The Infrastructure Crackup Is Here—And Nobody's Ready
From GPU hacks to state-sponsored router attacks, the security collapse we've been warned about isn't coming. It's already here.
The hacks aren’t getting scarier. They’re getting lazy.
That’s the real message buried in this week’s security headline pile. State-sponsored actors are now rolling into consumer routers with the enthusiasm of someone raiding a convenience store. Meanwhile, Nvidia GPUs running your machine learning workloads can be completely seized through Rowhammer attacks—a vulnerability so old it’s been public since 2014. And some random monitoring startup called Anodot just got breached, dragging down a roster of corporate customers including Rockstar Games into extortion hellscape.
This isn’t a rising tide. It’s a dam with cracks everywhere and someone’s already poking holes in the concrete to see what happens.
Photo by Cầu Đường Việt Nam / Pexels
When National Governments Treat Your Router Like Low-Hanging Fruit
Russia’s military intelligence just hacked thousands of consumer routers. Not critical infrastructure routers. Consumer routers. The kind you buy at Best Buy for $80.
Think about what that tells you. It says that state-sponsored attackers have moved past the phase where they need to prove they can hit hard targets. They can now afford to be sloppy, because the density of vulnerable devices is so absurd that spray-and-pray works. It’s the cyber equivalent of finding out your locks are so bad that burglars don’t bother picking them—they just shoulder-check the door.
Iran-linked hackers are simultaneously disrupting operations at US critical infrastructure sites. These aren’t theoretical threats in security conference slideshows. These are active operations, happening right now, against systems that keep power flowing and water running.
Here’s what kills me: we’ve known router security was trash for over a decade. The industry chose not to fix it because routers are cheap and profitable-on-volume. Firmware updates are hard. Security patches cut into margins. So millions of devices ship with default credentials and unpatched vulnerabilities, and now they’re pivot points for nation-state campaigns.
This is what happens when you optimize for quarterly earnings instead of not-getting-owned.
Photo by UMA media / Pexels
Your GPU Just Became a Vulnerability With Legs
The Rowhammer GPU attacks are the plot twist that should wake people up.
Rowhammer itself is a memory bit-flip vulnerability that’s been known since researchers published it in 2014. It exploits the way dynamic RAM refreshes itself—if you hammer one memory cell repeatedly, it can corrupt adjacent cells. For years, people thought it was a theoretical problem. You’d need physical access or extraordinarily precise timing. It seemed like something future-you could worry about.
Then people figured out how to do it remotely. Then they figured out how to do it against GPUs specifically. And now complete machine control is on the table.
This matters because GPUs are everywhere now. They’re in data centers running your LLMs. They’re in workstations training models. They’re in cloud instances processing your company’s data. And if an attacker can flip the right bits in the right GPU’s memory, they own the whole machine.
Nvidia’s put out patches. Of course they have. But how many deployments are actually running them? My read is: not enough. Companies patch when they’re forced to, and GPU patches often require system reboots that kill running workloads. So they skip them. And they stay vulnerable.
The Anodot Ripple Effect
A monitoring platform got breached. Its customers are getting extorted. This is becoming the template.
The fact that Anodot was the attack vector is almost beside the point. What matters is that Anodot’s customers—and by extension, their customers’ customers—are now in a chain where one weak link exposed everyone downstream. Rockstar Games is household-name famous. They’re presumably well-staffed on security. And they still got caught because someone upstream of them got sloppy.
This is the topology that keeps me up at night. We’ve built dependency chains so tight that a breach anywhere in the stack contaminates the whole system. Anodot didn’t even have to be in your supply chain for you to care about Anodot. You had to care because someone you depend on depends on them.
The Confounding Signals (Where I Genuinely Don’t Know)
Here’s the honest part: Trump administration officials may be encouraging banks to test Anthropic’s Mythos model—except the Department of Defense recently declared Anthropic a supply-chain risk. That’s incoherent. Either Anthropic is trustworthy enough for banking infrastructure or it isn’t.
My best guess? There’s no actual coordination happening. One part of government thinks one thing, another part thinks another, and nobody’s talking to anyone else. Which is somehow worse than active conspiracy.
The Real Story: We’re Infrastructure Frauds
Let me zoom out because the details are almost beside the point.
The US critical infrastructure runs on systems that are simultaneously over-engineered for the 1970s and criminally under-secured for 2025. We have nuclear plants running on networks that can’t be patched without a shutdown window. We have financial systems dependent on decades-old protocols. We have military supply chains trusting vendors who might also be supply-chain risks. It’s not fragile. It’s fraudulent.
Broadcom’s so-called “negative” perceptions are driving thousands of VMware migrations. People are literally running toward the exits. Why? Because they don’t trust the company stewarding their virtualization layer. When your customers start fleeing, it’s not because of PR problems. It’s because of competence problems. And now Broadcom-managed infrastructure is scattering across competitors, which creates new integration risks, new patch windows, new attack surfaces.
Roblox is introducing age-gated accounts for kids. That’s smart consumer protection. But it’s also tacit admission that the internet is unsafe enough that you need to algorithmically isolate five-year-olds from the full platform. We’ve built a world so compromised that we’re now partitioning it by age.
What This Means
I think we’re in the early stages of a security inversion. For 30 years, the assumption was that attacks were rare and expensive. Nation-states were the only actors who could pull off sophisticated stuff. Commercial hackers were scarce. But the cost curve has flipped.
Now attacks are cheap. Rowhammer is a public technique. Router exploitation is commodified. LLMs can help write exploit code. The marginal cost of attacking something is approaching zero, while the cost of defending stays high.
The math breaks. You can’t defend against infinite attacks. So organizations will stop trying to defend everything and instead focus on containment. They’ll segment networks. They’ll assume everything’s compromised and build for resilience instead of prevention. They’ll accept losses as a operating cost.
My prediction: By Q3 2025, we’ll see the first major bank publicly acknowledge that customer data was extracted and that they’re not paying the ransom. They’ll frame it as “principled.” The market will tank the stock for 72 hours. Then everyone will realize that banks can survive breaches, actually. Insurance covers it. Customers don’t leave. And that’s when the attacks accelerate, because the risk-reward finally tips.
What I’m Watching
-
DoD-Anthropic escalation clock: If Anthropic gets formally barred from government contracts within 60 days, it’s a tell that the supply-chain risk declaration wasn’t just posturing. If it doesn’t, assume it was political theater. Either way, watch for banks publicly pulling back on Mythos pilots.
-
Rowhammer patch adoption in cloud providers: Monitor AWS, Azure, and GCP’s GPU instance patches through Q2. If any of them quietly restarts fleet without announcing it, that’s them losing confidence in the vulnerability being theoretical.
-
Rockstar’s security response timeline: Do they go full transparency or radio silence? Corporate responses to extortion usually tip whether the broader industry thinks breaches are now a cost of doing business.
-
VMware’s market share collapse measured at the next quarterly earnings call. If migrations accelerate past the “negative sentiment” phase into “active exodus,” that’s the moment we’ll know that trust in infrastructure stewards is actually broken, not just bent.