Self‑attention sits at the heart of Transformers: for every token in a sequence, the model looks at every other token and decides how much to “attend” to it. That sounds elegant, but it causes three big issues:

Quadratic cost

For a sequence of length L, attention builds an L×L matrix that compares every pair of positions.

• Memory and computation grow like L².

• Very long inputs (long documents, code bases, videos) become expensive to process.

Huge hidden complexity

Attention is not just one matrix; it is:

• Many heads per layer

• Many layers per model
  So across the network, you get a massive “cloud” of attention tensors that is hard to summarize or reason about.

Poor interpretability

Visualizing one attention map is easy. Understanding all heads across all layers in a single coherent story is almost impossible. The paper behind Grassmann Flows argues this tensor lifting into huge high‑dimensional spaces is a major reason large Transformers feel opaque.​

So the key question becomes: do we really need attention, or do we just need some powerful way for token representations to evolve and interact over the sequence?

Core idea: geometry instead of attention

Grassmann Flows answer that question with: “you don’t need attention, you need a good geometric evolution of the hidden states.”​

At a high level, the model:

1. Works on a sequence of hidden vectors (like a Transformer).

2. Does not build an L×L attention matrix.

3. Instead, it:

   • Compresses token vectors into a smaller space.

   • Looks at local pairs of tokens.

   • Treats each pair as a 2‑dimensional subspace of that smaller space.

   • Represents that subspace using a special geometric encoding (Plücker coordinates).

   • Feeds this geometric information back into the token states with a mixing block.​

Because it works on local windows and reduced dimensions, the overall cost scales linearly with sequence length (for fixed window and reduced dimension), rather than quadratically like standard attention.

A gentle intro to Grassmann manifolds

To understand the name Grassmann Flows, we only need one basic idea: the model manipulates subspaces, not just vectors.

• A subspace is like a “flat slice” through a vector space. For example, a 2‑D plane inside 3‑D space.

• A Grassmann manifold Gr(k,r) is the set of all k‑dimensional subspaces in an r‑dimensional space.​

  • Example: Gr(2,3) is “all 2‑D planes through the origin in 3‑D space.”

In Grassmann Flows:

• For each local pair of token vectors (after reduction), the model thinks:
  “These two vectors span a 2‑D subspace in an r‑dimensional space.”

• That subspace is a point on the Grassmann manifold Gr(2,r).​

To work with these subspaces inside a neural net, the model uses Plücker coordinates:

• Given two vectors that span a plane, Plücker coordinates encode that plane as a point in a higher‑dimensional space in a way that respects its geometric structure.​

• This gives a fixed‑size vector representation of the “relationship” between two tokens, not just the tokens themselves.

So instead of learning a big attention score between each pair, the model learns to use geometric features derived from the subspace spanned by the pair.

How the Causal Grassmann layer works (in plain steps)

The proposed architecture follows a Transformer‑like encoder but replaces each self‑attention block with a Causal Grassmann mixing block. The block has three main stages:​

1. Reduce token states

   • Each token’s hidden vector (dimension d) is linearly projected to a smaller space of dimension r.​

   • This is like compressing information to a more compact representation so later operations are cheaper.

2. Build local subspaces (Grassmann part)

   • Take local pairs of tokens (for example, within a sliding window, and respecting causality so you do not peek into the future).​

   • For each pair:

     • Treat the two reduced vectors as spanning a 2‑D subspace in R^r.

     • Represent that subspace as Plücker coordinates, giving a vector in R^(r2).​

   • These coordinates describe geometric relationships like “orientation” and “volume” of the span, capturing richer pairwise structure than a scalar attention score.

3. Mix geometric features back

   • These Plücker vectors then go through a gated mixing block and a feed‑forward network.

   • Their outputs are fused back into the original token hidden states (in the large dimension d), similar in spirit to how attention outputs are added back in Transformers.​

Important aspects:

• Causal: The layer is designed so each position only depends on current and past tokens, supporting autoregressive tasks.​

• Attention‑free: At no point is an attention matrix formed or softmaxed.​

• Linear complexity: For fixed reduced dimension and local window size, the cost grows linearly with sequence length L.​

Why this might be more interpretable

The paper stress that their goal is not to kill attention, but to “de‑center” it. They argue that attention’s “tensor lifting” puts the model’s core behavior into an enormous high‑dimensional tensor space with no clean global invariants you can inspect.​

Grassmann Flows attempt to fix this by:

• Keeping the core evolution on a finite‑dimensional manifold (the Grassmann manifold) with clear geometric meaning.​

• Working with Plücker coordinates, which are mathematically structured features of subspaces, not arbitrary parameters.​

• Making it easier (in principle) to study invariants and patterns of how representations move along this manifold across layers.

This does not magically make everything interpretable, but it gives a cleaner mathematical object to analyze than a huge stack of attention maps.

How well does it work?

The paper and associated discussions report several encouraging results when comparing Grassmann Flows to Transformer baselines of similar size:​​

• On Wikitext‑2 (a language modeling benchmark), the attention‑free Causal Grassmann architecture is competitive with Transformers at 13–18M parameters.

• When plugged into a DistilBERT backbone as a classification head, Grassmann mixing slightly outperforms a Transformer‑based head on SNLI (a natural language inference task).

• The architecture has linear asymptotic complexity in sequence length for fixed reduced dimension and window size, making it attractive for longer sequences.​

These are early‑stage results on modest scales, but they show that explicit self‑attention is not strictly necessary for good sequence modeling performance.

Relation to other “attention alternatives”

Grassmann Flows are part of a larger trend trying to move beyond vanilla softmax attention for efficiency and scalability:

• Linear attention
  Many works approximate attention to get linear complexity, often by clever kernel tricks or reformulating attention as recurrent updates.​

• State Space Models (SSMs) / Mamba‑style models
  These treat sequences as signals evolving in continuous time, using state‑space equations inspired by control theory to handle very long dependencies efficiently.​

Grassmann Flows are different because they:

• Focus explicitly on geometric structure (Grassmann manifolds, Plücker coordinates) rather than just algebraic tricks.

• Provide a concrete example of a geometrically motivated sequence model that competes with Transformers without using attention at all.​

So the big message is: attention is powerful, but not uniquely necessary; other mathematically grounded mechanisms can also drive strong sequence models.

What this means for the future

From a high‑level perspective, Grassmann Flows support three important ideas for future AI systems:

• Attention is a tool, not a requirement
  The key is to have a rich way for token representations to interact over the sequence. Attention is one such mechanism; geometric flows on manifolds are another.​

• Geometry can guide architecture design
  Instead of building models purely by intuition and trial‑and‑error, one can start from a well‑understood mathematical object (like a manifold) and design layers around its structure.​

• Better scalability and interpretability are possible together
  By avoiding quadratic attention and using structured geometric features, Grassmann Flows aim to be both more scalable and easier to analyze than giant attention stacks.

References:

• Paper

• Watch

How one infected page breached Google

The story begins with a Google employee using an old Windows XP machine and Internet Explorer 6 for compatibility testing. An email or IM link led them to a malicious website that silently exploited a zero‑day vulnerability in Internet Explorer, installing a trojan known as Hydraq.

• Hydraq downloaded and launched a backdoor DLL, then wiped its own traces so normal monitoring would not notice.

• From that point on, the compromised machine kept a constant connection to a command‑and‑control server, ready to execute attacker commands, exfiltrate data, and move laterally.

• The attackers then used the victim’s MSN chat account to send more malicious links to colleagues, quickly spreading deeper into Google’s internal network.

Crucially, no amount of “good hygiene” could have fully stopped this first wave – these were genuine zero‑day exploits in mainstream products like Internet Explorer and Adobe’s Flash‑integrated PDF stack.

Zero‑days, Hydraq, and NAID: cyber “nukes”

Hydraq became the public face of Operation Aurora, but it was only part of a tailored toolkit. Security researchers later discovered:

• Hydraq actually came in two parts: one trojan to get in, one backdoor to persist.

• Development traces suggest work on Hydraq began around 2006 – years before the first detected attacks – highlighting long‑term planning.

• A second, more secret backdoor called NAID was reserved for “high value” victims, using a custom communications protocol and stolen digital certificates to blend in as legitimate software.

Zero‑day vulnerabilities – previously unknown, unpatched flaws – are often compared to nuclear weapons in cyberspace: rare, expensive, and usually reserved for state‑level actors. Aurora’s operators didn’t just use one zero‑day; over time they were linked to multiple unique exploits across Internet Explorer and Adobe products.

What the attackers really wanted

The target list reads like a who’s who of global industry: Google, Adobe, Intel, Yahoo, defense contractors like Northrop Grumman, and energy giants such as ExxonMobil and Dow Chemical. Investigations converged on several core objectives.

• Source code theft:

  • Attackers focused on software configuration management systems like Perforce, where entire codebases were accessible to many employees by design.

  • By compromising just a few lower‑privilege accounts, they could access the “crown jewels” – internal source code – across multiple companies.

  • The same group later turned up using a disproportionately high number of zero‑days, suggesting they mined stolen code to find fresh vulnerabilities systematically.

• Strategic intellectual property:

  • Targets like ExxonMobil and Dow Chemical held proprietary technology, processes, and market data invaluable to a rapidly industrializing economy.

