Adversary Universe Podcast

How do you take down a cybercriminal? Last month, we explored that question through the lens of Operation Endgame. Today, we ask Shawn Henry, former Executive Assistant Director of the FBI and current Executive Advisor to the Founder and CEO of CrowdStrike.

In some ways, it’s similar to taking down criminals in the physical world. But the speed and scale of cybercrime operations exacerbate the challenge of stopping them. While infrastructure can be dismantled, the impact is now short-lived as adversaries pivot to other setups. While law enforcement considers how to replicate successful operations, cybercriminals are thinking about how they can adapt and stay ahead.

For those pursuing adversaries, speed and scale are difficult to achieve. As Shawn explains, successful takedowns require collaboration among dozens of groups; among them law enforcement agencies, international partners, intelligence analysts, reverse engineers, prosecutors, and private sector organizations that have visibility into adversary infrastructure.

“A takedown isn’t a single door-kick moment. It’s a monthslong choreography of legal process and infrastructure mapping and partner synchronization,” he says. Are there ways to accelerate the process? He has a few ideas.

Tune in as Shawn joins Adam and Cristian to share a behind-the-scenes take on stopping cybercrime. Learn the key challenges law enforcement faces, how a takedown comes together, why arrests alone aren’t enough to stop adversaries, and where there is still an opportunity to have real impact.

This was a busy year for the Adversary Universe podcast. We covered the emergence of new adversaries, the weaponization of AI, critical CrowdStrike research, and how cyberattacks look in different regions of the world.

To recap 2025, we’re revisiting the topics that resonated most with our listeners to share year-end updates. Adam and Cristian cover the I-Soon data leaks, evolution of China as a nation-state threat, re-emergence of SCATTERED SPIDER, and the latest in ransomware-as-a-service. Tune in to learn the factors that may shape Chinese cyber operations in 2026 and why SCATTERED SPIDER activity looks different now compared to its summer of cybercrime. As a bonus, Adam shares some of the latest eCrime stats his team is seeing as we close out 2025 and explains why he believes we’ll see “an explosion of zero-days” in the months ahead.

The adversary never slows down — and neither do we. We look forward to bringing you more information on the newest cyber threats in 2026.

For more information:
• I-Soon episode: See You I-Soon: A Peek at China’s Offensive Cyber Operations
• Blog post: Unveiling WARP PANDA, a New Sophisticated China-Nexus Adversary
• Blog post: CrowdStrike Services Observes SCATTERED SPIDER Escalate Attacks Across Industries

In November 2025, a major public-private sector collaboration took down three significant malware networks. Operation Endgame involved law enforcement agencies from six EU countries, Australia, Canada, the U.K., and the U.S., along with Europol and 30 private sector partners, including CrowdStrike. The dismantled infrastructure consisted of hundreds of thousands of infected computers containing several million stolen credentials.

Operation Endgame was a critical disruption of adversary operations — but it wasn’t the first. Law enforcement has for years sought to take down adversary infrastructure and often partners with private sector organizations like CrowdStrike to inform their operations. By disrupting the tools and processes threat actors rely on, these takedowns raise the cost for adversaries and make it harder for them to operate.

As Adam and Cristian discuss in this episode, takedowns require careful planning and constant innovation. Adversaries are always finding new techniques and tools, and law enforcement must do the same. While disruption may slow them down, threat actors are often quick to pivot and find new ways to achieve their goals.

In this episode, we examine how law enforcement takedowns disrupt adversary operations, how adversaries respond, where the private sector provides support, and what this all means for organizations facing modern threats.

Not all cybercrimes are resolved. Some threat groups disappear completely, and some malware is never seen again. But sometimes, a long-dormant case is cracked open and elusive answers are found.

Tillmann Werner, VP of Intelligence Production at CrowdStrike, has been a member of the CrowdStrike Intelligence team since 2012 and has analyzed many of these cold cases. In this episode, he joins Adam to chat about unresolved cyberattacks, the adversaries behind them, and cases that remained inactive for years before new technology or data allowed experts to close them. While it’s frustrating to close a file without success, Tillmann says, the evolution of technology and proliferation of data often help solve old cases that have collected dust.

Tune in to hear Adam and Tillmann look back at decades-old eCrime and nation-state campaigns, some of which now have answers — and others that remain a mystery.

CrowdStrike research into AI coding assistants reveals a new, subtle vulnerability surface: When DeepSeek-R1 receives prompts the Chinese Communist Party (CCP) likely considers politically sensitive, the likelihood of it producing code with severe security flaws increases by up to 50%.

Stefan Stein, manager of the CrowdStrike Counter Adversary Operations Data Science team, joined Adam and Cristian for a live recording at Fal.Con 2025 to discuss how this project got started, the methodology behind the team’s research, and the significance of their findings.

The research began with a simple question: What are the security risks of using DeepSeek-R1 as a coding assistant? AI coding assistants are commonly used and often have access to sensitive information. Any systemic issue can have a major and far-reaching impact. 

It concluded with the discovery that the presence of certain trigger words — such as mentions of Falun Gong, Uyghurs, or Tibet — in DeepSeek-R1 prompts can have severe effects on the quality and security of the code it produces. Unlike most large language model (LLM) security research focused on jailbreaks or prompt injections, this work exposes subtle biases that can lead to real-world vulnerabilities in production systems.

Tune in for a fascinating deep dive into how Stefan and his team explored the biases in DeepSeek-R1, the implications of this research, and what this means for organizations adopting AI.