Russian offensive cyber operations available in the public domain.

BOOK

This Is How They Tell Me the World Ends: The Cyberweapons Arms Race

Non-Fiction 2021

By Nicole Perlroth

New York Times cybersecurity reporter Nicole Perlroth investigates the global market for zero-day vulnerabilities — the exploits governments buy to weaponize against adversaries. The book traces how NSA-developed zero-days like EternalBlue leaked to criminal groups and became the backbone of WannaCry and NotPetya, and examines the brokers, buyers, and moral hazards of the vulnerability market.

BOOK

The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage

Non-Fiction 1989

By Cliff Stoll

An astronomer at Lawrence Berkeley Laboratory notices a 75-cent accounting discrepancy and follows it to a West German hacker selling access to US military systems to the KGB. Published in 1989, the year after the Morris Worm, this is the founding text of threat hunting: the first widely read account of a defender manually tracing an intrusion through logs and printouts all the way to attribution.

BOOK

Ghost in the Wires: My Adventures as the World's Most Wanted Hacker

Non-Fiction / Memoir 2011

By Kevin Mitnick

Kevin Mitnick's memoir covers his decade-long career evading the FBI — breaking into Nokia, Motorola, Sun Microsystems, and Pacific Bell using a combination of social engineering and technical exploitation. Mitnick's techniques, particularly his mastery of pretexting and impersonation, remain the canonical examples of the human attack surface that underpins every intrusion in this archive.

BOOK

The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders & Deceivers

Non-Fiction 2005

By Kevin Mitnick

A collection of first-person hacker accounts assembled by Mitnick covering casino slot machine exploitation, corporate espionage, military system penetration, and ATM network fraud. Each case study is accompanied by the defender's perspective and security lessons. Provides historical context for the tactics later industrialized by nation-state APT groups.

BOOK

The Art of Deception: Controlling the Human Element of Security

Non-Fiction 2002

By Kevin Mitnick

Mitnick's foundational text on social engineering — written after his release from prison — uses composite case studies to show how impersonation, pretexting, and trust exploitation can bypass any technical security control. The book codified "the human element" as the primary attack surface in enterprise security and remains the most-referenced work on social engineering in the field. Essential companion reading to the Kevin Mitnick archive entry.

BOOK

Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground

Non-Fiction 2011

By Kevin Poulsen

Wired senior editor Kevin Poulsen chronicles the rise and fall of Max Butler (aka "Iceman"), who built and then seized control of the carding underground's largest marketplace, Cardersmarket, in a brazen hack of rival criminal forums. The book traces the financial crime ecosystem — from dump shops to money mules — that contextualizes the LinkedIn credential theft and Mt. Gox cases.

BOOK

Hacking: The Art of Exploitation (2nd Edition)

Technical 2008

By Jon Erickson

The technical foundation text for understanding the exploit development that underlies many of the cases in this archive. Erickson covers buffer overflows, heap corruption, format string vulnerabilities, shellcode writing, and network protocol exploitation with working C code on a bootable Linux environment supplied with the book. The Morris Worm's fingerd stack overflow and sendmail debug-mode abuse are readily understood in this framework.

BOOK

Cybersecurity and Cyberwar: What Everyone Needs to Know

Non-Fiction 2014

By P.W. Singer & Allan Friedman

A policy-oriented primer covering the technical, legal, and geopolitical dimensions of cybersecurity written for a general audience. Singer and Friedman contextualize the transition from criminal hacking to nation-state cyber warfare — tracing the policy evolution from the CFAA to Stuxnet to the Tallinn Manual — making this the ideal companion for understanding the legal and diplomatic frameworks surrounding the operations documented in this archive.

BOOK

Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency

Non-Fiction 2022

By Andy Greenberg

Andy Greenberg follows a generation of blockchain forensics investigators — from Chainalysis to the IRS Criminal Investigation unit — as they unmask the architects of Silk Road, BTC-e (Alexander Vinnik), and the North Korean Lazarus Group's cryptocurrency theft operations. Vinnik's BTC-e exchange was the destination for a significant portion of the Mt. Gox stolen Bitcoin; this book provides the forensic methodology that traced it.