  • Gaining access meant accelerating domestic innovation without bearing the full cost of R&D.

• Human and political targets:

  • Attempted access to Gmail accounts linked to dissidents such as artist and activist Ai Weiwei showed clear interest in surveillance of regime critics.

  • Reports suggest the attackers probed whether US tech firms had received lawful intercept orders related to suspected Chinese spies, and even explored tampering with those wiretapping systems.

This was not random vandalism; it was a broad, coordinated intelligence operation across technology, industry, and human networks.

China’s cyberpunk doctrine and “Shi”

To understand Aurora’s logic, it helps to see it through the language of Chinese information‑warfare theory.

• Chinese military and policy thinkers in the 1990s and 2000s wrote extensively about using information warfare to offset US “hegemony.”

• A key concept is Shi – strategic advantage gained by knowing the battlefield better than the opponent, ideally to such a degree that victory comes without open conflict.

• Those writings extended the idea of “battlefield” from military spaces to everything: politics, economics, culture, and technology. Everyone is a potential adversary, every domain a potential front.

Seen through that lens, global corporations are not neutral businesses but critical terrain: they hold data, code, customers, and leverage. Breaching them becomes a way to accumulate Shi – knowledge and positioning – in a world framed as permanent, total competition.

Tracing Aurora back to China

Attribution in cyberspace is notoriously tricky, but Aurora left behind an unusual number of fingerprints. Individually, each is arguable; collectively, they are hard to dismiss.

Key indicators included:

• Code‑level artifacts:

  • Hydraq contained a specific cyclic redundancy check implementation that was obscure globally but relatively common in Chinese software.

  • Build paths in the malware revealed a folder named “Aurora Source,” a rare glimpse into how the attackers themselves labeled the operation.

• Infrastructure geography:

  • Early command‑and‑control traffic clustered inside China before steadily reaching Taiwan, the US, and Google HQ in California.

  • US government analysis later tied parts of the infrastructure to Chinese institutions like Shanghai Jiaotong University and Lanxiang Vocational School, both known for producing military‑aligned talent.

• Targeting and intent:

  • Focus on Chinese dissidents’ Gmail, interest in wiretap orders against suspected Chinese spies, and systematic theft of strategically useful IP all tightly matched Beijing’s geopolitical priorities.

Over subsequent years, follow‑on operations that reused tooling and infrastructure from Aurora were linked directly to units under the People’s Liberation Army, reinforcing the original attribution.

Google’s breaking point and a new kind of Cold War

Google’s response made Aurora a global story.

In early 2010, the company published a blog post describing:

• The discovery of a sophisticated, multi‑company intrusion campaign.

• Evidence of targeting Chinese human‑rights activists’ accounts.

• A decision to stop censoring search results in China and begin negotiating an exit from the mainland market.

This was not a quiet incident report; it was a public geopolitical statement from one of the world’s largest tech firms. It framed Aurora not just as a security story, but as a symbol of an emerging conflict where code becomes a primary instrument of state power.

Security analyst Dmitri Alperovitch, who helped analyze Hydraq, named the campaign “Operation Aurora” and later argued that it marked the beginning of a new kind of Cold War between China and the West – a conflict whose frontline runs through data centers, developer tools, and cloud platforms instead of tanks and missiles.

From cyberpunk fantasy to national doctrine

Aurora feels strangely true to the original cyberpunk fiction it echoes: misfits turning technology against powerful institutions. The twist is that in this story, the “punks” are not lone hackers but a rising state using punk tactics to challenge an established global order.

• China’s leadership once saw the country as an underdog constrained by Western rules and dominance; information warfare offered a way to bend those rules.

• Attacks like Aurora, followed by campaigns like Night Dragon and Shady RAT, became stepping stones in building a mature, aggressive cyber apparatus that now routinely targets critical infrastructure worldwide.

• What was once subculture aesthetics – neon skylines, dense networks, omnipresent surveillance – is now part of the lived reality of major Chinese cities and the digital systems that surround them.

In that sense, Operation Aurora sits at a turning point: a moment when cyberpunk stopped being just a genre and started to look a lot like state doctrine.

Why Aurora still matters in 2025 and beyond

Fifteen years later, Operation Aurora is not just an old case study – it is a template.

• It showed that zero‑day‑powered espionage against private companies is both feasible and strategically valuable.

• It demonstrated how deeply national security now depends on corporate security, from SCM permissions to how logs are analyzed.

• It normalized the idea that nations will quietly live inside each other’s networks for years, treating codebases, emails, and internal tools as contested terrain.

As critical infrastructure becomes more connected and AI systems increasingly sit on top of proprietary code and data, the logic behind Aurora only grows stronger: whoever owns, understands, or quietly copies the software that runs the world gains a decisive edge.

The unsettling lesson of Operation Aurora is simple: in a world where everything is code, the first shot in a new Cold War might be nothing more than a link, a browser, and a single unremarkable click.

A Guard at the White House

Picture this: you’re a security guard at the White House, diligently monitoring security camera feeds. Yet, you’re not just any guard — you are under continuous watch by superiors, as part of a complex security apparatus protecting the President. The entire system is designed to be watertight and foolproof. But what if someone was watching the guards? What if someone had slipped past all the protections, quietly opening a backdoor into the network itself?

This backdoor was real. It gave attackers unrestricted access to the White House network monitoring system for months, enabling them to see everything they wished — unnoticed.

The Breach Beyond the White House

The horrifying reality was that the White House was just one of many victims. This backdoor affected every branch of the US government, the military, and thousands of major companies worldwide. The common factor? SolarWinds software. This attack, now known as one of the most notorious cyber espionage events ever, showed how deeply intertwined modern software supply chains are. The software you rely on often comes via a chain of thousands of companies and contractors — and any weak link compromises the whole chain.

The Complexity of Supply Chains

Think about the phone or computer you’re using now. Its components were crafted in factories run by different companies, built piece by piece by countless subcontractors. The same goes for software — behind every app are layers of software dependencies from various companies.

So what if one link in this intricate chain is infiltrated by attackers? The problem quickly cascades downstream, affecting everyone relying on that product, no matter how secure they try to be.

This is the essence of a supply chain attack — and it’s as insidious as it sounds. In many cyber breaches, the root cause lies far upstream from the final victim.

Why SolarWinds?

SolarWinds, based in Texas, might not be a household name, but it plays an outsized role in enterprise IT. Its software, designed for specialized network management, is used by 425 of the Fortune 500 companies, every major US telecom provider, all branches of the US military, and even the White House itself.

That customer list was a goldmine for attackers — a roadmap into some of the most sensitive networks on Earth.

The Attack Unfolds

Though the exact way attackers initially breached SolarWinds remains unclear, it likely involved zero-day vulnerabilities and carefully crafted phishing campaigns. One plausible scenario involved an employee clicking a legitimate-looking LinkedIn message link that silently exploited a Safari browser bug, stealing credentials.

With these keys in hand, hackers explored SolarWinds’ network over months. Then the real damage began. They targeted SolarWinds’ Orion IT management software. Orion updates were poisoned with a Trojan backdoor, signed and distributed just like any normal update — trusted implicitly by thousands of critical clients.

The Trojan Within: How SUNBURST Worked

his malicious update included a trojanized DLL file that established a hidden communication line to attacker servers. After lying dormant for up to two weeks, it executed commands to transfer files, profile the system, and disable security tools — all while masquerading as legitimate SolarWinds traffic.

If the attacker found the victim valuable, they would deploy further custom malware designed for stealthy espionage or data theft.

Reaching Every Corner

The cleverness of the supply chain attack meant that in one stroke, thousands of networks were infected. Rather than laboriously hacking each target individually, the attackers compromised the update supply channel itself — a singular vulnerability with wide-reaching consequences.

Selective Stealing

Despite the broad infection, the attackers were surgical in what data they stole. From 300,000 SolarWinds customers, about 33,000 installed the compromised Orion updates. Among these, only a few dozen appear to have had sensitive data extracted — mostly among the highest echelons of government like the Department of Defense, NSA, and the White House.

The Discovery

Surprisingly, it wasn’t a government agency that uncovered the breach but FireEye, a cybersecurity contractor. Their engineers traced suspicious activity to SolarWinds software, uncovering the supply chain backdoor. Working fast, FireEye collaborated with Microsoft and others to sinkhole the attackers’ command servers — halting the spread before public awareness even caught up.

The Fallout

The attack, dubbed SUNBURST, quickly became front-page news. SolarWinds’ reputation was shattered as the world learned how one software vendor’s compromise shook the foundations of US cybersecurity.

Criticism mounted over SolarWinds’ lax security and their slow response even after the breach was discovered. Attempts to scapegoat an intern with a weak password were widely ridiculed, missing the point that this was a highly sophisticated nation-state operation.

Who Was Behind It?

Almost unanimously, security agencies and private firms traced the attack back to Russian intelligence operatives, particularly the APT29 group known as Cozy Bear. Their brutal efficiency and suite of advanced tools matched previous espionage campaigns attributed to them.

A Second Wave: Supernova

At the same time as SUNBURST, another attack, Supernova, was discovered — linked to Chinese state-sponsored hackers using different tactics. The attackers exploited the chaos to steal even more credentials from SolarWinds networks.

