
LABScon25 Replay | Please Connect to the Foreign Entity to Enhance Your User Experience

6 May 2026, 10:00

In this LABScon 25 presentation, Joe FitzPatrick explores how networked devices manufactured overseas have quietly become indispensable to everything from small-business prototyping labs to roadside infrastructure. He argues that the safeguards meant to manage the risks these devices introduce are, in practice, largely ineffective.

Starting with recent reports of undocumented cellular radios found in solar inverters used in U.S. highway infrastructure, Joe notes that adding that kind of connectivity to a device with an exposed serial port takes minutes and can be done by anyone: the manufacturer, the installer, or someone who came along later.

From there he covers the familiar mechanisms by which banned hardware finds its way into supply chains anyway, through relabeling and FCC-certified modular components, before turning to mandatory product activation in consumer devices like drones and 3D printers, and what it actually takes to use them without phoning home.

The deeper problem is that small businesses and infrastructure operators are genuinely dependent on imported hardware because it works and it’s affordable. A significant amount of it runs on devices that connect to foreign entities by default, and there’s no clean domestic alternative.

Joe concludes that import bans don’t fix problems that exist equally in domestic products, and that trade policy is the wrong tool for what is fundamentally a consumer safety problem. His preferred alternatives are right to repair with offline use guarantees, hardware and firmware bills of materials, and comprehensive privacy legislation.

This talk is essential viewing for security practitioners concerned about hardware supply chain risks, the unexpected connectivity of critical infrastructure, or the US’s deep dependence on foreign-manufactured consumer electronics.

About the Author

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent most of his career working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past decade developing and delivering hardware security related tools and training, instructing hundreds of security researchers, pen testers, and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

LABScon 2026 | Call For Papers

Submission Deadline: June 19, 2026

LABScon is a unique venue for original research to be shared among peers. The benefit of an invite-only audience of researchers is that there’s no need for long preambles or introductions – speakers are encouraged to dive right into their technical findings.

  • Original content only.
  • Talks are 20 minutes long + 5 minutes for Q&A.
  • Workshops are 90 minutes long.
  • LABScon is primarily a threat intelligence and vulnerability research conference, but we keep an open mind.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon25 Replay | Are Your Chinese Cameras Spying For You Or On You?

22 April 2026, 19:00

In this LABScon 25 presentation, Marc Rogers and Silas Cutler explore the complex, “shadow” supply chain of ultra-cheap Chinese smart home devices, specifically focusing on video doorbells and security cameras widely sold on mainstream online shopping platforms under various rotating brand names like Eken and Tuck.

Marc, who assisted the FCC Enforcement Bureau in its investigations, and Silas reveal how these devices often share identical hardware platforms powered by Allwinner semiconductors, a company heavily subsidized by the Chinese government.

Firmware analysis uncovered hardcoded root passwords and supposed security fixes that amounted to little more than commenting out vulnerable services from startup scripts rather than removing them. Despite appearing to use local cloud services, metadata and video content are frequently routed through servers in Hong Kong and China.
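The two firmware findings above (hardcoded root credentials, and "fixes" that only comment a service out of a startup script while leaving its binary on the image) are the kind of thing a defender can check for mechanically after unpacking an image. The following audit script is an added illustration and is not code from the talk or from SentinelLABS; it runs over a constructed in-memory miniature of an extracted root filesystem (the `FIRMWARE_FS` dictionary, path to file text), which is an assumption standing in for whatever `binwalk`/`unsquashfs` would produce, and the `$1$...` hash and the `cloud_agent` name in it are made up.

```python
import os
import re
from typing import Dict, List, Tuple

# Constructed miniature of an extracted firmware root filesystem (path -> content).
# The password hash and binaries are invented for the example.
FIRMWARE_FS: Dict[str, str] = {
    "/etc/passwd": (
        "root:$1$CoNsTrUcTeD$abcdefghijklmnopqrstu:0:0:root:/root:/bin/sh\n"
        "nobody:*:99:99:nobody:/:/bin/false\n"
    ),
    "/etc/init.d/rcS": (
        "#!/bin/sh\n"
        "mount -t proc proc /proc\n"
        "#telnetd -l /bin/sh &\n"          # "fixed" by commenting out, binary still shipped
        "/usr/bin/cloud_agent &\n"
    ),
    "/usr/sbin/telnetd": "<binary>",
    "/usr/bin/cloud_agent": "<binary>",
}

BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Hash field values that mean "no usable password here": empty, shadowed, or locked.
PLACEHOLDER_HASHES = {"", "x", "*", "!", "!!"}


def find_hardcoded_password_hashes(fs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (file, user) for every account that ships with a real password hash.

    Any hash baked into the image is the same on every unit sold, which is what
    makes a "hardcoded root password" a fleet-wide problem rather than a per-device one.
    """
    findings = []
    for path in ("/etc/passwd", "/etc/shadow"):
        for line in fs.get(path, "").splitlines():
            fields = line.split(":")
            if len(fields) < 2:
                continue
            user, pw_hash = fields[0], fields[1]
            if pw_hash in PLACEHOLDER_HASHES or pw_hash.startswith(("!", "*")):
                continue
            findings.append((path, user))
    return findings


def find_commented_out_services(fs: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Return (script, line_no, binary_path) for commented-out launches of binaries
    that are still present on the image.

    Heuristic: a comment line whose first token names a binary under a bin directory.
    A shebang line (#!) is not a comment for this purpose.
    """
    binaries = {os.path.basename(p): p for p in fs if p.startswith(BIN_DIRS)}
    comment_cmd = re.compile(r"^\s*#(?!!)\s*([A-Za-z0-9_./-]+)")
    findings = []
    for path, content in fs.items():
        if not (path.startswith("/etc/init.d/") or path.startswith("/etc/rc")):
            continue
        for line_no, line in enumerate(content.splitlines(), start=1):
            m = comment_cmd.match(line)
            if not m:
                continue
            binary = binaries.get(os.path.basename(m.group(1)))
            if binary:
                findings.append((path, line_no, binary))
    return findings


def audit(fs: Dict[str, str]) -> Dict[str, list]:
    """Run both checks and collect the results in one report."""
    return {
        "hardcoded_hashes": find_hardcoded_password_hashes(fs),
        "commented_out_services": find_commented_out_services(fs),
    }


if __name__ == "__main__":
    for check, hits in audit(FIRMWARE_FS).items():
        print(check)
        for hit in hits:
            print("  ", hit)
```

The second check is deliberately conservative: it only flags a commented-out line when the named binary is still on the image, which is exactly the "disabled but not removed" pattern described above and avoids flagging ordinary explanatory comments.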

Rogers and Cutler trace a network of shell companies and fictional personas entirely absent from tax and voter records. These entities use non-responsive registered agents and PO boxes specifically set up to refuse legal service, effectively shielding the actual manufacturers from regulatory oversight and making enforcement nearly impossible.

The rapid iteration of hardware versions with no long-term support mirrors distribution patterns more commonly associated with malware campaigns.

While the investigation stops short of attributing direct malice, Rogers and Cutler argue that these devices collectively form a massive, vulnerable IoT surface that can be controlled through simple configuration pushes from overseas. Consumers are drawn in by low prices and subscription features, unaware that their data ultimately resides under foreign control.

About the Authors

Marc Rogers is Co-Founder and Chief Technology Officer for the AI observability startup nbhd.ai. Marc has served as VP of Cybersecurity Strategy for Okta, Head of Security for Cloudflare and Principal Security researcher for Lookout. In his role as technical advisor on USA’s “Mr. Robot” and the BBC’s “The Real Hustle”, he helped create on-screen hacks for both shows.

Silas Cutler is a Principal Security Researcher at Censys, with over a decade of experience tracking threat actors and developing methods for pursuit. Before Censys, he worked as Resident Hacker for Stairwell, Reverse Engineering Lead for Google Chronicle, and as a Senior Security Researcher on CrowdStrike’s Intelligence team.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon25 Replay | Your Apps May Be Gone, But the Hackers Made $9 Billion and They’re Still Here

17 March 2026, 10:00

In this LABScon 25 talk, Andrew MacPherson dives deep into the high-stakes world of crypto crime, which has amassed approximately $9 billion in illicit funds. Andrew demystifies the technical landscape and exposes the sophisticated attack vectors plaguing the decentralized finance (DeFi) space.

The talk begins with an explanation of the core concepts necessary to understand crypto-related security threats, including definitions of blockchains, wallets, and smart contracts. Andrew explains that a key architectural difference in many crypto applications is that they typically consist solely of a frontend, with all interactions happening in the browser via the wallet extension.

The talk then moves on to focus on attack patterns. Crypto thieves target every weak point, from applications and code to the developers and executives themselves. The speaker details the largest crypto heist to date, the $1.5 billion loss from Bybit. This attack involved infecting a developer’s machine, gaining access to production JavaScript code, and modifying it to authorize a full wallet drain during a multi-signature transaction. The talk also covers supply chain risks like typo-squatting, exploitation of personal servers like Plex to compromise GitHub accounts, and the rise of “drainers as a service” that simplify crypto theft.

Andrew also covers the challenges attackers face in laundering stolen funds, and how they leverage techniques such as cross-chain swaps, mixers like Tornado Cash, and non-KYC platforms for conversion to cash. Although all blockchain transactions are public and permanent, the presentation also discusses the challenges threat intel analysts face in tracking these rapidly moving funds.

Andrew’s presentation is essential viewing for anyone interested in cryptocurrency and cybersecurity, especially those looking to understand the technical realities of financial crime in the decentralized era.

About the Author

Starting at Paterva, Andrew Macpherson spent more than 10 years creating Maltego before moving to the US for security roles at BitMEX (IR), Robinhood (IR/D&R), Uniswap (Head of Security), and now Privy (Principal Security Engineer). He’s spoken at Black Hat, DEF CON, DSS, EthCC and countless others, teaching courses and drinking malibu on the way.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon25 Replay | How to Bug Hotel Rooms v2.0

21 January 2026, 11:00

In this talk, Phobos Group’s Dan Tentler evolves his previous work on hotel room security by demonstrating a fully portable security system built on Home Assistant, Z-Wave devices, CO2 sensors, and millimeter wave radar. What began as basic physical security measures has transformed into a tactical deployment platform capable of detecting human presence through walls, triggering automated alerts, and providing comprehensive situational awareness in temporary accommodations.

Dan walks through the technical fundamentals of each component, explaining how mmWave radar units can detect movement and presence in neighboring rooms or hallways, how CO2 sensors reveal occupancy patterns, and how Home Assistant ties everything together into an automation framework. The system can send alerts, capture images, or trigger any action Home Assistant supports, all deployed and configured rapidly in unfamiliar environments.

The presentation covers real-world use cases that demonstrate the system’s capabilities beyond traditional hotel rooms. For security professionals, researchers, and anyone concerned with physical security while traveling, this talk reveals how consumer automation technology can be repurposed into a sophisticated portable security platform.

About the Author

Dan Tentler is the Executive Founder and CTO of Phobos Group, a boutique information security services and products company. Having been on both red and blue teams, Dan brings a wealth of defensive and adversarial knowledge to the security landscape. Dan has spent time at Twitter, British Telecom, Websense, Anonymizer, Intuit and Sempra Energy and has a strong background in systems, networking, architecture and wireless networks.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon25 Replay | Hacktivism and War: A Clarifying Discussion

14 January 2026, 11:00

This LABScon talk explores how hacktivist activity is strategically leveraged by nation-states and mercenary groups to obscure intent, destabilize targets, and weaponize public narratives. SentinelLABS’ Jim Walter draws on his decades of malware research and threat intelligence experience to decode the hacktivism ecosystem through a unique tooling-based analysis.

Using a four-tier framework for categorizing hacktivist groups, Jim describes a pyramid-shaped ecosystem that ranges from “commodity craptivism” at its bottom, characterized by high noise and low signal, to sophisticated state-front operations at the top, responsible for attacks with physical consequences timed to real-world events.

Jim explains why state-level threat actors increasingly adopt hacktivist personas. The motivations include plausible deniability, narrative control, and strategic influence operations designed to erode confidence in target regimes.

Through examples like Anon Sudan, Belarusian Cyber Partisans, NullBulge, and state-linked operations such as MeteorExpress and Handala, the talk reveals the distinguishing traits that separate top-tier actors from the rest. These indicators include consistent multi-year messaging, willingness to forgo financial gain, sophisticated prepositioning capabilities, and measured communications crafted by professional writers.

The presentation concludes that most high-impact hacktivism reported today is actually “fictivism”, state-sponsored proxy operations masquerading as grassroots activism. With state actors leveraging this increasingly chaotic landscape to advance geopolitical objectives while maintaining deniability, this talk is essential viewing for anyone interested in the current hacktivist threat landscape.

About the Author

Jim Walter is a Senior Threat Researcher at SentinelLABS focusing on evolving trends, actors, and tactics within the thriving ecosystem of cybercrime and crimeware. He specializes in the discovery and analysis of emerging cybercrime “services” and evolving communication channels leveraged by mid-level criminal organizations. Jim joined SentinelOne following ~4 years at a security start-up, also focused on malware research and organized crime. Previously, he spent over 17 years at McAfee/Intel running their Threat Intelligence and Advanced Threat Research teams.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon25 Replay | Simulation Meets Reality: How China’s Cyber Ranges Fuel Cyber Operations

25 November 2025, 11:00

Between late 2024 and early 2025, the United States government issued indictments or sanctions against three Chinese information security firms – i-SOON, Sichuan Silence, and Integrity Tech – alleging their support for or links to malicious cyber groups targeting US government and critical infrastructure systems.

In this talk, Mei Danowski and Eugenio Benincasa discuss their research in which they found that all three companies serve as a key seedbed for nurturing China’s offensive cyber talent with cyber range services, which train cybersecurity professionals through “attack-defense live-fire” (攻防实战) exercises.

The speakers explain how, alongside hacking contests and crowdsourced bug bounty programs, attack-defense live-fire exercises are one of the primary mechanisms leveraged by the Chinese government to enhance its cyber capabilities, with support from a rapidly growing private cybersecurity industry of more than 4000 product and service providers.

The presentation goes on to focus on the development of attack-defense exercises and commercial cyber ranges in China, areas that have received relatively little attention to date, examining how this ecosystem shapes China’s offensive cyber capabilities.

The presentation is based on an upcoming research report that draws on Chinese-language sources – including company directories, public business data, job postings, university websites, and interviews in obscure publications – to map China’s cybersecurity industry. This unique talk discusses 120 companies identified as providers of attack-defense exercises and cyber range services, and profiles several of these key companies to assess their role in supporting state-linked cyber operations.

About the Authors

Mei Danowski is co-founder and principal of Natto Thoughts, a provider of cyber threat intelligence research and analysis with a specialization in geopolitical, economic, social, cultural, and linguistic perspectives. Mei’s research areas include strategic threat intelligence and East Asian political, military, economic, and strategic affairs.

Eugenio Benincasa is a Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich. Prior to joining CSS, Eugenio worked as a Threat Analyst at the Italian Presidency of the Council of Ministers in Rome and as a Research Fellow at the think tank Pacific Forum in Honolulu, where he focused on cybersecurity issues.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon25 Replay | LLM-Enabled Malware In the Wild

3 November 2025, 11:00

This presentation explores the emerging threat of LLM-enabled malware, where adversaries embed Large Language Model capabilities directly into malicious payloads. Unlike traditional malware, these threats generate malicious code at runtime rather than embedding it statically, creating significant detection challenges for security teams.

SentinelLABS’ Alex Delamotte and Gabriel Bernadett-Shapiro present their team’s research on how LLMs are weaponized in the wild, distinguishing between various adversarial uses, from AI-themed lures to genuine LLM-embedded malware. The research focused on malware that leverages LLM capabilities as a core operational component, exemplified by notable cases like PromptLock ransomware and APT28’s LameHug/PROMPTSTEAL campaigns.

The presentation reveals a fundamental flaw in the way much current LLM-enabled malware is coded: despite their adaptive capabilities, these threats hardcode artifacts like API keys and prompts. This dependency creates a detection opportunity. Delamotte and Bernadett-Shapiro share two novel hunting strategies: wide API key detection using YARA rules to identify provider-specific key structures (such as OpenAI’s Base64-encoded identifiers), and prompt hunting that searches for hardcoded prompt structures within binaries.

A year-long retrohunt across VirusTotal identified over 7,000 samples containing 6,000+ unique API keys. By pairing prompt detection with lightweight LLM classifiers to assess malicious intent, the SentinelLABS researchers successfully discovered previously unknown samples, including “MalTerminal”, potentially the earliest known LLM-enabled malware.

The presentation addresses implications for defenders, highlighting how traditional detection signatures fail against runtime-generated code, while demonstrating that hunting for “prompts as code” and embedded API keys provides a viable detection methodology for this evolving threat landscape. A companion blog post was published by SentinelLABS here.
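The two hunting strategies described above (provider-shaped API keys, and "prompts as code" embedded in a binary) can be sketched in a few dozen lines. The script below is an added example, not the SentinelLABS YARA rules or the researchers' classifier: it extracts printable strings from a blob the way `strings` does, matches a handful of key shapes and prompt markers, and combines the two signals into a triage verdict. The key prefixes and prompt phrases are assumptions chosen for illustration, the `SAMPLE_BINARY` is constructed, and `FAKE_KEY` is not a real credential.

```python
import re
from typing import Dict, List, Tuple

# Assumed key shapes for illustration: a provider prefix followed by a long run of
# token characters. These are not the YARA rules from the talk. The negative
# lookahead keeps the generic "sk-" rule from swallowing the "sk-ant-" shape.
API_KEY_PATTERNS = {
    "openai_style": re.compile(rb"sk-(?!ant-)(?:proj-)?[A-Za-z0-9_-]{32,}"),
    "anthropic_style": re.compile(rb"sk-ant-[A-Za-z0-9_-]{32,}"),
    "google_style": re.compile(rb"AIza[0-9A-Za-z_-]{35}"),
}

# Assumed markers of a hardcoded prompt or chat-completion request structure.
PROMPT_REGEXES = [
    re.compile(p, re.IGNORECASE)
    for p in (
        rb"\byou are an? \w+",                               # persona framing
        rb"\bact as\b",
        rb"\bignore (?:all )?previous instructions\b",
        rb"\brespond (?:only )?(?:with|in) \w+",
        rb"\"role\"\s*:\s*\"(?:system|user|assistant)\"",     # chat message objects
        rb"\"messages\"\s*:",
        rb"/v1/chat/completions",                            # API endpoint paths
        rb"/v1/messages",
    )
]

# Constructed sample "binary": an ELF-ish header, a bearer token, an embedded
# chat request, an endpoint URL and some filler. FAKE_KEY is invented.
FAKE_KEY = "sk-" + "CoNsTrUcTeDkEy" * 4
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
    + b"Authorization: Bearer " + FAKE_KEY.encode() + b"\x00"
    + b'{"model":"gpt-4o","messages":[{"role":"system",'
    + b'"content":"You are a helpful assistant. Respond only with JSON."}]}\x00'
    + b"https://api.openai.com/v1/chat/completions\x00"
    + b"\x90" * 8
)
BENIGN_BINARY = b"\x7fELF\x02\x01\x01\x00" + b"Hello, world! This is an ordinary program.\x00"


def extract_strings(blob: bytes, min_len: int = 8) -> List[bytes]:
    """Pull printable ASCII runs out of a binary, like the `strings` utility."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_api_keys(blob: bytes) -> List[Tuple[str, str]]:
    """Return (pattern_name, key) for every provider-shaped key in the blob."""
    hits = []
    for name, pat in API_KEY_PATTERNS.items():
        for m in pat.finditer(blob):
            hits.append((name, m.group(0).decode("ascii")))
    return hits


def find_prompt_markers(blob: bytes) -> List[str]:
    """Return each extracted string that looks like prompt or chat-request structure."""
    found = []
    for s in extract_strings(blob):
        if any(pat.search(s) for pat in PROMPT_REGEXES):
            found.append(s.decode("ascii"))
    return found


def triage(blob: bytes) -> Dict[str, object]:
    """Combine both signals. Verdict rule is an assumption: key + prompt structure is
    the strong signal; either alone is only a lead worth a closer look."""
    keys = find_api_keys(blob)
    prompts = find_prompt_markers(blob)
    if keys and prompts:
        verdict = "likely LLM-enabled"
    elif keys or prompts:
        verdict = "review"
    else:
        verdict = "no LLM artifacts"
    return {"api_keys": keys, "prompt_strings": prompts, "verdict": verdict}


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_BINARY), ("benign", BENIGN_BINARY)):
        print(label, triage(blob))
```

Both signals are cheap to run at scale, which is the point the talk makes: they are static string artifacts, so the runtime-generated code never needs to be seen for the sample to be caught. A key-only hit is also worth routing to the provider for revocation, since a leaked key in a sample is a live credential until it is rotated.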

About the Authors

Alex Delamotte is a Senior Threat Researcher at SentinelOne. Over the past decade, Alex has worked with blue, purple, and red teams serving companies in the technology, financial, pharmaceuticals, and telecom sectors and she has shared research with several ISACs. Alex enjoys researching the intersection of cybercrime and state-sponsored activity.

Gabriel Bernadett-Shapiro is a Distinguished AI Research Scientist at SentinelOne, specializing in incorporating large language model (LLM) capabilities for security applications. He also serves as an Adjunct Lecturer at the Johns Hopkins SAIS Alperovitch Institute. Before joining SentinelOne, Gabriel helped launch OpenAI’s inaugural cyber capability-evaluation initiative and served as a senior analyst within Apple Information Security’s Threat Intelligence team.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon25 Replay | Auto-Poking The Bear: Analytical Tradecraft In The AI Age

9 October 2025, 10:00

In this LABScon25 talk, Dreadnode’s Martin Wendiggensen and Brad Palm explore how AI is changing Cyber Threat Intelligence and the research practices that support it.

Analytical tradecraft and shared standards have transformed Cyber Threat Intelligence from a niche discipline into a collaborative industry-wide research endeavor. Researchers and analysts now routinely build on each other’s work, creating a foundation of trust and shared methodology.

That ecosystem is being disrupted as teams increasingly hand off data preparation, analysis, and entire workflows to AI assistants. These tools boost productivity, but they introduce new costs. You might have confidence in your own AI-assisted process, but how much can you rely on another researcher’s prompts or agentic workflow?

Given concerns over reliability and transparency, the CTI community will need to adapt its research methodology and develop a new joint understanding of the promises, pitfalls, and probabilities inherent in AI-assisted work.

Wendiggensen and Palm present a case study to illustrate their approach. They created an LLM-driven agentic system to analyze Russian internet content leaked by Ukrainian cyber activists. The speakers detail the system’s architecture and show how it performs across tasks from straightforward data collation to complex analytical pipelines used to track adversaries. They then explain how to assess the technology’s strengths and limits and, crucially, how to communicate those judgments to peers and wider audiences to preserve both accountability and transparency.

This engaging talk lays the groundwork for discussions not only in threat intelligence but in any collaborative discipline seeking to navigate the challenges of integrating agentic systems into their data analysis and decision-making pipelines.

About the Authors

Martin Wendiggensen is an AI Research Scientist at Dreadnode and PhD candidate at Johns Hopkins AIST. His research focuses on how AI is shifting the Cybersecurity Offensive-Defensive Balance.

Brad Palm is the COO at Dreadnode. Previously, he was a VP of Services and Technology for Pathfynder and the Managing Director of Software at Ascent, where he focused on SOC automation and the integration of CTI in the delivery of managed services.

About LABScon

This presentation was featured live at LABScon 2025, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon here.

LABScon24 Replay | A Walking Red Flag (With Yellow Stars)

31 March 2025, 10:00

APT40 used CTFs at Hainan University to recruit hackers and source software vulnerabilities for operations. Jiangsu MSS received vulnerabilities from the Tianfu Cup. iSoon hosted their own CTF before their files were leaked on GitHub. Chinese intelligence cutouts tried to pitch US participants at RealWorldCTF. The list goes on.

A diverse ecosystem of CTFs exists in China and it has, until now, been largely ignored. Since 2017 when the PRC government issued rules to bolster cybersecurity competitions, incorporate them into talent cultivation and training programs, and limit the amount of money to be paid out in rewards, China’s security ecosystem has launched more than 150 unique competitions. Including competitions that are held annually, the number of events since 2017 exceeds 400.

Not all these competitions are software vulnerability competitions like Tianfu Cup—in fact, few are. Most are aimed at talent cultivation and recruiting, and many are hosted by the military, the intelligence services, or other arms of the state.

This talk explores the diversity of China’s CTF ecosystem, its major leagues and events, and the annual number of participants across society. It highlights competitions held expressly by the Ministry of State Security and the PLA—delving into the competitions’ particulars. Defenders with appropriate CTI collection capabilities will better understand how to target their collection efforts on specific individuals in China.

About the Authors

Dakota Cary is a strategic advisory consultant at SentinelOne. His reports examine artificial intelligence and cybersecurity research at Chinese universities, the People’s Liberation Army’s efforts to automate software vulnerability discovery, and new policies to improve China’s cybersecurity-talent pipeline. Prior to SentinelOne, he was a research analyst at Georgetown University’s Center for Security and Emerging Technology on the CyberAI Project.

Eugenio Benincasa is a Senior Cyberdefense Researcher at the Center for Security Studies (CSS) at ETH Zurich. Prior to joining CSS, Eugenio worked as a Threat Analyst at the Italian Presidency of the Council of Ministers in Rome and as a Research Fellow at the think tank Pacific Forum in Honolulu, where he focused on cybersecurity issues. He also worked as a Crime Analyst at the New York City Police Department (NYPD).

About LABScon

This presentation was featured live at LABScon 2024, an immersive 3-day conference bringing together the world’s top cybersecurity minds, hosted by SentinelOne’s research arm, SentinelLABS.

Keep up with all the latest on LABScon 2025 here.

LABScon24 Replay | Kryptina RaaS: From Unsellable Cast-off to Enterprise Ransomware

26 March 2025, 10:00

Kryptina RaaS is a Linux-focused RaaS platform & service that started life as an unsellable giveaway. However, large-scale ransomware operations are now adopting the platform to extend their reach into Linux and cloud environments.

In this talk, Jim Walter reveals how a recent leak from a Mallox ransomware-affiliated actor’s staging server provided insight into how Kryptina has been adapted for use in enterprise attacks.

The presentation focuses on recent developments and provides an understanding of why threat actors are attracted to the Kryptina platform, and what this means in the context of victims and targeting.

Jim also dissects the contents of the May 2024 Mallox leak and the improvements and modifications that threat actors have made to the Kryptina platform.

About the Author

Jim Walter is a Senior Threat Researcher at SentinelOne focusing on evolving trends, actors, and tactics within the thriving ecosystem of cybercrime and crimeware. He specializes in the discovery and analysis of emerging cybercrime “services” and evolving communication channels leveraged by mid-level criminal organizations.



LABScon24 Replay | Resilience and Protection in the Windows Ecosystem

12 March 2025, 10:00

In this exclusive interview at LABScon 2024, award-winning investigative journalist Kim Zetter and Microsoft Corporate VP Enterprise and OS Security David Weston discuss Microsoft kernel security, the CrowdStrike outage, AI, and how Microsoft plans to improve the resilience and security of the Windows ecosystem.

As the world’s data has increasingly become associated with Microsoft infrastructure and exposed to Microsoft products, threat actors have focused their efforts on exploiting security weaknesses in the vendor’s operating system. Weston and Zetter explore how this has led Microsoft to raise the priority of security at the engineering level, even at the expense of curtailing operating system features.

In addition, the conversation ranges over how the CrowdStrike outage of 2024 led Microsoft to a new focus on resilience and to the development of a user-mode API that restricts third-party products' access to the kernel. Weston also discusses the need for security vendors to implement secure deployment practices to better protect customers from rogue updates, and tackles questions around the use of AI and the controversial Windows Recall feature.

About the Authors

David Weston is Corporate Vice President, Enterprise and OS Security at Microsoft where he is responsible for the security engineering of Windows, Azure Linux, XBOX, Windows Server, the Azure OS as well as the Offensive Security Research & Engineering Team.

Kim Zetter is an award-winning investigative journalist who has covered cybersecurity and national security for more than a decade, most notably for WIRED, where she wrote for thirteen years, and more recently for the New York Times Magazine, Politico, Washington Post, Motherboard, and Yahoo News. She has been voted one of the top ten security journalists in the country by security professionals and her journalism peers.



LABScon24 Replay | Farmyard Gossip: The Foreign Footprint in US Agriculture

5 March 2025, 11:00

Who really owns America’s farmland, and why does it matter? In this deep dive into the secretive world of foreign investment in U.S. agricultural land, Kristin Del Rosso and Madeleine Devost explore the growing trend of foreign ownership, which has surged by 50% since 2017, and its profound implications for national security. Using the USDA’s data, the presenters shed light on how these investments could potentially impact everything from local economies to national defense.

The talk dives into the complexities of the USDA’s data collection methods, revealing how manual processes and outdated systems obscure the true extent of foreign ownership. It also discusses the critical role of the Committee on Foreign Investment in the United States (CFIUS) in safeguarding national interests, and the urgent need for improved data sharing and automation between CFIUS and the USDA.

Through real-life examples, including controversial land purchases near sensitive military sites, Kristin and Madeleine illustrate the potential risks and propose actionable recommendations to enhance transparency and security.

About the Authors

Kristin Del Rosso is co-founder and managing director of DevSec, a research firm that provides advanced analytics blended with cyber investigation techniques to support analytics, investigations, and intelligence enrichment in novel ways. Prior to DevSec, she worked as the Public Sector Field CTO at Sophos, and has a background in security product management, threat intelligence, and reverse engineering.

Madeleine Devost is an intelligence analyst at Nisos focusing on open-source investigations. Prior to Nisos, she worked as a threat intelligence and investigations consultant for a number of firms including Excivity, RiskIQ and Microsoft.


LABScon24 Replay | Follow the Money: Uncovering the Incorporation and the CCP’s Ownership of Chinese Firms Investing in the USA

30 January 2025, 11:00

Chinese foreign direct investment should trigger American national security concerns, but much of it doesn’t. In this ‘behind closed doors’ talk at LABScon 24, Elly Rostoum reveals why and what can be done to improve our understanding of the influence of Chinese FDI.

Chinese foreign direct investment (FDI) enabled the technology revolution in China and set China as a strategic competitor to the United States. It opened new global markets, redrew trade routes, tapped into intellectual property, allowed for opportunities in industrial espionage, reshaped supply chains, and allowed for technological breakthroughs in genomics, quantum computing, artificial intelligence, and other critical and emerging technologies that are quite simply re-imagining the world.

But who exactly owns the Chinese firms undertaking this FDI?

The research presented by Elly Rostoum in this LABScon 2024 keynote address tracks the incorporation structures and ownership of the 672 Chinese firms undertaking FDI globally.

Taking the audience on a journey from how Chinese FDI triggers – and sometimes fails to trigger – American national security concerns to the complex ownership structure of Chinese businesses operating within the U.S., Elly Rostoum reveals how the Chinese government has been able to evade American national security reviews by instrumentalizing investment through 3rd & 4th+ level subsidiaries, private equity, and holding companies.

While much policy and attention has been focused on the investments of Chinese state-owned enterprises, Elly Rostoum argues that the real threat is “within” and buried in the details: seemingly “American” businesses that are ultimately owned by Chinese investment companies.

About the Author

Elly Rostoum is a former U.S. Intelligence Analyst and National Security Council staffer at the White House. She is the Managing Director of the Alperovitch Institute for Cybersecurity Studies at Johns Hopkins University, where she teaches courses on national security vulnerabilities of critical and emerging technologies, intelligence, public policy, strategic studies, and energy markets; with a regional expertise covering China and the Middle East.



LABScon24 Replay | The Real AI Race: Disinformation in the Taiwanese Election

9 January 2025, 11:00

AI disinformation, deep fakes, armies of lying bots, and automated deception are the biggest threat to our elections, or so we’ve been told. But looking at Taiwan’s 2024 election, none of these nightmare scenarios materialized. The deafening silence of effective AI disinformation from China, America’s most advanced opponent, was surprising, even more so given the focus on the election at the highest levels of the Chinese government.

In this highly engaging talk, Martin Wendiggensen details how he set out to study the election and collected tens of thousands of hours of footage from YouTube and television as well as hundreds of thousands of news articles, blog posts, and social media posts. This collection was then analyzed with a multi-modal AI pipeline. The results indicated that the small amount of AI-generated content received no engagement and had no impact.

Instead, Taiwanese billionaires who earn most of their money in China mounted a concerted effort to buy or set up local news outlets in Taiwan in the run-up to the election. A large-scale analysis of these outlets’ output uncovered interesting results: with viewership numbering in the millions, they presented slanted narratives aligned with the Beijing-friendly KMT and a newly emergent third party. While losing the presidential election, these two parties managed to wrest control of Taiwan’s parliament and are set to have a major impact on the country’s foreign and domestic policies.

This presentation guides the audience through Chinese and local disinformation efforts in the Taiwanese election, highlighting the main lessons that can be drawn from them to safeguard future elections. Along the way, Martin explains the research methodology and toolbox that leverages open-source AI to fight disinformation.

About the Author

Martin Wendiggensen is a PhD candidate and lecturer at the Alperovitch Institute, focusing on Great Power Competition in Cyberspace, especially competition around AI and state-sponsored information operations. He has conducted research at NATO as well as the University of Mannheim, and applied his knowledge in Artificial Intelligence at his own small startup, which won contracts to monitor electoral environments. Currently, he is conducting research on AI-generated content using Advanced Research Computing at Johns Hopkins SAIS.



LABScon24 Replay | The Ransomware Trust Paradox

19 December 2024, 11:00

In his Keynote talk at LABScon 24, Max Smeets explores how ransomware operators build a unique relationship between themselves and their victims. In contrast to most other threat actors, ransomware operators rely on and leverage public visibility into their activities. Unlike APTs and other threat actors that prize stealth, ransomware gangs seek to publicize their attacks in order to convince future victims that they are trustworthy enough to deliver on their promises – providing a decryptor and deleting stolen data – if paid.

In ‘The Ransomware Trust Paradox’, Max observes that this notion of trust is not only a prerequisite for ransomware gangs’ profitability but also relies on media and security vendor reporting. Detailing the mechanisms by which ransomware operators establish trust, build brand awareness, and foster a reputation for reliability, this talk is essential viewing for anyone reporting on crimeware activities.

Max calls for the establishment of a reporting code of ethics for threat intelligence and the media, and a shift in policy to undermine the trust dynamics between threat actors and their victims.

About the Author

Max Smeets is the author of Ransom War: How Cyber Crime Became a Threat to National Security and No Shortcuts: Why States Struggle to Develop a Military Cyber Force. Max is Co-director of Virtual Routes and Senior Researcher at ETH Zurich.



LABScon24 Replay | Let Them Eat Cake: “Secure by Upgrade” Software is a National Security Threat

18 December 2024, 11:49

Ransomware is doing more to change the security landscape than the last 20 years of Secure Development Lifecycle, DevSecOps, zero days, breaches, or any corporate memo. Pair this with predatory pricing models from software vendors that sell security features as add-on products in premium or enterprise-tier licenses, and you’ve got a perfect storm that hits small and medium-sized businesses (SMBs) the hardest.

In this hard-hitting talk, Kymberlee Price reveals the technical chaos facing the US’s largest employment sector: SMBs. With restricted budgets, a lack of expertise, no access to consumer reports by which to clearly compare products, and a SaaS industry that makes basic security features like SSO a premium add-on, many businesses remain easy pickings for threat actors in a rapidly expanding crimeware landscape.

Why should we care about this, is it really a national threat, and what can a bunch of security engineers do about it?

About the Author

Kymberlee Price is a dynamic engineering leader and public speaker known for developing high-performing multidisciplinary teams responsible for the security and integrity of software products, services, and infrastructure. A recognized expert in the information security industry, she has extensive experience in product security incident response and investigations, coordinated vulnerability disclosure and bug bounties, Secure Development Lifecycle (SDL), and Open Source Security strategy. Kymberlee speaks regularly at conferences around the world and is currently on the content review board for Black Hat USA and LocoMocoSec.