BOOK

Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World

Non-Fiction 2015

By Bruce Schneier

Security technologist Bruce Schneier dissects the surveillance economy — governments and corporations collecting, buying, and weaponizing personal data at massive scale. Required reading alongside the OPM and Equifax case studies: Schneier's framework for understanding the value of aggregated personal data explains precisely why Chinese intelligence invested years in harvesting SF-86 files, health records, and financial histories. The 2015 publication date is prescient — written as the OPM breach was unfolding.

BOOK

Fancy Bear Goes Phishing: The Dark History of the Information Age

Non-Fiction 2023

By Scott J. Shapiro

Yale Law School professor Scott Shapiro examines five landmark hacking episodes (the Morris Worm, the Bulgarian virus scene and the Dark Avenger, the 2005 Paris Hilton phone hack, Fancy Bear's intrusion into the DNC, and the Mirai botnet) through the lens of philosophy, history, and law. Shapiro's accounts are technically rigorous while accessible to non-specialists; his legal analysis provides essential context for how hacking law evolved from the CFAA's first conviction through modern international cyber conflict.

BOOK

Takedown: The Pursuit and Capture of Kevin Mitnick, America's Most Wanted Computer Outlaw

Non-Fiction 1996

By Tsutomu Shimomura & John Markoff

Tsutomu Shimomura — the security researcher whose systems Kevin Mitnick broke into in 1994 — recounts the months-long manhunt that ended in Mitnick's arrest in Raleigh, North Carolina. The book is a product of 1990s hacker culture, covering IP spoofing, session hijacking, and the social engineering techniques that defined early criminal hacking. Essential companion reading for the Citibank 1994 case study: both incidents illustrate the thin boundary between curiosity and crime in the pre-public-internet era.

BOOK

Spam Nation: The Inside Story of Organized Cybercrime — from Global Epidemic to Your Front Door

Non-Fiction 2014

By Brian Krebs

KrebsOnSecurity journalist Brian Krebs goes inside the Russian underground that industrialized spam, carding, and payment card fraud — the same criminal ecosystem that Albert Gonzalez operated within before and during the Heartland breach. Krebs traces the rise of carder markets, bulletproof hosting, and the organized criminal networks that turned stolen card data into a global financial crime industry.

BOOK

American Kingpin: The Epic Hunt for the Criminal Mastermind Behind the Silk Road

Non-Fiction 2017

By Nick Bilton

Nick Bilton chronicles the rise and fall of Ross Ulbricht — the idealistic libertarian who built Silk Road, the dark web's first major marketplace. While focused on narcotics, the Silk Road investigation created the FBI, DEA, and IRS methodologies for dark web tracing and cryptocurrency forensics that were later applied to ransomware investigations like Colonial Pipeline and MOVEit. The playbook for following money through Tor to a real identity was written here.

BOOK

The Wires of War: Technology and the Global Struggle for Power

Non-Fiction 2022

By Jacob Helberg

Former Google News policy director Jacob Helberg examines the global contest between the United States and China for control of the technology infrastructure that underlies the modern world — from 5G networks to submarine cables to cloud platforms. The book provides essential strategic context for understanding Volt Typhoon's pre-positioning inside US critical infrastructure: Helberg argues that the infrastructure layer is the front line of the competition, and that control of it determines the outcome of future conflicts.

BOOK

Permanent Record

Non-Fiction / Memoir 2019

By Edward Snowden

Edward Snowden's account of his years inside the NSA's global surveillance architecture, the programs he exposed, and the decision to leak them. The memoir is essential context for the Salt Typhoon story: Snowden's PRISM and XKeyscore disclosures revealed the same CALEA-adjacent infrastructure that Chinese hackers penetrated a decade later. His observations about mandated surveillance backdoors as inherent security liabilities — dismissed at the time as alarmist — were vindicated when Salt Typhoon walked through the lawful intercept portal that US carriers were legally required to maintain.

BOOK

Number Go Up: Inside Crypto's Wild Rise and Staggering Fall

Non-Fiction 2023

By Zeke Faux

Bloomberg investigative reporter Zeke Faux travels from the FTX headquarters in the Bahamas to a Cambodian scam compound, tracing how the cryptocurrency boom enabled fraud, money laundering, and geopolitical crime at an unprecedented scale. The book's chapters on North Korean cryptocurrency theft — covering TraderTraitor's methodology of targeting crypto developers, exchanges, and bridge protocols — provide essential narrative context for the Lazarus Group operations profiled in the Bybit, Bangladesh Bank, and WannaCry archive entries. Faux's central argument: blockchain's radical transparency does not prevent theft; it only makes the evidence permanent.