Conclusion

The SolarWinds hack remains a sobering reminder of the risk posed by supply chain attacks — threats that transcend individual companies and impact entire national security ecosystems. It has galvanized efforts for stronger cybersecurity, improved software supply chain hygiene, and better collaboration between public and private sectors worldwide.

North Korea has transformed from a technologically isolated nation into one of the world’s most sophisticated cybercriminal organizations, generating billions of dollars annually through cryptocurrency theft and cyber warfare. Despite severe economic sanctions and technological limitations, the Democratic People’s Republic of Korea (DPRK) has strategically leveraged its unique socio-political structure to build a formidable hacking apparatus that serves dual purposes: funding the regime’s nuclear and military ambitions while projecting power on the global stage.

The Paradox of North Korean Cyber Excellence

The notion that North Korea—a country plagued by widespread poverty, food shortages, and technological backwardness—could orchestrate some of the world’s most sophisticated cyberattacks initially seemed implausible. This apparent contradiction lies at the heart of North Korea’s strategic deception. While the general population lives in conditions comparable to Afghanistan, lacking basic amenities like consistent electricity and internet access, an elite cadre of hackers operates with cutting-edge technology and global reach.

This dichotomy is not accidental but rather a carefully cultivated facade. The regime benefits from being perceived as technologically inept while simultaneously deploying advanced cyber capabilities. This strategic misdirection allows North Korean hackers to operate with reduced scrutiny while their attacks are often initially attributed to other actors.

The Ideological Framework: Juche and Songbun

Juche: Self-Reliance as Criminal Enterprise

North Korea’s founding ideology of juche (self-reliance) creates the fundamental contradiction that drives its cybercriminal empire. While juche theoretically demands complete isolation from capitalist nations and their “evil” influences, the regime requires foreign currency, advanced technology, and international resources to maintain power. Cybercrime provides the perfect solution to this ideological paradox—generating foreign revenue without officially abandoning isolationist principles. The regime has extended juche principles to its cyber operations, with hacking groups expected to fund themselves through criminal activities rather than rely on central government resources. This approach aligns with North Korea’s broader economic model where various organizations must generate their own operational funding.

Songbun: The Social Hierarchy Enabling Cyber Operations

The songbun class system divides North Korean society into three distinct tiers:

Hostile Class: The lowest tier, comprising those deemed unworthy of even knowing the leader’s name, restricted to manual labor and basic survival.

Wavering/Middle Class: The majority of the population living in poverty with limited access to technology, subjected to rationed electricity and mandatory propaganda broadcasts.

Core Class: The elite upper class with access to modern technology, international travel, and luxury goods typically obtained through black market channels.

The Recruitment and Training System

Identifying Mathematical Prodigies

North Korea’s cyber program begins with systematic identification of gifted children, particularly those showing exceptional mathematical and scientific aptitude. The regime monitors students across all social classes, selecting talented individuals regardless of their family’s songbun status. This meritocratic element within an otherwise rigid class system ensures the best minds are recruited for cyber operations.

Selected students undergo rigorous training with severe punishment for failure but significant rewards for success. This approach has produced internationally competitive performance in mathematics, science, and technology competitions, creating a pool of world-class technical talent.

Elite Training Institutions

Institutions like Kim Il-sung University provide advanced technical education exclusively to selected individuals. These programs focus heavily on computer science, cybersecurity, and related technical fields. Students receive access to international technology and knowledge typically forbidden to ordinary citizens, creating a distinct cyber elite class.

International Operations

The most talented graduates are deployed overseas to countries with weak border controls, particularly China and Russia, where they operate under false identities. These overseas teams work from locations like the infamous “Hacker Hotel” in Shenzhen, China—a budget hotel that served as both a legitimate accommodation and a base for North Korean cyber operations.

Organizational Structure

Reconnaissance General Bureau (RGB)

The primary umbrella organization for North Korean cyber operations is the Reconnaissance General Bureau, established in 2009 to consolidate various intelligence and special operations agencies. The RGB manages most known North Korean cyber capabilities and operates six bureaus with specific functions.

Bureau 121: The Cyber Warfare Division

Bureau 121, created in 1998, serves as North Korea’s primary cyberwarfare agency and the main unit within the RGB. This organization employs approximately 1,800 hackers conducting operations under what the regime calls the “Secret War”. Bureau 121 maintains overseas teams that provide lucrative positions for elite hackers, enabling them to bring their families to prestigious areas like Pyongyang.

Known Hacking Groups

North Korean cyber operations are carried out by multiple specialized groups, each with distinct capabilities and objectives:

Lazarus Group: The most prominent North Korean hacking collective, responsible for major attacks including the 2014 Sony Pictures hack and the $625 million Ronin Bridge theft. Also known as Guardians of Peace, APT38, or Diamond Sleet.

APT43: A sophisticated operator that combines espionage with cybercrime to fund its own operations, aligning with juche ideology. Unlike other groups, APT43 appears to be self-funding rather than generating revenue for the central regime.

Andariel/Onyx Sleet: Operates under RGB 3rd Bureau, primarily targeting defense, aerospace, and nuclear entities to obtain classified technical information. This group funds espionage activities through ransomware operations against U.S. healthcare entities.

Kimsuky: Focuses on intelligence gathering and has been linked to operations involving foreign operatives, potentially marking the first known case of direct foreign participation in DPRK cybercrime.

Major Cyber Operations

Sony Pictures hack(2014)

he 2014 Sony Pictures attack marked a significant evolution in capabilities, demonstrating advanced understanding of both technical and social engineering aspects of hacking. This attack, attributed to the Guardians of Peace (later identified as Lazarus Group), showcased North Korea’s ability to conduct complex, politically motivated cyber operations with global impact.

The Ronin Bridge Hack (2022)

The March 2022 attack on Axie Infinity’s Ronin Network exemplifies North Korean cyber sophistication. Hackers stole $625 million by compromising the private keys of five validator nodes required to approve transactions. The attack went undetected for six days, only discovered when users reported withdrawal difficulties.

The operation demonstrated advanced social engineering capabilities, with attackers targeting Sky Mavis engineers through fake job postings on LinkedIn. The FBI officially attributed this attack to North Korea’s Lazarus Group, with stolen funds traced to regime-controlled wallets.

WazirX Exchange Breach India (2024): North Korean hackers stole $235 million from India’s largest cryptocurrency exchange, demonstrating global reach and targeting.

Bybit Hack (February 2025): The theft of approximately $1.5 billion from one of the world’s largest cryptocurrency exchanges. The FBI quickly attributed this attack to North Korean TraderTraitor actors, who began rapidly laundering funds across multiple blockchains.

The IT Worker Infiltration Scheme

“Job by Proxy” Operations

Beyond direct hacking, North Korea has developed sophisticated schemes to infiltrate legitimate technology companies through remote workers operating under false identities. These operations involve North Korean nationals securing employment at U.S. and European companies while concealing their true identities and locations.

Operational Mechanics

The infiltration scheme operates through several coordinated steps:

1. Identity Theft: North Koreans acquire stolen or fabricated American identities, often with assistance from U.S.-based facilitators.

2. Profile Creation: Fake LinkedIn profiles and professional personas are developed to network with recruiters.

3. Technical Infrastructure: “Laptop farms” managed by American accomplices receive company equipment and maintain the illusion of domestic work locations

4. AI-Enabled Deception: Advanced tools including face-masking software and voice modification technology help maintain cover during video conferences.

Revenue Scale

Conservative estimates suggest North Korea has stolen over $5 billion worth of cryptocurrency since 2017. The regime’s cyber operations now represent a significant portion of its foreign currency earnings, directly funding nuclear and missile development programs.

Conclusion

North Korea’s transformation into a cyber superpower represents one of the most significant developments in modern international security. By exploiting the intersection of its unique political system, talented workforce, and global technological vulnerabilities, the regime has created a sustainable model for sanctions evasion and power projection.

The success of North Korean cyber operations demonstrates how authoritarian regimes can leverage asymmetric capabilities to achieve strategic objectives while maintaining the facade of technological backwardness. As cryptocurrency and digital assets become increasingly central to global finance, North Korea’s cyber capabilities will likely continue expanding, posing growing challenges to international security and financial stability.

Understanding this sophisticated operation requires recognizing that North Korea’s cyber empire is not an accident of technological advancement but a deliberate strategic creation designed to serve the regime’s survival and expansion goals. Only by acknowledging the true scope and sophistication of these operations can the international community develop effective countermeasures to this evolving digital threat.

Ever found yourself stuck in a loop of endless thoughts, trying to predict every possible outcome or replaying conversations over and over? You’re not alone. Overthinking is a modern epidemic—an exhausting habit that drains our energy and peace, all because our minds crave control and certainty. But what if the secret to breaking free isn’t about gaining more control, but about letting go? The ancient wisdom of the Bhagavad Gita, paired with insights from modern psychology, offers a powerful roadmap to transform our relationship with overthinking.

In this post, we’ll explore why we overthink, how it impacts us, and practical strategies—rooted in the Gita—to reclaim your mental peace and engage with life more fully.

