In partnership with
Today's briefing:
FBI flags extortion crew sending fake IT staff into offices.
US strikes Iran after drone hits ship in the Strait of Hormuz.
Montreal officer and civilian killed in ambush by 911 call.
Welcome to your weekly briefing.
As protectors, we like to think we would see trouble coming. We train ourselves to read a room, clock the person who does not belong, and trust that itch at the back of the neck when something is off. But what happens when the threat does not look like a threat at all? When it walks up to the front desk with a clipboard and a confident smile, or hides inside a quiet week that convinces us the pressure is finally off?
That is the awkward ground we are working on right now. The people testing our clients and our buildings have worked out that the surest way past a good operator is to look like they belong there. Learning to catch that, before it costs you a client or your hard-won reputation, is fast becoming one of the most valuable things you can bring to the job.
This week On the Circuit, we look at where it is happening, and what it takes to stay a step ahead of it.
Don’t have time to read? Watch 👇
TOP STORY
He Said He Was IT
A man arrives at a law firm in a polo shirt and says he is the IT contractor here to service a machine. Reception is busy. He is calm, specific, and expected to be exactly this dull. Someone walks him back, he plugs a small storage device into a paralegal's computer, copies what he came for, and is gone before anyone thinks to confirm who sent him.
That is the scene the FBI described in a May 26 alert on the Silent Ransom Group, also tracked as Luna Moth, a crew that has worked US law firms since 2023 and has now added in-person entry to its remote playbook. The method is deliberately mundane. There is no malware for a firewall to catch, because the theft happens at the keyboard, behind every digital control the firm paid for.
The group never encrypts anything. It takes the data and threatens to leak or sell it, then calls staff and clients to apply pressure. Google's threat researchers watched operators move from access to staged, stolen files in under an hour. The targets are not hardened data centers. They are the data-rich, walk-in-friendly offices of law, finance, and professional services, chosen because the front door is the soft spot.
What stands out is the fix. The controls Google's analysts recommend are not network controls. They are reception controls: confirm every outside technician with the vendor's parent company out of band, log photo identification at the desk, check the visit against a real work order, and escort service personnel the entire time they are inside.
Our Take
This one affects us. For years, cyber has been treated as someone else's problem, a headache for the IT department, nothing to do with the people watching the door. Silent Ransom Group is betting we still think that way, and they are counting on a busy reception, a guard who waves through anyone with a confident manner and a work order, and a front desk that never thinks to ring the vendor and check.
The tables have turned and the firewall is no longer the first and last line of defense.
Escort every visitor, verify every contractor before they touch a machine, and ensure they leave with nothing they didn't bring.
Like it or not, this has become an access control and physical security concern, so ensure your protocols are watertight.
READER POLL
The stranger at the door says he's contractor here for scheduled maintenance. What's your protocol?
This week’s briefing is brought to you in partnership with:
Wake Up Smarter About AI.
Most AI news is a waste of time. The Future Today is a daily 5-minute read focused on what actually matters.
You’ll get exclusive interviews with the CEOs, researchers, and builders shaping AI. Plus top stories broken down simply and practical advice you can immediately apply.
Read the newsletter trusted by teams at NVIDIA, Google, Anthropic, Meta, Dell, and Salesforce.
MEANWHILE
How Long Does a Truce Last?
Nine days, this time. On June 25 an Iranian one-way attack drone struck the Singapore-flagged container ship Ever Lovely as it transited the Strait of Hormuz southeast of Oman. President Trump said Iran fired four drones at Strait shipping and that three were intercepted before the fourth struck; no crew were injured and the vessel continued its voyage. A day later US Central Command struck Iranian missile and drone storage sites and coastal radar, released declassified footage of the operation, and said it had concluded. Iran said a projectile hit a pier at its southern port of Sirik and claimed its Revolutionary Guard navy had struck US positions in the region.
The exchange came nine days after the Islamabad memorandum, signed June 17 by President Trump and Iranian President Masoud Pezeshkian, which opened a 60-day window to reopen the Strait and negotiate Iran's nuclear program. That agreement had paused an International Maritime Organization plan to evacuate 11,000 sailors from the area. Both governments now accuse the other of breaking it.