BOOK

The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power

Non-Fiction 2019

By Shoshana Zuboff

Harvard Business School professor Shoshana Zuboff's landmark analysis of how Google, Facebook, and the data economy transformed human experience into a raw material for behavioral prediction and modification. The book's framework for understanding institutional data aggregation provides the theoretical underpinning for why the PowerSchool breach matters beyond identity theft: decades of children's behavioral, psychological, medical, and disciplinary records constitute exactly the behavioral surplus Zuboff describes — and the FERPA regulatory gap she implicitly anticipates. Essential reading alongside the OPM and PowerSchool archive entries.

BOOK

DeFi and the New Attack Surface: Oracle Manipulation, Flash Loans, and Protocol Exploits

Technical 2026

By Samczsun / Paradigm Research

A technical reference for understanding the exploit categories that have defined DeFi security failures since 2020 — from flash loan attacks and reentrancy bugs through the oracle manipulation class that the Drift Protocol exploit elevated to a $780 million event. Covers the Pyth Network oracle architecture, liquidation cascade mechanics, insurance fund sizing theory, and the oracle liquidity mismatch problem that made Drift's DRIFT-PERP market vulnerable. Includes post-Drift reform proposals for maximum open interest caps, circuit-breaker mechanisms, and the CFTC's evolving position on DeFi market manipulation jurisdiction. A practical companion to the Drift Protocol and Bybit archive entries for readers seeking the underlying protocol mechanics.

BOOK

Kill Switch: Medical Devices, Nation-States, and the Vulnerability of Connected Healthcare

Non-Fiction 2026

By Multiple Authors

A post-Stryker examination of the medical device cybersecurity crisis — from the first FDA cybersecurity guidance in 2014 through the January 2026 Sandworm firmware wipe that took 34,000 devices offline at 340 hospitals. The book covers the over-the-air update architecture that became a single point of failure, the regulatory gap that allowed CI/CD pipelines to share access with production code-signing HSMs, the historical pattern of nation-state pre-positioning in healthcare infrastructure, and the policy response: FDA Emergency Guidance 2026-01 and the Protecting Medical Devices from Cyberattack Act. Essential reading alongside the Stryker Device Wipe and NotPetya archive entries, as NotPetya's attack on pharmaceutical manufacturing (Merck: $870M in losses) and Stryker's firmware wipe represent two nodes on the same threat continuum.

BOOK

No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State

Non-Fiction 2014

By Glenn Greenwald

Guardian journalist Glenn Greenwald — one of the two reporters Edward Snowden chose to receive the NSA document archive — provides the authoritative first-person account of the disclosure: the Hong Kong meetings, the decisions about what to publish, the government pressure to suppress the stories, and the detailed technical content of the programs themselves. Where Citizenfour captures the moment and Permanent Record reconstructs Snowden's biography, No Place to Hide is the operational history of the disclosure and the most complete single-volume account of what the NSA's mass surveillance architecture actually collected. Essential companion reading to the Salt Typhoon and CALEA entries.

BOOK

The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age

Non-Fiction 2018

By David Sanger

New York Times national security correspondent David Sanger draws on years of reporting and off-the-record briefings to reconstruct the full arc of American cyber warfare doctrine: from Olympic Games and Stuxnet through the Sony hack, the OPM breach, the DNC intrusion, and the emergence of Sandworm. Sanger's central argument — that the United States pioneered offensive cyber operations without adequately considering the blowback of establishing norms that rivals would exploit — provides the strategic context for understanding why EternalBlue leaked from NSA to fuel WannaCry and NotPetya. The most comprehensive single account of how the US government simultaneously built and lost control of the most consequential cyber capabilities in history.

BOOK

Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World

Non-Fiction 2019

By Joseph Menn

Reuters cybersecurity journalist Joseph Menn traces the history of cDc — the Lubbock, Texas hacker collective that created Back Orifice (the first widely used remote access tool), pioneered responsible disclosure, coined the term "hacktivism," and produced an unlikely concentration of later tech-industry and policy figures including Beto O'Rourke. Menn's history of cDc is also a history of the hacker ethic as it evolved into professional security research: how the original phone-phreak ethos fractured into nation-state operators, criminals, and the security establishment — the same fracture the Zero Day Collective archive documents at the operational level.