Understanding Overthinking: The Mind’s Addiction to Control

Overthinking is more than just “thinking too much.” It’s a chronic mental habit where we replay scenarios, analyze every detail, worry about the future, and try to predict or control outcomes. Why do we do this? At its core, overthinking is the mind’s attempt to avoid uncertainty and discomfort by seeking control.

The Roots of Overthinking

• Attachment to outcomes: We want things to go a certain way, so we obsess over how to make it happen.

• Fear of uncertainty: The unknown feels threatening, so we try to plan for every possibility.

• Perfectionism: Mistakes or “wrong” decisions feel intolerable, so we analyze endlessly.

• Restless mind: The Gita describes the mind as chanchala—naturally restless and prone to wandering.

Real-World Analogy

Think of the mind as a smartphone with dozens of apps running in the background. Each app represents a thought, worry, or scenario. The more apps you keep open, the slower and more exhausted your phone (mind) becomes. Overthinking is like leaving every app open, hoping you’ll have everything under control.

The Cost of Overthinking: Psychological and Physiological Impact

Chronic overthinking doesn’t just steal your peace—it affects your body and decision-making, too.

Psychological Effects

• Anxiety and worry: Constantly anticipating problems increases anxiety.

• Depression: Persistent rumination can lead to feelings of helplessness.

• Indecisiveness: Overanalyzing makes even simple decisions feel overwhelming.

• Mental exhaustion: The brain tires from constant activity, reducing focus and productivity.

Physiological Effects

• Sleep disturbances: Racing thoughts make restful sleep elusive.

• Increased stress hormones: The body remains in a state of “fight or flight.”

• Physical symptoms: Tension headaches, digestive issues, and fatigue.

What the Bhagavad Gita Teaches About the Mind

The Bhagavad Gita, offers profound insights into the nature of the mind and how to master it—not by suppression, but by transformation.

The Restless Mind and Addiction to Control

In the Gita, Arjuna confesses to Krishna:

“The mind is restless, turbulent, powerful, and obstinate. To control it is, I think, more difficult than controlling the wind.” (Gita 6.34)

Krishna doesn’t suggest suppressing thoughts, but rather transforming the mind:

• Awareness: Observe the mind’s patterns without judgment.

• Acceptance: Accept uncertainty and imperfection as part of life.

• Detachment: Let go of attachment to outcomes and desires.

• Mindful action (Karma Yoga): Focus on your actions—not the results.

Transforming Overthinking: Gita-Inspired Strategies

Let’s break down the Gita’s approach to conquering overthinking into actionable steps.

1. Awareness: Observe Your Thoughts

Before you can change a habit, you need to notice it. Start by observing your thoughts as they arise, like watching clouds pass in the sky.

Tip: Set aside 5 minutes a day to sit quietly and notice what your mind is doing. No judgment—just observation.

2. Acceptance: Embrace Uncertainty

Instead of fighting uncertainty, practice accepting it. The Gita teaches that life is full of change and unpredictability. Trying to control every outcome is like trying to stop the tide with your hands.

• Affirmation: “I accept what I cannot control.”

• Practice: When faced with uncertainty, pause and remind yourself that discomfort is natural.

3. Detachment: Let Go Without Indifference

Detachment, or vairagya, doesn’t mean you stop caring. It means you stop clinging. Imagine holding sand—grip too tightly, and it slips away; hold gently, and it stays.

• Detach from results: Focus on your effort, not the outcome.

• Detach from perfection: Allow yourself to be imperfect and make mistakes.

4. Mindful Action: Karma Yoga

Karma Yoga is the practice of acting with full presence and sincerity, without obsessing over results. This is the Gita’s antidote to overthinking.

Practical Steps:

1. Set clear intentions for your tasks.

2. Do your best—but let go of the need to control the outcome.

3. Reflect at the end of the day: Did I act with presence? Did I let go of results?

Practical Examples: Real-Life Transformations

Example 1: The Corporate Manager

A corporate manager struggled with anxiety and insomnia, constantly worrying about sales targets. After learning about Karma Yoga, she shifted her focus to effort and process, rather than outcomes. Within weeks, her anxiety dropped, and her sleep improved.

Example 2: University Students

Students attending Gita-inspired mindfulness workshops reported less rumination and better academic performance. By practicing acceptance and detachment, they found it easier to cope with exam stress and stop obsessing over grades.

Example 3: Counselors and Clients

Counselors using Gita-based techniques helped clients reduce chronic worry by teaching them to accept negative thoughts and focus on present-moment action. Clients reported greater emotional resilience and less distress.

Benefits of Breaking Free from Overthinking

Transforming the mind through awareness, acceptance, and mindful action leads to tangible improvements:

• Reduces anxiety, insomnia, and exhaustion

• Improves decision-making, focus, and productivity

• Cultivates emotional resilience and inner peace

• Promotes acceptance of uncertainty and greater well-being

Use Cases

• Workplace: Better stress management and teamwork.

• Academics: Improved focus and learning.

• Relationships: More patience, empathy, and presence.

• Personal growth: Enhanced self-awareness and growth.

Common Challenges and How to Overcome Them

1. Consistency Is Hard

Transforming mental habits takes time. Solution: Start small—5 minutes of mindfulness daily. Celebrate progress, not perfection.

2. Discomfort with Letting Go

Letting go of control can feel scary. Solution: Remind yourself that discomfort is temporary; peace follows acceptance.

3. Misunderstanding Detachment

Detachment isn’t indifference. Solution: Practice “active acceptance”—engage fully, but don’t cling to outcomes.

4. Cultural or Personal Resistance

Some may resist Gita-inspired practices due to beliefs. Solution: Focus on universal principles—awareness, acceptance, and mindful action are valuable for everyone.

Actionable Tips: Integrating Mindfulness and Detachment

• Set a daily “awareness alarm”—pause hourly to check in with your thoughts.

• Journal your worries—write down your concerns, then highlight what you can control.

• Practice “effort over outcome”—after completing a task, reflect on your effort instead of the result.

• Try guided meditation—apps like Headspace or Insight Timer offer detachment and acceptance practices.

• Use affirmations:

  • “I am present in my actions.”

  • “I accept uncertainty as part of life.”

  • “I let go of what I cannot control.”

Conclusion: Transforming the Mind, Not Suppressing It

Overcoming overthinking isn’t about gaining more control—it’s about transforming the mind through acceptance, mindfulness, and detached action. The Bhagavad Gita’s teachings, backed by modern psychology, show us that freedom comes not from fighting thoughts, but from observing, accepting, and letting them pass. By applying these strategies, you can break the addiction to control, reclaim your mental peace, and engage with life more fully.

Next Steps: Start Your Journey Today

1. Observe: Spend 5 minutes daily watching your thoughts.

2. Accept: When uncertainty arises, practice active acceptance.

3. Detach: Focus on your effort, not the outcome.

4. Engage: Bring mindful presence to every action.

5. Repeat: Progress comes with patience and consistency.

Remember: You don’t have to suppress your mind—you have to transform it. The journey may be challenging, but every step brings you closer to inner peace and clarity.

“Peace comes not from controlling the mind, but from understanding and transforming it.”

Ready to break free from overthinking? Start observing your thoughts today, and let the wisdom of the Gita guide you to a calmer, more resilient mind.

If you enjoyed this post, share your experiences or questions in the comments below. Let's support each other in the journey to mental freedom!

• The earliest confirmed intrusions began July 2006, targeting a South Korean construction firm via a spear-phishing email embedding a remote access Trojan.

• By January 2010, the longest-running breach—of an Asian Olympic committee—had persisted for 28 months.

• McAfee identified 71 distinct victims across 14 countries, including Canada, India, South Korea, Taiwan, the United States, and Vietnam.

The operation’s hallmark was persistent access. Rather than “smash-and-grab,” attackers “loitered” inside networks, moving laterally to siphon new data continuously, then exfiltrating it via unencrypted FTP directly to servers in China.

Victims and Stolen Data

Victim Profile

Operation Shady RAT’s targets spanned a broad spectrum:

Types of Data Stolen

• Intellectual Property: Technology blueprints, proprietary manufacturing processes, design schematics (e.g., F-35 Lightning II stealth fighter plans)

• Strategic Documents: Business plans, negotiation memos, emails of senior leadership, bidding proposals.

• Government & Military Intelligence: Diplomatic cables, defense planning documents, Olympic security protocols.

McAfee estimated that the stolen data provided China with a technology transfer windfall that fueled its rapid economic growth and military modernization, achieving four-fold GDP growth over the following decade.

Attribution to PLA Unit 61398 (APT1)

In February 2013, cybersecurity firm Mandiant (later FireEye) linked the operation to Advanced Persistent Threat 1 (APT1)—a specific PLA unit designated 61398, based in Pudong, Shanghai.

Unit 61398 Profile

• Embedded in the PLA General Staff Department’s Third Department, Second Bureau.

• Housed hundreds (possibly thousands) of personnel with expertise in network operations, malware development, linguistics, and reconnaissance.

• Supported by dedicated China Telecom fiber-optic infrastructure ostensibly for “national defense”.

• Operating over 1,000 command-and-control servers across four Shanghai network blocks.