The Decoy Call
On June 22, at about 11:35 a.m., a 911 caller reported a gun protruding from a window at the Hilton Garden Inn in Montreal's Côte-des-Neiges neighborhood, along with the sound of gunshots. Officers from the Service de police de la Ville de Montréal who responded were met with rifle fire from a fixed position. Constable Mohamed Lamine Benredouane, 34, was killed, along with a civilian the Israeli Consulate identified as longtime Montreal resident Michel Mizrahi, 68. A second officer was critically wounded, and the gunman was shot dead by responding officers.
It was the first SPVM officer killed in the line of duty in 24 years. Police ruled out terrorism and warned of copycats, though the shooting took place in a neighborhood with a large Jewish community, and said they were examining a possible manifesto linked to the gunman.
Sound even smarter:
Silent Ransom Group is not new. It broke away from the Conti ransomware syndicate in March 2022, formed by the BazarCall operators who had supplied initial access for Conti and Ryuk, and it runs a professional English-speaking call center, which is why its people hold up as IT on the phone and at the front desk.
The walk-in is the latest of three escalations. The group ran fake-invoice callback phishing from 2022, shifted to phone calls impersonating internal IT in March 2025, then added in-person entry this year, registering dozens of look-alike help desk domains that spoof named US law and finance firms. Its ransom demands have run from one to eight million dollars.
SNAPSHOTS
🇿🇦 South Africa. Acting police minister Firoz Cachalia has enlisted private security firms and redirected R600 million ahead of nationwide anti-immigration marches planned for June 30.
🇧🇪 Belgium. Seven people were detained over the March bombing of the Great Synagogue of Liège, with investigators describing those held as paid hands acting for unnamed handlers.
🇷🇺 Russia. Ukraine's heaviest drone barrage yet set a major southern oil refinery ablaze on June 28, killing at least one and closing arterial roads toward Yaroslavl.
🇨🇴 Colombia. An activist investigating forced disappearances was abducted and tortured in Cartagena, the second such attack in a month, as Australia holds a "Do Not Travel" advisory on the Cauca region.
EXTRA INSIGHT
REGULATION. New York City's Aland Etienne Safety and Security Act (Local Law 061 of 2026) takes effect July 28, forcing private firms to pay prevailing wages to more than 60,000 guards under a tiered structure, with triple damages for underpayment.
HOSTILE SURVEILLANCE. A University of Glasgow student pleaded guilty to photographing "Doomsday" and reconnaissance aircraft at Offutt Air Force Base, the headquarters of US Strategic Command. The case began when a passerby reported a man with a long lens.
NEW RESOURCE FOR PREMIUM SUBSCRIBERS
The EP Business Case
Most security companies are one good operator and a phone that never stops.
The reputation that won the work belongs to the same person standing the detail, answering the client at midnight, and invoicing on Sunday. The business runs because of them. That is exactly why it never grows, and why so many founders end up with less money and less freedom than they had as employees.
We put real numbers on the jump from operator to owner:
What it actually costs to open a protection firm, plus the reserve nobody plans for.
The cash-flow gap that closes good companies in year one, while the order book is full.
The pricing mistake almost every new owner makes, and why pricing off your old day rate builds a business that can never afford to replace you.
Where the first real clients come from when protection is bought on trust, not ads.
It comes with a downloadable year-one operating model: startup cash, a pricing calculator, and a 12-month cash-flow projector that flags the month your account turns positive.
The thing that gets through is usually the thing you waved past, because it looked like it belonged. The practical question this week is who in your operation is actually allowed to verify a stranger, and whether they do it when they are busy. Walk your own front desk like you were the one trying to talk your way in. Most of the time, the gap is findable before anyone exploits it. The person who finds it first should be the one working for you.
See you next week.
– On The Circuit
If you found this useful, forward it to someone who needs to read it. If someone forwarded this to you, subscribe at circuit-magazine.com
To give or receive feedback, hit reply.
PREVIOUS POLL - RESULTS
Q: You're routing a principal through a major international airport where an insider threat has been reported. What's your call?
🟨🟨🟨🟨🟨⬜️ A. Abort and route through an alternate airport (33%)
🟨🟨🟨⬜️⬜️⬜️ B. Continue with heightened awareness at processing (24%)
🟩🟩🟩🟩🟩🟩 C. Divert to private terminal if available (43%)
⬜️⬜️⬜️⬜️⬜️⬜️ D. Something else. Let us know → (0%)
Your Comments:
TT: “A threat needs timing and resources to activate an attack, and not all attacks are life-threatening. So it depends on how badly the P needs to be in that airport on his itinerary.”
***
