The State of the Threat

April 19, 2026

Weekly Intelligence Brief — April 19, 2026

Seven stories this week. One pattern. In every one, the paperwork looked clean and the underlying reality did not match. Sanctions waivers. Federal contracts. AI vendor pitches. Cable transit maps. Broker authorizations. Contractor identity docs. The systems your business runs on all assume documents track reality. The companies that audit that assumption get a quarter to prepare. The ones that wait find out from the indictment.


Gunfire in the Strait, 24 Hours After "Fully Open"

Last week we said there was no diplomatic process to end the Hormuz closure. This week there's a process that nobody in industry believes.

Friday afternoon, Iran's Foreign Minister said the Strait of Hormuz was "completely open" to commercial vessels. Brent crude dropped about ten percent on the session.

Saturday morning, Iran's joint military command declared the strait back under the "strict management and control of the armed forces." Two Indian-flagged ships came under fire in Hormuz, the first reported gunfire on merchant vessels since the ceasefire began. India's Foreign Secretary met with the Iranian ambassador. BIMCO and INTERTANKO, the two largest shipping industry bodies, publicly rejected the "open" framing. Among the few successful transits this week: the Pakistan-flagged Shalamar and the Greek supertanker Atokos. Politicians say open. Shippers say otherwise.

Trump's deal terms were reported by Axios on Thursday and Friday. Twenty billion dollars in frozen Iranian funds released in exchange for Iran's enriched uranium stockpile. Trump publicly denied the money-for-uranium framing. Iran countered with a five-point demand. One of the five points: international recognition that Iran owns the Strait of Hormuz as sovereign territory. The US will not concede that.

The US sanctions waiver that let India buy Iranian crude expired Sunday. There is no extension. Banks handling Iranian oil trades starting Monday face secondary-sanctions exposure. A US-nexus bank could be cut off from dollar-clearing for processing a single trade. India has already field-tested a workaround: paying in Chinese yuan through an Indian bank's Shanghai branch. That bypasses the US dollar entirely.

Secretary of State Rubio is pushing European allies to fully enforce the UN snapback sanctions. The short version: France, Germany, and the UK triggered a clause in the 2015 Iran nuclear deal that restores the old UN sanctions on Iran. Those sanctions came back into force in September. Another US carrier group is deploying to the region.

The head of the Financial Stability Board (the international body that coordinates bank regulators) sent G20 finance ministers a letter on April 13. The Middle East conflict, combined with stress that was already building in markets outside the regulated banking system, could produce a "double or triple whammy." The financial system itself is now a pressure point, not just the oil market.

The Takeaway: Spend an hour this week writing down what breaks for your business if Hormuz stays closed for ninety days. Five things to list. Your suppliers based in the Gulf. Your suppliers whose own inputs come through the Middle East: energy, fertilizer, petrochemicals, pharmaceutical ingredients. Shipping routes you use that transit Hormuz or the Red Sea. Banks you rely on that might be processing Iranian oil trades starting Monday. Executives scheduled to travel to the region in the next two months. If you already did this once, do it again. The picture changed this weekend.

Sources: gCaptain — Iran Navy Tells Ships Hormuz Shut Again · Al-Monitor — Indian-flagged ships attacked · Axios — Iran deal terms · gCaptain — Shipping industry pushes back on "open" narrative · FSB — Bailey G20 letter

A 1940s Contract Just Became a 2026 Escape Hatch

A Louisiana jury hit Chevron with a $745 million verdict last year in one of forty-two parish coastal-damage suits filed against oil companies. Chevron wanted a related case out of Louisiana state court and into federal court. Their hook was a World War II contract. Chevron's predecessor made aviation fuel for the US military in the 1940s. That contract, Chevron argued, meant they were doing work "under federal direction" even for state-level environmental damage decades later.

The Fifth Circuit said the contract's link to the state-court case was too attenuated. SCOTUS vacated that ruling 8-0 on Thursday. Justice Thomas wrote the opinion. Justice Jackson concurred in the judgment. Justice Alito took no part.

State-court juries are generally more generous to plaintiffs than federal courts. That is the calculation behind every removal fight. The Chevron ruling broadens the "relating to" standard under the federal-officer removal statute. A federal contractor does not need to show that its federal duties strictly caused the challenged conduct. It is enough that the state-law claim is closely connected to the contractor's federal work.

Any company with federal contracts (defense primes, FedRAMP cloud providers, SaaS-to-government vendors, critical-infrastructure operators, even a supplier two tiers down a Pentagon contract) just got a stronger escape route from hostile state venues. If a 1940s contract sufficed, a current one with a live federal nexus is at least as strong an argument.

About eleven of the forty-two Louisiana coastal-damage suits share the wartime-contractor hook and are now more likely to move to federal court. The other thirty-one remain in state court. The $745 million jury verdict from last year sits on its own appellate track. SCOTUS did not address it directly.

The Takeaway: Send your General Counsel one question by Friday: does any of our current state-court litigation involve work we performed under a federal contract, even an old one? If yes, federal-officer removal is stronger this month than last. Flip-side check for the audit committee: if your company ever sues a federal contractor in state court, the venue you wanted may no longer be available.

Sources: Supreme Court opinion 24-813 · CourtListener mirror

When an AI Company Fakes Its Customers

The Eastern District of New York unsealed a ten-count indictment Thursday against the former CEO and CFO of iLearningEngines. The charge sheet alleges they fabricated "virtually all" of the company's customer relationships and revenue over multiple years. Specific charges include Continuing Financial Crimes Enterprise, securities fraud, and wire fraud.

The company went public in April 2024 through a SPAC merger. That's a shortcut onto the Nasdaq: a shell company that's already public acquires a private company, taking it public without the full IPO process. Valuation at deal: $1.4 billion. Peak: $1.5 billion. In August 2024, Hindenburg Research (a short-seller firm) published a report questioning the customer numbers. Chapter 11 bankruptcy filing in December 2024. Chapter 7 liquidation in March 2025.

Continuing Financial Crimes Enterprise is the charge DOJ reaches for when it wants to signal a pattern of criminal activity and pursue enhanced sentencing; the statute carries a ten-year mandatory minimum. It is not reserved for one-off accounting problems. EDNY's choice means DOJ sees a template it will use again.

The pattern has precedent. JPMorgan bought student-aid startup Frank for $175 million in 2021. Founder Charlie Javice allegedly inflated the user count from fewer than 300,000 to roughly 4.25 million before the deal. When JPMorgan asked for verification, she allegedly had a data-science contact generate a synthetic user list to match the inflated number. JPMorgan sued. SDNY prosecutors indicted her on four counts: securities fraud, wire fraud, bank fraud, and conspiracy. A jury convicted her on all four in March 2025. She was sentenced to seven years in federal prison in September. iLearningEngines is the same fraud pattern with more zeros and a different deal structure (SPAC instead of acquisition).

There is also a downstream question. What happens to real customer data when the company collapses? 23andMe filed Chapter 11 in March 2025 with the genetic data of more than 13 million customers on its servers. The fight over who could buy that data ran four months, through state attorneys general (27+ intervened), the FTC, and two rounds of bidding. In July, co-founder Anne Wojcicki bought the company back through her new nonprofit for $305 million, beating a $256 million Regeneron bid. A court order binds the buyer to the original privacy commitments. That was the good outcome. The bad outcome was on the table for four months. The same question applies to every AI vendor that holds something valuable. Customer records. Transaction histories. Chat transcripts. Training inputs. Strategy documents and contracts your own team uploaded to get work done. In a bankruptcy sale, that material moves to whoever bids highest. Your original privacy and confidentiality agreements do not automatically survive the acquirer.

The Takeaway: Two questions for your CFO and audit committee this week. First: which of our AI vendors have we verified, beyond their marketing deck, actually have the customers they say they do? Pull the list of AI vendors signed in the last twenty-four months. For each, ask what the verification process was and what evidence was retained. If the honest answer is "the pitch deck," you have the same exposure JPMorgan had with Frank. Second: for each AI vendor that holds our data (customer records, transaction histories, training inputs), what happens to that data if they file for bankruptcy? That is not a question procurement can answer from the signed contract. It is a question for your General Counsel. 23andMe made this question real for 13 million customers. The next collapse could make it real for yours, and for you: all the internal material your people uploaded to an AI tool to get work done (strategy documents, pricing data, deal terms, internal memos) sits on that vendor's servers, and a bankruptcy sale moves it along with everything else.

Sources: DOJ EDNY — iLearningEngines indictment · DOJ SDNY — Javice indictment (2023) · NPR — Javice convicted (March 2025) · CNBC — Javice sentenced (September 2025) · 23andMe — Chapter 11 announcement (March 2025) · MedTech Dive — 23andMe/TTAM sale approved

$340 Million a Week

The DOJ created the National Fraud Enforcement Division on April 7. Eleven days later, NFED published its first weekly enforcement tally. $340 million in fraud actions across seven days. COVID relief fraud in Kentucky, Indiana, and Colorado. An $11.4 million Medicare fraud case in Florida. Oregon pandemic unemployment-insurance fraud. New Mexico identity theft. Individual sentences ran from twenty-eight months to nine years.

The same week, the Government Accountability Office (Congress's nonpartisan audit arm) dropped a report documenting fraud-control gaps in federal programs that states administer. These programs moved more than one trillion dollars in FY 2025 alone. Medicaid. SNAP. Unemployment insurance. Federal grants. GAO identified the persistent failure modes: weak controls at the state agency level, siloed data that prevents cross-checking eligibility, outdated state IT systems, and scattered federal oversight. NFED now has a fresh evidence base to expand beyond individual fraudsters and into the state-contractor layer. Managed-care organizations. State unemployment-insurance tech vendors. SNAP payment processors. Benefits outsourcers. Grant administrators. Consultants funded by federal-to-state grants.

The shift from episodic to institutional matters. Fraud enforcement used to be big case, quiet period, big case. NFED intends to publish a weekly drumbeat. Compliance teams and audit committees now get a weekly feed to track, not the occasional headline.

The Takeaway: Assume an audit is coming. Prepare for it this week. If any of your revenue touches federal money that a state administers, pull your last fraud-controls review. That category is broader than most people assume. Medicaid contracts. Pandemic-era relief administration. State unemployment-insurance processing. SNAP processing. Grant-funded consulting. Benefits outsourcing. If the last review is more than twelve months old, schedule the next one before the end of the month. Two specific items the next review should add: vendor oversight controls mapped against GAO's named weaknesses, and a reconciled log of every federal-to-state transaction you've processed for the last five years, with supporting documentation pulled and organized. That's the reach of most federal fraud investigations. If you're exposed to False Claims Act cases, go back ten.

Sources: DOJ OPA — NFED weekly enforcement summary · GAO-26-109093 — State-administered programs fraud report

The Arsonist Owns the Fire Department

In March 2026, HMN Technologies (the successor to Huawei Marine, now owned by Hengtong Group) finished splicing 6,300 kilometers of new submarine cable across the Indian Ocean, extending the Pakistan-Egypt-Marseille PEACE system into Singapore. Three weeks later, on April 11, Chinese state-backed researchers tested a deep-water cable cutter rated to 3,500 meters. Same actor. Same body of water. Same month.

Most coverage this week was about the test. The relationship is the story. China is now both the alternative cable provider for countries the West will not sell to (Pakistan, Kenya, Egypt, increasingly the Gulf) and the demonstrated capability to sever cables at depths reaching most global traffic. Same hands. Both ends.

Two distinctions matter for the test itself. The earlier Russian playbook in the Baltic used dragged anchors at shallow depths, with deniability built into every incident. A purpose-built 3,500-meter cutter is a different category of tool: intentional, attributable, and reaching the depths where most intercontinental traffic actually runs. And the tool is a cutter, not an interceptor. It severs cables. It does not tap them. The strategic difference is denial of service versus collection of intelligence. China demonstrated the first.

The Western response capacity is already broken. Globally, 22 cable ships are dedicated to maintenance. Eight of them are younger than 18 years. One Finnish vessel is from 1978. SubCom, one of four global tier-1 cable operators, is exiting the maintenance business to focus on laying. TeleGeography estimates the West needs $3 billion through 2040 just to sustain current service levels. The Asia-Pacific specifically needs five additional ships beyond global replacements. None of them exist. None of them are ordered.

Vietnam already showed what this looks like. In 2023, all five of Vietnam's international cables were down simultaneously. Restoration took eight months. Repair vessels in the South China Sea now wait up to four months for Chinese permits that previously took ten days. Chinese coast guard vessels have intercepted Vietnamese repair crews inside Vietnam's own EEZ. The kill chain runs on permits Beijing already controls.

Taiwan has been hardening for the past year. Two days before the cutter test, on April 9, Taiwan's Ministry of Digital Affairs announced shallow-water cable armoring and microwave backup links. Two days later, Beijing demonstrated a tool for the depth Taiwan's hardening does not reach. The timing reads as a reply.

The audience sits in three capitals that already had cable-security spending in motion: Brussels (€347 million committed in February), Tokyo (subsidizing half the $300 million cost of new cable-laying ships), and Canberra (A$450 million for Pacific cable connectivity, framed by Australia's Chief of Navy as protecting "our lifelines"). All three packages locked before April 11. The cutter test arrived as a reply on top of them. Whatever the West spends, the ceiling moves. Either spending accelerates in panic, locking in another billion. Or it does not, and the demonstration was the answer.

The Takeaway: Pull your DR plan this week and answer one question with your Cloud Architect: what is our recovery time if three Pacific cables are cut simultaneously? If the answer assumes a one-month repair window, your plan is calibrated to a system that no longer exists. Vietnam took eight months in 2023, and the repair-fleet bottleneck is worse now than it was then. The follow-up is harder and slower. Send your CFO and General Counsel a memo asking which regulated data flows currently transit cables laid or operated by HMN Tech, particularly through Africa, the Middle East, Central Asia, or, as of March, Singapore. For financial services, healthcare, and defense contracting, that is a governance question your transit carriers can answer in writing. The next Pacific outage will be the repair queue, not the test.

Sources: SCMP — China tests submarine cable cutter at 3,500-metre depth · Submarine Networks — PEACE Cable Singapore extension · DCD — PEACE Singapore extension complete (March 2026) · TeleGeography — The Future of Submarine Cable Maintenance · Light Reading — Aging subsea cable fleet needs $3B · Stars and Stripes — South China Sea cable repair delays · Taipei Times — Taiwan MODA cable reinforcement (Apr 9, 2026) · EU Commission — €347M Cable Security Toolbox (Feb 2026) · CSIS — China's Underwater Power Play

Your Load Didn't Get Stolen. It Got Rerouted.

Fleet-management firm Geotab published its 2025 cargo-theft report in March. North American cargo theft hit $6.6 billion last year. Incidents rose 18 percent year over year. The average theft value climbed 36 percent to roughly $274,000 per event. Strategic theft (fraud, identity theft, falsified paperwork) is displacing traditional smash-and-grab crews. Geotab surveys show about a quarter of fleet professionals now cite strategic theft as their top threat.

Separate research published by Proofpoint and reported this month in The Record describes the digital playbook. Organized rings compromise freight brokers' and carriers' systems, often through remote-access tools. They hijack load assignments and redirect shipments to pickup points they control. The fraudulent pickups use the legitimate broker's authorization. By the time anyone notices a load did not arrive where it was supposed to go, the truck is gone, the goods are liquidating on secondary markets, and the digital trail looks like a routine reassignment the broker now swears they did not authorize.

Which insurance policy pays for this loss? Cargo insurers point to authorization: the goods left the shipper's control because someone issued instructions to move them. Cyber insurers point to the loss itself: physical property, not data or business interruption. Broker-defense and coverage attorneys are reporting the same pattern. Cargo carrier points to cyber policy. Cyber carrier points to cargo policy. The insured sits in the middle for months.

The Takeaway: If your business ships or receives freight at any scale (retail, manufacturing, pharmaceuticals, grocery, automotive parts, industrial supply), ask your risk manager one question before next quarter's renewal: if a load of ours disappears because the company that actually handles our shipping was hijacked, which of our policies pays? If the honest answer is "we would argue with both carriers for six months," that is the coverage gap to close this year. Then send the same question to your shipping vendors. The companies you contract for warehousing and distribution rely on freight brokers, who match loads to truckers. Most hijackings happen at the broker layer. Ask each vendor what controls they have on who can change a load assignment, and when they last audited those controls. This pattern is not on most risk registers. It should be.

Sources: The Record — Cargo-thieving hackers running sophisticated campaigns · Geotab 2025 cargo theft report

Tony, Danny, and Eighty People Who Were Not There

State of the Threat readers have followed this story all year. February 21: we covered the shift from fake LinkedIn profiles to stolen real identities. March 8: nearly every Fortune 500 CISO admitting they had unknowingly hired at least one DPRK IT worker. March 22: Treasury sanctions on the facilitators. This week, the prosecutions arrive.

Two US nationals were sentenced Tuesday in the District of Massachusetts. Kejia "Tony" Wang got 108 months. Zhenxing "Danny" Wang got 92 months. Both used Americanized first names in their day-to-day business. From 2021 through October 2024, they ran "laptop farms" out of New Jersey homes (literally rooms full of company-issued laptops, all logged in remotely by North Korean workers using virtualization software to mask their location).
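The laptop-farm mechanic above leaves two traces in ordinary device-management telemetry: many unrelated employees' company laptops checking in from one residential IP, and devices whose check-in location disagrees with the address on the employee's paperwork while a remote-control tool is running on them. The following is an added example written for this brief, not code from the DOJ filings or from any of the hiring companies. The check-in records, the IP-to-state table, the field names and the thresholds are all constructed for illustration; a real deployment would read from your MDM or EDR export and use a real geolocation source.

```python
"""Laptop-farm indicator check over endpoint check-in telemetry.

Added example. Two signals are computed from constructed MDM-style data:
  1. Fan-in: devices issued to several different employees all reaching the
     management server from the same residential egress IP.
  2. Mismatch: the egress IP's location disagrees with the state the employee
     declared at onboarding AND a remote-control tool is present on the host.
Known corporate egress (VPN concentrators, offices) is excluded from the
fan-in check, because a shared IP there is expected, not suspicious.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class CheckIn:
    device_id: str
    employee_id: str
    declared_state: str        # state on the employee's onboarding paperwork
    egress_ip: str             # public IP the device checked in from
    remote_tools: tuple[str, ...]  # remote-control processes seen on the host


# Constructed IP-to-state table standing in for a real GeoIP lookup.
GEO_TABLE = {
    ip_network("203.0.113.0/24"): "NJ",
    ip_network("198.51.100.0/24"): "TX",
    ip_network("192.0.2.0/24"): "CA",
}

# Constructed: the company's own VPN concentrator range. Shared IPs here are normal.
CORPORATE_EGRESS = [ip_network("192.0.2.0/24")]

# Assumed list of remote-control tools worth flagging when paired with a mismatch.
REMOTE_CONTROL_TOOLS = {"anydesk", "teamviewer", "rustdesk", "splashtop"}

# Assumed threshold: distinct employees behind one residential IP before we care.
FAN_IN_THRESHOLD = 3

# Constructed telemetry for the example.
SAMPLE_CHECKINS = [
    # Four unrelated employees' laptops, all reachable from one New Jersey home IP.
    CheckIn("LT-0412", "E1001", "CA", "203.0.113.17", ("anydesk",)),
    CheckIn("LT-0418", "E1002", "TX", "203.0.113.17", ("anydesk",)),
    CheckIn("LT-0433", "E1003", "WA", "203.0.113.17", ("teamviewer",)),
    CheckIn("LT-0451", "E1004", "NJ", "203.0.113.17", ()),
    # Legitimate remote employee in Texas; IT installed the support tool.
    CheckIn("LT-0502", "E2001", "TX", "198.51.100.8", ("teamviewer",)),
    # Three employees behind the corporate VPN: shared IP is expected.
    CheckIn("LT-0601", "E3001", "CA", "192.0.2.44", ()),
    CheckIn("LT-0602", "E3002", "CA", "192.0.2.44", ()),
    CheckIn("LT-0603", "E3003", "CA", "192.0.2.44", ()),
]


def geolocate(ip: str) -> str | None:
    """Return the state for an IP from the constructed table, or None if unknown."""
    addr = ip_address(ip)
    for net, state in GEO_TABLE.items():
        if addr in net:
            return state
    return None


def is_corporate_egress(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_EGRESS)


def fan_in_findings(checkins, threshold=FAN_IN_THRESHOLD):
    """Residential IPs that serve devices for >= threshold distinct employees."""
    by_ip: dict[str, set[str]] = defaultdict(set)
    for c in checkins:
        if not is_corporate_egress(c.egress_ip):
            by_ip[c.egress_ip].add(c.employee_id)
    return {ip: sorted(emps) for ip, emps in by_ip.items() if len(emps) >= threshold}


def mismatch_findings(checkins):
    """Devices whose observed state differs from the declared one and run a remote tool."""
    out = []
    for c in checkins:
        observed = geolocate(c.egress_ip)
        tools = sorted(t for t in c.remote_tools if t.lower() in REMOTE_CONTROL_TOOLS)
        if observed and observed != c.declared_state and tools:
            out.append({"device": c.device_id, "employee": c.employee_id,
                        "declared": c.declared_state, "observed": observed, "tools": tools})
    return out


def triage(checkins):
    """Combine both signals into one list of employees to re-verify on live video."""
    fan_in = fan_in_findings(checkins)
    mismatches = mismatch_findings(checkins)
    suspects: set[str] = set()
    for emps in fan_in.values():
        suspects.update(emps)
    suspects.update(m["employee"] for m in mismatches)
    return {"fan_in": fan_in, "mismatches": mismatches, "suspect_employees": sorted(suspects)}


if __name__ == "__main__":
    result = triage(SAMPLE_CHECKINS)
    for ip, emps in result["fan_in"].items():
        print(f"fan-in: {ip} serves {len(emps)} employees: {', '.join(emps)}")
    for m in result["mismatches"]:
        print(f"mismatch: {m['device']} ({m['employee']}) declared {m['declared']}, "
              f"seen in {m['observed']}, tools={m['tools']}")
    print("re-verify:", result["suspect_employees"])
```

On the constructed data, the New Jersey IP is flagged for fan-in and three of its four devices also trip the mismatch rule; the fourth employee, who declared New Jersey, is caught only by fan-in, which is why both signals are combined. The Texas support case and the VPN users produce nothing. The output is a list of people to put on a live video call, not a verdict: the follow-up is the human check the takeaway below asks HR for.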

The North Korean workers themselves applied for jobs using the stolen identities of more than 80 actual US citizens. One hundred-plus US companies, many Fortune 500, hired what they thought were US-based IT workers. The Wangs and four other US facilitators split nearly $700,000. The DPRK netted more than $5 million. Hiring companies absorbed at least $3 million in damages. The Wangs are ordered to forfeit $600,000.

What makes this case bigger is the roster of co-defendants around them. The same indictment names eight Chinese nationals and two Taiwanese nationals. DOJ is no longer prosecuting laptop-farm operators in isolation. They are prosecuting the cross-border facilitation network. Separately, Ukrainian national Oleksandr Didenko was sentenced in February for providing the stolen US identities themselves. Different layer, same scheme.

At least one hiring company was a California defense contractor whose ITAR-controlled technical data (ITAR governs who can see US weapons-related technology) was exposed before the scheme was caught. US HR verified the paperwork. Social Security number, bank account, address, all clean. Nobody verified the person on the other end of the laptop.

Pull back from the names for a moment. The mechanism is what should worry you. Whatever your verification process is, if it stops at documents, it does not catch the person who is not there.

The Takeaway: More than 80 Americans had their stolen identities used to apply for jobs at the companies in this case. Your HR may have cleared one of those applications without knowing it, full-time or contract. Take two questions to your team this week. First, to your HR lead: does our onboarding for any remote role in IT, software engineering, or finance, employee or contractor, include a live video verification of the person submitting the documents? If the answer is no, you have the same gap as the defense contractor in this indictment. Second, to your General Counsel: if a remote hire turns out to be a stolen-identity DPRK worker, what is our exposure to the customers whose data they touched, the partners whose systems they reached, and OFAC for the wages we sent to Pyongyang? Verify-and-clawback language in employment and contractor agreements is one answer. Insurance is another. Negligent-hiring liability to a customer is a third, and it does not require us to have known.

Sources: DOJ D.Mass press release · The Record — New Jersey men sentenced · BleepingComputer — laptop farm sentencing · The Register — Nork IT worker facilitators sentenced


Got this forwarded to you? Subscribe at stateofthethreat.com/subscribe — one email per week, no tracking, no spam.

Know someone who needs this? Forward this email. The threats they don't know about are the ones that hurt.

Read past briefs at stateofthethreat.com