Evidence of Chinese State Sponsorship

• Malware and phishing campaigns used Chinese-registered domains and IP addresses without traffic obfuscation for years.

• Attack infrastructure resilience and scale required government backing for facilities, logistics, and operator training.

• Public indictments by the FBI of PLA officers connected to Unit 61398 in May 2014 underscored official Chinese military involvement.

High-Profile Impact: The F-35 Theft

One of the most consequential breaches was against Lockheed Martin, where attackers exfiltrated designs for the F-35 Lightning II stealth fighter beginning in 2007 . Within years, China unveiled its Shenyang FC-31 (J-35), bearing striking resemblance to the F-35, prompting widespread allegations of technology theft.

• U.S. officials confirmed in 2009 that Chinese hackers had accessed multiple terabytes of F-35 data, including radar design parameters and engine cooling schemes.

• In March 2016, Chinese national Su Bin pled guilty in U.S. courts to conspiring with PLA contacts from 2008–2014 to steal F-22 and F-35 secrets, resulting in a 46-month prison sentence.

• The FC-31’s aerodynamic features (serpentine inlets, internal weapons bays, sawtooth edges) mirror U.S. fifth-generation stealth design philosophies.

Evolution of Chinese Cyber Espionage

After 2013’s public exposure and diplomatic reprimands, APT1 tactics evolved:

• Transition to redirectors: routing attacks through compromised third-party networks for plausible deniability.

• Use of non-state proxies and encryption to mask origins.

• Focus shifted from broad intellectual property theft to maintaining strategic access to critical infrastructure—power grids, water treatment plants, transportation networks—to enable future disruption.

These adaptations reflect China’s growing emphasis on cyber warfare capabilities beneath the threshold of armed conflict, positioning it as a preeminent cyber superpower.

Lessons Learned and Defense Measures

• Spear-Phishing Awareness: Enhanced user training and email filtering to block malicious attachments.

• Network Segmentation & Monitoring: Isolate critical systems and monitor for anomalous lateral movement.

• Threat Intelligence Sharing: Leveraging indicators of compromise (over 3,000 IOCs released by Mandiant) to detect APT1-like campaigns .

• Zero-Trust Architectures: Verifying every user and device interaction, even within the perimeter.

• Continuous Incident Response: Rapid containment and remediation to prevent years-long stealthy intrusions.

Conclusion

Operation Shady RAT stands as a watershed moment in cyber-espionage history. It demonstrated the power of advanced persistent threats backed by state resources to conduct covert, long-term intellectual property theft at an unprecedented scale. By attributing the operation to PLA Unit 61398 (APT1), security researchers catalyzed a paradigm shift toward proactive cyber defense, intelligence collaboration, and resilience. Today’s cyber landscape continues to evolve, but the lessons of Shady RAT remain foundational in safeguarding national security and economic competitiveness.

Timeline of the Cyber Onslaught

• 27 April 2007: First wave of DDoS attacks hits high-profile sites—President, Parliament, ministries, political parties, major media outlets, and ISPs—overloading servers with malformed queries, UDP floods, ping floods, spam, and botnet traffic.

• 28 April 2007: Estonia’s Ministry of Defence and CERT-EE coordinate a fight-back, enlisting European CERTs to filter malicious traffic and restore services.

• 4 May 2007: Second, more sophisticated wave targets banks (notably Hansabank and SEB), disrupting online banking, ATMs, and e-mail servers; Hansabank shuts online service for over an hour, blocking some 300 suspect IP addresses and incurring an estimated US$1 million in losses.

• 9 May 2007 (Russia’s Victory Day): Peak traffic surges—streams up to 90 Mbps sustained for 10 hours—flood DNS, routing, and web servers with nearly one million infected “zombie” computers worldwide.

• 19 May 2007: Attacks abruptly cease after 22 days of intermittent DDoS waves.

• January 2008: Only one ethnic-Russian Estonian, Dmitri Galushkevich, is convicted and fined for organizing a single DDoS attack against a political-party website; broader attribution remains elusive as Russia refuses mutual-legal-assistance requests.

Attack Vectors and Scale

Analyses by Arbor Networks and Estonia’s CERT revealed:

• Predominant use of DDoS techniques—ping/UDP floods, malformed HTTP requests, mass e-mail spam comments, SQL-injection attempts—amplified by rented botnets of up to 1–2 million nodes across 175 jurisdictions.

• Targeted systems extended beyond public websites to DNS servers, e-mail servers, routers, telephony, and financial-transaction processors—some with non-public network addresses—indicating coordination beyond amateur hackers.

• Attack orchestration was facilitated by Russian-language forums issuing detailed instructions with timing (e.g., targeting 9 May) and defamatory payloads (e.g., “ANSIP_PIDOR=FASCIST”) embedded in requests.

Attribution and Perpetrators

• State backing suspected: Although no definitive public proof links the Kremlin, hostile rhetoric from Russian officials, suspension of trade with Estonia, and refusal to cooperate with investigations suggest tacit state support.

• Claims of responsibility:

• Sergei Markov (Russian Duma member) alleged an aide acted independently from Transnistria in 2007.

• Konstantin Goloskokov, a “commissar” for the Kremlin-backed Nashi youth in Transnistria, admitted organizing the attacks in 2009 but denied official orders from Nashi leadership.

Expert opinions vary:

• Some security analysts argue the attack scale required state-level resources and telecom cooperation, exceeding organised crime capabilities.

• CERT-US downplayed its technical magnitude, labeling it “not significant in scale” beyond its political impact.

• Others characterize it as a “cyber riot” or “people’s war” digital campaign rather than a classic military strike.

Impact on Estonia and Beyond

• Immediate disruption: Government news portals, online banking, media commentaries, and essential e-services were inaccessible domestically and abroad; Estonia briefly “closed its digital borders,” blocking all international web traffic to stem the flood.

• Economic cost: Banks estimated losses of at least US$1 million; private-sector entities incurred service-restoration expenses and reputational damage.

• No physical damage: Despite the severity, no hardware was destroyed and no critical infrastructure permanently disabled; however, psychological impacts and disruption to investor confidence were significant.

• Legal response: Estonia invoked computer-sabotage statutes—max three-year imprisonment—and sought mutual-legal assistance from Russia; only one domestic conviction ensued.

• Strategic shift: Shock spurred Estonia, NATO, and the EU to bolster cyber defense:

• Creation of the Tallinn Manual on international law in cyber conflict.

• Establishment of NATO’s Cooperative Cyber Defence Centre of Excellence (CCDCOE) in May 2008 in Tallinn.

• Adoption of national cyber-security strategies, cyber-incident legislation, and enhanced CERT-EE capabilities.

Conclusion

The 2007 cyberattacks on Estonia marked a turning point in global cybersecurity. Far from mere nuisance, the campaign underscored how digital weaponry can paralyze a nation’s critical functions. Estonia’s rapid, transparent response and subsequent policy leadership illustrate how even small states can pioneer cyber resilience. Today, the lessons from Tallinn inform NATO doctrines, international law discussions, and national cyber strategies worldwide—ensuring the Bronze Soldier crisis remains etched in the annals of cyber defense.

Origins and First Appearance

The Shadow Brokers burst onto the cybersecurity scene in August 2016 with a dramatic announcement that sent shockwaves through the intelligence community. The group claimed to have successfully infiltrated the Equation Group, a sophisticated cyber espionage unit widely believed to be associated with the intelligence community's Tailored Access Operations (TAO).

The name "Shadow Brokers" derives from the popular video game Mass Effect, where the character serves as "an enigmatic figure at the head of an expansive organization which trades in information, always selling to the highest bidder". This reference proved prophetic, as the group's subsequent actions closely mirrored this fictional character's role as an information broker.

The Initial Breach and Auction Attempt

In their first public appearance, the Shadow Brokers revealed they had stolen what they claimed was a treasure trove of cyber weapons and hacking tools. The stolen cache allegedly contained sophisticated exploits targeting various systems including Cisco routers, Microsoft Windows platforms, and Linux mail servers.

Rather than immediately releasing everything, the group attempted to monetize their theft through an unusual auction format. They initially demanded 1 million Bitcoin (approximately $600 million at the time) for the complete set of tools. The auction structure was particularly bizarre - winning bidders would receive the tools, but losing bidders would forfeit their payments entirely.

The auction proved to be a spectacular failure. After months of attempting to sell the stolen tools, the Shadow Brokers had collected only about 10.5 Bitcoin (roughly $24,000) by 2017. The lack of interest forced them to repeatedly lower their asking price and eventually pivot to different distribution methods.

Evolution of Distribution Methods

Following the failed auction, the Shadow Brokers adapted their approach several times:

Crowdfunding Campaign

After the auction's failure, they launched a crowdfunding campaign requesting 10,000 Bitcoin ($6.38 million) with promises to release the password for the encrypted archive once the target was reached. This effort was equally unsuccessful.

Direct Sales Platform

In December 2016, the group established a presence on ZeroNet, a decentralized platform, where they offered individual tools for prices ranging from 1 to 100 Bitcoin, with the complete archive available for 1,000 Bitcoin.

