The Year Tech Security Actually Broke

We’re not in a security crisis anymore. We’re past that. Crisis implies things could still go back to normal. What’s happening now is just the steady state of getting hacked.

In the last few weeks, the evidence piled up like a server room fire: Russian military hackers have compromised thousands of consumer routers. New attacks can seize complete control of machines running Nvidia GPUs. Iran-linked groups disrupted US critical infrastructure. A vulnerability called OpenClaw gave hackers yet another reason to panic. Sweden’s blaming Russian actors for attempting destructive cyberattacks on thermal plants. This isn’t scattered incidents. It’s a coordinated revelation that our digital infrastructure is Swiss cheese.

What gets me is the quiet part nobody’s discussing: most companies have already given up on preventing breaches. They’re now just trying to survive them.

A sleek smartphone with modern smart home devices on a minimalist gray background. Photo by Jakub Zerdzicki / Pexels

The GPU Grab Nobody Saw Coming

Here’s the one that should’ve been front-page everywhere: Rowhammer attacks now give attackers complete control of machines running Nvidia GPUs. For those who don’t track this stuff closely, Rowhammer is an old exploit—researchers found it back in 2014. It works by deliberately triggering bit flips in DRAM through repeated memory access. You basically hammer the same memory location over and over until a bit flips and corrupts the system.

Until now, it was mostly theoretical for GPUs. Now it works. That’s bad in a way that’s hard to overstate.

Why? Because GPUs are everywhere now. Data centers use them for AI training. Financial institutions use them for modeling. Research labs use them for simulation. And suddenly, the physical properties of RAM itself are a valid attack vector on machines you thought were secure. You can’t patch your way out of this. You can’t update firmware. The vulnerability sits at the hardware level, in the physics of how memory cells decay.

I’ve covered tech security for twelve years, and I remember when people actually believed encryption would save us. That was cute. Now we’re discovering that the actual silicon running the encryption can be flipped bit-by-bit into submission.

The real question: how many organizations know they’ve been compromised this way? The answer is probably “fewer than should be panicking.”

Close-up of hands holding a smartphone displaying 'Announcing Grok 3' on a dark background. Photo by UMA media / Pexels

When Thousands of Routers Become Weapons

Russia’s military has hacked thousands of consumer routers. Not fancy enterprise firewalls. Just regular boxes sitting in people’s homes and small businesses. The kind you buy at Best Buy and forget about for five years.

This is old doctrine applied at scale. You don’t need to break into the Pentagon when you can compromise the infrastructure underneath it. A hacked home router becomes an entry point to a small business network. A small business network becomes a pivot point to a larger network. A larger network becomes access to something that matters.

The calculus here is brutal: consumer routers have terrible security because there’s no incentive to fix them. Manufacturers push out a device, it works for a few months, and they move on. Patches come late or not at all. Users don’t update because updates are scary and inconvenient. So you’ve got millions of unpatched, unmaintained devices sitting at the edge of every network in the country.

For an attacker, it’s like finding a parking lot full of cars with the keys in the ignition.

The Supply Chain Is Already Compromised

Sweden reported Russian hackers attempting destructive attacks on thermal plants. Iran-linked groups disrupted US critical infrastructure operations. These aren’t probes anymore. They’re active, ongoing campaigns against systems we depend on.

What kills me is that we knew this was coming. We’ve known it for years. But knowing something and doing something are different activities. Most critical infrastructure runs on systems that are fifteen years old, patched sporadically, and managed by people who are overworked and underpaid. There’s no budget for ripping out legacy systems. There’s only budget for band-aids.

Here’s my honest take: I think we’re going to see a major outage in the next eighteen months that’ll be traced back to a successful cyberattack on infrastructure. Not a small one. Something that actually disrupts power or water or communications across a region. And when it happens, we’ll all act surprised, even though the warning signs are already here.

How Companies Are Responding: With Lawsuits

Meanwhile, Motorola is suing dozens of content creators and social media platforms over posts it says are defamatory. This is fascinating not because it’ll work—it probably won’t—but because it shows how companies respond when they can’t control the narrative. You can’t sue your way out of being hacked. You can’t litigate a zero-day vulnerability.

But you can try to suppress the conversation. You can make it expensive for people to talk about your failures. Whether that’s the intent here or not, that’s what happens.

The Layoffs Nobody’s Connecting

Snap is cutting 16% of its workforce. The company cites AI advancements as the reason. This is corporate speak for “we built an AI that can do some of what our humans were doing, and we’re going to pocket the delta instead of reinvesting it.” But here’s what I’m watching: as companies cut security and infrastructure teams to fund AI initiatives, they’re actually increasing risk.

You can’t automate your way out of Rowhammer attacks. You can’t use a chatbot to manage zero-day patches. Cutting 1,000 people and claiming AI efficiency sounds good in an earnings call. It’s actually a calculation that security is expensive and therefore optional.

The One Bright Spot (And It’s Weird)

Allbirds, the shoe company, is pivoting to AI servers after selling off its shoe business. They’re rebranding as NewBird AI with $50M in funding. This is either the best or worst decision in recent tech history, and I genuinely can’t tell which yet. But at least someone’s trying something different. At least they’re not just doing layoffs and calling it innovation.

Airwallex, valued at $8 billion, is launching a physical point-of-sale product to compete with Stripe. This one’s straightforward: payments infrastructure is still fragmented, and someone with capital can win by solving actual problems. No AI required. Just good engineering.

Meanwhile, VMware customers are voting with their feet, migrating away in thousands because of “negative” views of Broadcom. This is healthy. It’s the one sign that competition still functions.

Glowing digital globe display at night in Dubai Expo, showcasing illuminated continents. Photo by Denys Gromov / Pexels

What This Actually Means

The security apparatus we built in the 2010s is broken. Not bent. Broken. Routers are compromised. GPUs are compromised. Infrastructure is compromised. And our response is to sue people on the internet, cut security teams, and hope AI fixes it.

I think we’re going to see a bifurcation: organizations that take security seriously will survive and thrive. Everyone else will get hacked repeatedly and keep acting shocked about it. The worst part is that “taking security seriously” now means spending more money than most businesses can justify, maintaining legacy systems longer than they should, and accepting that you’ll probably still get breached—you’re just hoping to catch it before catastrophe.

The year isn’t going to get safer. The vulnerabilities we’re discovering now have been there for years. They’re just finally being weaponized at scale.

What I’m Watching

GPU Rowhammer exploitation timeline: Track whether vendors release microcode patches and how long actual deployments take to apply them. If we hit Q3 2025 and most data centers still haven’t patched, we’ll know mitigation failed.
Critical infrastructure outage attribution: The next time power or water goes down in a major region, watch whether the attack is attributed to hostile nation-states and whether the response is anything other than “we’re investigating.” This will tell us if consequences actually exist.
VMware migration velocity: Broadcom’s customer defection is the only metric showing real market discipline. If migration slows down, it means customers gave up fighting back. If it accelerates, it means the pain is actually exceeding switching costs—that’s your early warning signal.
Security team hiring vs. AI team hiring: Watch job postings at major tech companies through Q2. If security hiring flatlines while ML hiring soars, we’ve officially decided vulnerabilities are acceptable losses. That’s the moment things get serious.