Subscription Service Model

Perhaps their most audacious business model was the launch of the "Wine of the Month Club" subscription service in 2017. For 100 ZEC (Zcash cryptocurrency, approximately $21,000), subscribers would receive monthly releases of new hacking tools and exploits. The service promised access to zero-day exploits targeting Windows 10, web browsers, routers, smartphones, and compromised banking data.

Major Releases and Their Impact

The April 2017 "Lost in Translation" Dump

The Shadow Brokers' most devastating release came on April 14, 2017, when they published the password to their encrypted archive as a "protest" against political developments. This release included numerous powerful exploits with code names like ETERNALBLUE, ETERNALROMANCE, ETERNALSYNERGY, FUZZBUNCH, and DOUBLEPULSAR.

The timing was significant - Microsoft had released patches for many of these vulnerabilities just one month earlier in March 2017, suggesting they may have been warned about the impending leak. However, many organizations had not yet applied these critical security updates.

The WannaCry Connection

The most catastrophic consequence of the April 2017 release was the WannaCry ransomware attack that occurred just one month later in May 2017. The ransomware incorporated the ETERNALBLUE exploit from the Shadow Brokers leak, allowing it to spread rapidly across networks without user interaction.

WannaCry infected over 300,000 computers across 150 countries in a matter of days. The attack crippled hospitals in the United Kingdom, disrupted railway systems, and affected numerous other critical infrastructure components worldwide. The ransomware's impact demonstrated the real-world consequences of leaked cyber weapons falling into malicious hands.

Additional Malware Campaigns

Beyond WannaCry, the leaked exploits were incorporated into other destructive malware campaigns:

• NotPetya (2017): This destructive malware also utilized ETERNALBLUE to spread across networks, causing over $1 billion in damages across 65 countries.

• BadRabbit: Another ransomware variant that leveraged the leaked exploits

• Various cryptocurrency mining malware: Cybercriminals adapted the exploits for less destructive but profitable cryptocurrency mining operations

Investigation and Insider Theories

The Hunt for Shadow Brokers' Identity

The investigation into the Shadow Brokers' identity became one of the most significant counterintelligence operations in recent history. The probe involved multiple agencies including the FBI, National Counterintelligence and Security Center (NCSC), and internal security groups.

Early theories suggested foreign state involvement, particularly pointing to Russia. Edward Snowden publicly speculated that "circumstantial evidence and conventional wisdom indicates Russian responsibility" and suggested the leak was a warning about potential retaliation for other cyber operations.

The Insider Theory

However, as investigations progressed, evidence increasingly pointed toward an insider threat. Several factors supported this theory:

1. File Structure and Content: The leaked materials contained internal file directories and scripts that would typically only be accessible from within secure networks.

2. Operational Details: The group demonstrated knowledge of internal personnel and classified project names not included in the leaked files.

3. Technical Limitations: Many experts argued that external hackers would be unlikely to successfully penetrate the highly secured networks where these tools were stored.

Key Arrests and Connections

The investigation led to several high-profile arrests of government contractors:

Harold T. Martin III

Martin, a Booz Allen Hamilton contractor (the same company that previously employed Edward Snowden), was arrested in August 2016. FBI agents discovered approximately 50 terabytes of classified materials in his home, car, and storage shed. While Martin was never directly charged with being the source of the Shadow Brokers leaks, investigators found that 75% of the stolen cyber weapons were present on his computers.

Martin pleaded guilty to willful retention of classified material and was sentenced to nine years in prison in 2019. Notably, the Shadow Brokers continued posting cryptographically-signed messages even while Martin was in custody, suggesting either multiple sources or that he was not the primary leak.

Nghia Hoang Pho

Pho, a developer in the Tailored Access Operations unit, was arrested and sentenced to 66 months in prison for taking classified materials home between 2010 and 2015. His personal computer, which contained the classified hacking tools, was running Kaspersky antivirus software that was allegedly exploited by Russian intelligence to steal the materials.

The timing of Pho's activities aligned with when the Shadow Brokers claimed to have obtained their materials, making him another potential source.

Political Motivations and Messaging

Deep State Conspiracy Claims

The Shadow Brokers' communications revealed strong political motivations and conspiracy theories. In their messages, they claimed to be former members of the "Deep State" - a term referring to alleged hidden networks within government agencies. They stated they had originally taken an oath "to protect and defend the constitution" but became disillusioned with how intelligence agencies operated.

Support for Political Figures

The group expressed support for certain political figures while criticizing others. They claimed to have voted for and initially supported Donald Trump but later expressed disappointment with his policies. Their April 2017 password release was explicitly framed as a "protest" against military actions and personnel changes they disagreed with.

Anti-Globalist Ideology

Throughout their communications, the Shadow Brokers promoted anti-globalist, nationalist, and isolationist ideologies. They positioned themselves as patriots fighting against what they perceived as corruption within intelligence agencies.

Technical Capabilities and Tools

Zero-Day Exploits

The Shadow Brokers' cache contained numerous zero-day exploits - previously unknown vulnerabilities that could be exploited before software vendors became aware of them. These included:

• ETERNALBLUE: Exploited a vulnerability in Microsoft's Server Message Block (SMB) protocol.

• ETERNALROMANCE: Another SMB-based exploit targeting Windows systems.

• ETERNALSYNERGY: A related exploit in the same family.

Advanced Persistent Threat Tools

The leaked materials included sophisticated tools designed for long-term network infiltration and espionage. These tools demonstrated capabilities that security researchers described as "second to none" in terms of sophistication and stealth.

Targeting and Attribution

Analysis of the leaked tools revealed that they had been used against targets in numerous countries, with particular focus on Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali. The global reach and sophisticated targeting suggested state-level resources and objectives.

Impact on Cybersecurity Industry

Immediate Response and Patching

The Shadow Brokers revelations triggered one of the largest coordinated patching efforts in cybersecurity history. Microsoft released emergency patches not only for supported operating systems but also for long-discontinued systems like Windows XP. The company took the unusual step of issuing out-of-band security updates to address the immediate threat.

Long-term Security Implications

The leaks had several lasting effects on cybersecurity practices:

1. Vulnerability Disclosure Policies: The incident sparked debates about government agencies' responsibilities to disclose security vulnerabilities to vendors.

2. Zero-Day Stockpiling: Questions arose about the ethics and risks of intelligence agencies maintaining arsenals of undisclosed vulnerabilities.

3. Supply Chain Security: Organizations began more carefully scrutinizing their software supply chains and update processes

Evolution of Threat Landscape

The Shadow Brokers' actions democratized advanced cyber weapons, making nation-state-level tools available to common cybercriminals. This led to a significant escalation in the sophistication of ransomware and other malware campaigns.

International Implications

Diplomatic Consequences

The revelations created diplomatic tensions as targeted countries learned the extent of surveillance operations against them. The leaked materials revealed intelligence operations against banks in the Middle East and other sensitive targets.

Cyber Deterrence Theory

The Shadow Brokers incident challenged traditional concepts of cyber deterrence. The leak demonstrated that even the most sophisticated cyber weapons could be turned against their creators or used by adversaries.

Attribution Challenges

The case highlighted the difficulties in attributing cyber operations. While intelligence agencies likely had strong suspicions about the Shadow Brokers' identity, public attribution remained elusive, complicating diplomatic responses.

Economic Impact

Direct Financial Losses

The malware campaigns enabled by Shadow Brokers tools caused billions of dollars in damages:

• WannaCry alone caused estimated damages ranging from hundreds of millions to billions of dollars globally.

• NotPetya caused over $1 billion in damages across 65 countries.

• Ongoing exploitation of the leaked vulnerabilities continued to cause financial losses for years

Cybersecurity Market Growth

The incidents accelerated growth in the cybersecurity industry as organizations scrambled to improve their defenses against advanced threats. The demand for endpoint detection and response solutions, threat intelligence, and incident response services increased significantly.

The Group's Disappearance

Final Messages and Silence

The Shadow Brokers' activity gradually declined throughout 2017. Their final major communications occurred in the summer of 2017, when they announced they were "going dark" due to insufficient financial returns from their efforts.

In their farewell message, they stated: "So long, farewell peoples. TheShadowBrokers is going dark, making exit. Continuing is being much risk and nonsense, not many bitcoins". However, they left the door open for a return if they received their requested 10,000 Bitcoin payment.

Continued Mystery

Despite extensive investigations, the true identity of the Shadow Brokers remains officially unknown. Various theories continue to circulate, ranging from Russian intelligence operations to disgruntled insiders to a combination of both.

Legacy and Long-term Impact

Transformation of Cyber Warfare

The Shadow Brokers fundamentally changed how the world thinks about cyber warfare and espionage. Their actions demonstrated that even the most classified and sophisticated cyber weapons could be compromised and turned against their creators.

Influence on Security Practices

The incident led to significant changes in how organizations approach cybersecurity:

• Faster patch deployment processes

• Improved network segmentation strategies

• Enhanced insider threat monitoring

• Greater emphasis on threat intelligence sharing

Ongoing Vulnerability

Years after their disappearance, security researchers continue to find systems vulnerable to exploits leaked by the Shadow Brokers. The group's actions created a lasting legacy of vulnerability that continues to affect organizations worldwide.

Academic and Research Impact

The Shadow Brokers case became a cornerstone study in cybersecurity education, demonstrating the intersection of technical vulnerability, human psychology, and geopolitical strategy. Researchers continue to analyze their methods, motivations, and impact to better understand similar threats.

Conclusion

The Shadow Brokers represent a watershed moment in cybersecurity history. Their actions exposed the double-edged nature of cyber weapons - tools designed to provide strategic advantages can become catastrophic liabilities when they fall into the wrong hands. The group's sophisticated understanding of both technical vulnerabilities and information warfare tactics made them uniquely dangerous.

While their true identity may never be definitively established, their impact is undeniable. The Shadow Brokers transformed the global threat landscape, democratized advanced cyber weapons, and forced governments and organizations worldwide to reconsider their approach to cybersecurity. Their legacy serves as a stark reminder that in the interconnected digital age, even the most powerful cyber capabilities can be turned against their creators.

The case continues to influence cybersecurity policy, international relations, and threat assessment methodologies. As cyber warfare becomes increasingly central to national security, the lessons learned from the Shadow Brokers incident remain critically relevant for understanding and defending against similar threats in the future.

The Glitch That Sparked an Alarm

On an ordinary morning, an assistant in the German federal parliament noticed odd character errors on her desktop: umlauts displayed as question marks. What seemed like a harmless encoding hiccup soon revealed itself as the footprint of a covert intruder. By the time investigators traced the anomaly to custom malware, hackers had already penetrated deep into the Bundestag’s digital corridors.

The Hunt for the “Bear”

Within days of the first glitch, Germany’s Federal Office for the Protection of the Constitution and cybersecurity specialists pinpointed the culprit: APT28—known in intelligence circles as Fancy Bear. This elite hacking outfit, linked to a foreign military intelligence service, had launched a carefully crafted spear-phishing campaign. Official-looking emails arrived in MPs’ inboxes, spoofing United Nations bulletins and coaxing recipients to click malicious links.

Once inside, the custom Trojan unfolded its arsenal: credential-harvesting tools, domain-wide backdoors, and undetected lateral-movement malware that spanned over 5,600 workstations, 500 network printers, and myriad servers.

A Network Held Hostage

For two tense weeks, Fancy Bear roamed freely in the Bundestag’s Parlakom network. Using tools like Mimikatz, hackers lifted administrator passwords and forged silver tickets to assume full domain control. Every keystroke, every confidential email—from routine schedules to high-level strategy memos—was siphoned off to remote servers.

The breach’s true scale emerged only after a UK security firm alerted Germany’s Federal Office for Information Security (BSI) on May 11. By May 15, forensic teams rerouted all parliamentary internet traffic through the more secure executive network (“IVBB”), isolating the malware. A full network shutdown ensued, lasting four days, as experts scrubbed code, reset credentials, and fortified defenses.

The Fallout: Data, Trust, and Diplomacy

When the Bundestag’s systems blinked back online, the damage was laid bare. Over 16 GB of data—including MPs’ personal and official email archives—had vanished. Parliamentary operations stalled, legislative debates delayed, and public confidence in digital governance took a serious blow.

On the diplomatic front, Germany reacted with unprecedented unity. Arrest warrants were issued for senior intelligence officers abroad, and in 2020 the EU and United Kingdom imposed sanctions—travel bans and asset freezes—on Fancy Bear affiliates. What began as a technical glitch had rippled outward, reshaping Europe’s approach to state-sponsored cyber threats.

Lessons Written in Code

The Bundestag breach laid bare critical weaknesses—and pointed the way forward:

Coordinated Defense: Delays in real-time intelligence sharing between the BfV, BSI, and parliamentary IT teams allowed hackers precious weeks to deepen their foothold. Protocols for instant cross-agency alerts are now non-negotiable.

Segmented Networks: Integrating specialized parliamentary systems with elevated, government-grade security networks curtailed lateral movement once activated—a model now replicated across EU capitals.

Credential Safeguards: Multi-factor authentication and strict privilege controls are standard practice, thwarting swift credential theft.

Continuous Monitoring: Extended log retention and AI-driven anomaly detection have become the frontline, flagging suspicious behaviors far sooner than outdated seven-day log windows ever could.

The New Face of Espionage

Today, cyber-espionage stands shoulder to shoulder with traditional spying. Digital attacks no longer just steal data—they can dictate political rhythms, disrupt infrastructure, and sow doubt among citizens. The Bundestag breach was a wake-up call, highlighting the urgent need for stronger cybersecurity measures. Democracies must treat cyberspace as an active battlefield.

As hackers refine their tradecraft—injecting malware into satellites, blending phishing campaigns with disinformation—nations must invest equally in resilient defenses. For Germany, the lessons of 2015 fuel a broader strategy: one that fuses diplomacy, sanctions, intelligence cooperation, and cutting-edge cybersecurity.

In a world where code can threaten democracy itself, the Bundestag’s digital heist reminds us that vigilance, unity, and innovation are our best shields.

The Bears That Roam the Digital Wild

Intelligence agencies have identified several notorious hacking groups, each with distinct specialties and operational methods. These units, often given animal-themed codenames like “Fancy Bear” and “Cozy Bear,” represent some of the most advanced persistent threats in the digital realm.

Fancy Bear operates with elegant precision, known for their agility and cunning in penetrating high-value targets. Meanwhile, Cozy Bear prefers a more methodical approach, quietly embedding themselves in systems for extended periods, sometimes remaining undetected for years.

Other specialized units include the energy-obsessed Berserker Bear, the digital sorcery specialists Voodoo Bear, and the particularly dangerous Toxic Bear. Each group brings unique capabilities to state-sponsored cyber operations.

The German Parliament Breach: A Digital Heist Unfolds

The story begins with something as simple as a malfunctioning accent mark. In May 2015, Claudia, an assistant working in the German Parliament, noticed her computer couldn’t properly display certain characters. What seemed like a minor technical glitch was actually the first visible sign of one of the most sophisticated cyber attacks in German history. The breach started weeks earlier when parliamentary staff received seemingly legitimate emails appearing to come from international organizations. These messages referenced current geopolitical tensions and included attachments that many recipients felt compelled to open.

A single click was all it took. Malware silently installed itself, providing hackers with administrator-level access to the entire parliamentary network. The attackers moved laterally through the system, scanning for valuable information and eventually reaching computers in the highest levels of government.

The Technical Masterpiece and Fatal Flaw

The hackers demonstrated remarkable technical sophistication, deploying custom tools designed to extract email databases and maintain persistent access. However, their operation nearly collapsed due to an unexpected challenge: the German language.

When attempting to locate and extract files, their extraction tool couldn’t properly handle German characters, specifically the umlaut. The program failed to recognize the special characters, causing the file path to display incorrectly and preventing successful data extraction.

Under pressure and realizing their operation might be exposed, the hackers hastily rewrote their code to accommodate the German language quirks. This rush led to a critical mistake—they forgot to remove identifying information from their custom program, leaving behind a digital fingerprint that would later help investigators.

The 2016 Digital Election Interference

The techniques refined in the German parliamentary attack were later deployed on a much larger scale during the 2016 presidential election. The same hacking groups that had infiltrated European political systems turned their attention to democratic processes across the Atlantic.

Using sophisticated spear-phishing campaigns, hackers targeted campaign officials with convincing fake security alerts. When victims entered their credentials on fraudulent websites, the attackers gained access to internal communications and strategic documents.

The stolen information was then weaponized through strategic releases designed to maximize political impact. Rather than dumping all data at once, the hackers created a sustained campaign of revelations, each timed for maximum disruption.

The Amsterdam Incident: When Hackers Get Physical

Not all cyber operations remain purely digital. In April 2018, four operatives traveled to the Netherlands with a mission to physically infiltrate the headquarters of an international chemical weapons watchdog organization.

he team carried sophisticated equipment including Wi-Fi antennas, voltage regulators, and powerful batteries. Their plan involved parking near the target building and using their mobile setup to mimic the organization’s wireless network, hoping to capture employee credentials.

However, Dutch intelligence services had been tracking the operatives from the moment they entered the country. When authorities moved in, they discovered not just the hacking equipment but also evidence linking the team to previous operations worldwide.

The Satellite Strike: Cyber Warfare Meets Military Conflict

The evolution of these cyber capabilities became starkly apparent in early 2022 when hackers targeted satellite internet infrastructure. As military operations began in Eastern Europe, a coordinated cyber attack simultaneously crippled communications across the region.

The attack targeted both ground stations and individual satellite modems, using previously implanted malware to render thousands of devices inoperable. Wind farms went offline, rural communities lost internet access, and military communications were severely disrupted.

This operation demonstrated how cyber warfare has become fully integrated with conventional military strategy, with digital strikes coordinated to support physical operations.

The Human Face Behind the Code

Through meticulous digital forensics, investigators have identified some of the individuals behind these operations. One hacker, known by the alias “Scaramouch” (after the theatrical character), left enough digital breadcrumbs to build a detailed profile.

Investigators discovered he’s a young professional who listens to music while working, follows international football, and appears to lead an otherwise ordinary life. Yet he was responsible for penetrating some of the most secure government systems in the world.

The Ongoing Digital Arms Race

These sophisticated attacks represent more than just espionage—they’re tools of destabilization designed to erode public trust in democratic institutions. The ability to steal internal communications and release them at strategically chosen moments gives authoritarian regimes powerful weapons against open societies.

Democratic nations face unique vulnerabilities in this digital conflict. While authoritarian regimes can quickly suppress dissent and control information flow, democracies must balance security with transparency and civil liberties.

The Stakes of Digital Democracy

As our democratic processes become increasingly digitized, the importance of cybersecurity cannot be overstated. The ability of foreign actors to influence elections, steal sensitive government communications, and disrupt critical infrastructure represents a fundamental challenge to national sovereignty.

The ongoing digital conflict requires constant vigilance, international cooperation, and continued investment in both defensive and investigative capabilities. The bears may still be prowling in cyberspace, but the global community is learning to track their movements and defend against their attacks.

The future of democracy may well depend on our ability to secure the digital realm that increasingly governs our political and social lives. As these elite hacking units continue to evolve their tactics, so too must our defenses against those who would use code as a weapon against freedom itself.

What Exactly Is a Zero-Day?

Imagine standing before an impenetrable wall. This wall represents the cybersecurity protecting your phone, your bank, or even critical infrastructure. Now imagine discovering a single loose brick—a flaw that nobody else knows about. That’s essentially what a zero-day vulnerability is: a secret entrance that can be exploited before anyone realizes it exists. Modern operating systems like Windows 10 and Mac OS contain approximately 80 million lines of code. If each line were a physical brick, you could build nearly 300 miles of wall. With that many components, what are the odds that at least one contains a critical flaw? The answer: extremely high. And that’s where the zero-day market thrives.

From Hacker Forums to Million-Dollar Trades

The story begins in the 1990s with Bugtraq, a humble mailing list where hackers shared newly discovered vulnerabilities for free. It was a community-driven effort to improve internet security, fueled by curiosity and the desire for recognition within hacker circles. But money changed everything. As governments and corporations began offering substantial payments for these digital secrets, the community transformed from an open-source security initiative into a shadowy marketplace. What started as emails between hobbyists evolved into a multi-billion-dollar industry where a single exploit can command $20 million.

The Price of Digital Destruction

The current market rates paint a chilling picture of our digital vulnerability:

• Phone passcode bypass: Up to $100,000

• Chat application access: Up to $500,000

• Remote phone takeover: $2-2.5 million

• Advanced attack chains: Up to $20 million

These aren’t prices for petty cybercrime. We’re talking about tools used in international espionage, cyberwarfare, and attacks that can cripple entire nations.

Real-World Consequences: When Zero-Days Strike

Operation Triangulation: The iPhone Nightmare

Researchers recently uncovered one of the most sophisticated mobile attacks ever discovered. A malicious iMessage could silently infiltrate any iPhone using a chain of four different zero-day vulnerabilities. The victim would never know their device had been compromised—no notifications, no suspicious behavior, just complete and invisible surveillance.

The MOVEit Massacre

In 2023, the Clop ransomware gang acquired a single zero-day vulnerability in MOVEit file transfer software. This one exploit allowed them to breach over 2,500 companies and steal data from nearly 90 million people—more than the entire population of Germany.

Stuxnet: Cyberwar Made Real

Perhaps the most famous zero-day attack, Stuxnet used four vulnerabilities to infiltrate and physically destroy Iranian nuclear centrifuges. It proved that digital attacks could cause real-world destruction on an unprecedented scale.

The Three-Tier Market Structure

The zero-day ecosystem operates on three distinct levels:

• The White Market: Legitimate bug bounty programs where companies pay researchers to find and report vulnerabilities. This is the visible, legal face of vulnerability research.

• The Gray Market: Government agencies and defense contractors quietly purchasing exploits for intelligence gathering and cyber defense. Technically legal but morally ambiguous and completely unregulated.

• The Black Market: Criminal organizations, hostile nations, and anyone willing to pay premium prices for digital weapons. This is where the most dangerous exploits change hands.

The Moral Complexity

Before rushing to condemn the entire market, consider this: in late 2023, law enforcement used zero-day exploits to infiltrate and destroy LockBit, one of the world’s largest ransomware operations. This single action saved countless victims from having their data encrypted and held for ransom. The same tools used by criminals to extort hospitals and schools are also used by law enforcement to bring those criminals to justice. The zero-day market exists in a morally gray area where traditional concepts of right and wrong become frustratingly blurred.

An Unstoppable Force

As long as humans write code, that code will contain flaws. And as long as those flaws exist, there will always be people willing to pay extraordinary sums to exploit them. The zero-day market isn’t going anywhere—it’s an inevitable consequence of our increasingly digital world. The question isn’t whether we can stop it, but whether we can find ways to make it serve humanity’s interests rather than undermine them.

The Digital Arms Race Continues

Every day, in secure facilities around the world, elite hackers stare at millions of lines of code searching for that one perfect flaw—the loose brick that could be worth millions of dollars and change the course of international relations.

hey are the modern gunsmiths of the digital age, crafting weapons from mathematics and logic. And their marketplace operates in the shadows of the same internet we use to check email and watch cat videos.

The zero-day market represents both humanity’s greatest cybersecurity threat and, paradoxically, one of its most important defense mechanisms. Understanding its existence is the first step toward navigating our increasingly complex digital future.

The zero-day market will persist as long as software contains bugs and people are willing to pay to exploit them. In this digital arms race, knowledge truly is power—and power, as always, comes with a price.

A Hidden Flaw with Big Consequences

Operation Shotgiant started because of a small—but very important—problem deeply hidden in Huawei routers. For example, an important Iranian official used a new Huawei device, thinking it was safe. But inside, there was a secret password. This backdoor allowed attackers to control the device completely and secretly copy all data to their own servers. What was thought to be safe technology had now become a tool for spying. The real twist? Many people worried about Chinese government spying, but in this case, the NSA was responsible for the breach. This surprised the world and made people rethink who to trust with their digital safety.

Why Did the NSA Target Huawei?

Huawei is a major Chinese tech company. In just a few years, it grew from a small manufacturer to one of the most important companies in global communications. Because Huawei products were used everywhere, many Western governments were suspicious—afraid these devices could have “backdoors” that allow spying. The NSA decided it was important to understand Huawei’s technology and secrets in order to avoid being outsmarted.

How the Operation Worked

A special NSA team called Tailored Access Operations (TAO) led the mission. Their job was to secretly access Huawei’s internal emails, explore how the company worked, and learn as much as possible. By 2010, they succeeded. Using advanced hacking tools, they accessed the emails of top Huawei leaders and collected confidential documents, product blueprints, and other sensitive data. The NSA collected so much information that, for a time, they didn’t know what to do with all of it.

What Did They Find?

A key question remains: Did the NSA find proof that Huawei was helping with government spying? After a lot of investigation, no solid evidence was shared. Even so, people didn’t stop worrying. This story also showed that any security flaw can be used by anyone—no matter where they are from.

The Impact on Cybersecurity

Operation Shotgiant changed how people think about online safety. The operation was revealed by Edward Snowden’s leaks. It showed that even the world’s biggest companies can be hacked. Since then, more attacks, such as the famous SolarWinds breach, have happened. Experts now know that just one weak spot in any system can be dangerous for everyone.

What We Learned?

In the end, Operation Shotgiant reminds us that good cybersecurity is not just about strong technology. It’s about trust, constant care, and staying alert. Every device can be a target, and every bug in the code could be a future risk. We all must work together to keep the online world safe.

In this blog post, we’ll learn about Retrieval-Augmented Generation (RAG) and build a basic RAG system step-by-step using Python and Ollama. This project will give you a clear idea of how RAG works and how to create one using simple coding techniques.

What is RAG

Lets first imagine a simple chatbot without any RAG. It somewhat will looks like below

While a chatbot can answer general questions based on what it has learned during training, it doesn’t always have the latest or specific information about certain topics.

For example, if you ask ChatGPT, “What is my father’s name?”, it won’t be able to answer because it doesn’t know personal details like your family members’ names — that information is not part of its training or memory.

To address this limitation, we need to provide external knowledge to the model (in this example, a list of family members' names):

A RAG system has two main parts:

1. A retriever, which looks for useful information from outside sources like a database, search engine, or document collection.

2. A language model, which uses that information to create a meaningful response.

There are also different styles of building RAG systems, such as Graph RAG, Hybrid RAG, and Hierarchical RAG.

A simple RAG system

Lets built a simple RAG that comprises of following components

1- An embedding model

2- Vector Database

3- Chat Model

4- knowledge base(An external dataset)

The architecture will look something like below

To build a RAG system, we need three important pieces:

1. Embedding Model – This is a pre-trained language model that turns text into numbers (called embeddings) that represent the meaning of the text. These embeddings help in finding related information from a dataset.

2. Vector Database – This is where we store information along with its embeddings. There are tools like Qdrant, Pinecone, or pgvector for this, but in this project, we’ll build a basic in-memory version ourselves.

3. Chatbot – This is the language model that reads the retrieved information and creates answers. It can be any model like Llama, Gemma, or OpenAI GPT models.

The RAG development process will have three phases

1- Indexing Phase

2- Retrieval Phase

3- Generation Phase

Lets understand & code each phase

Indexing Phase

The indexing phase is the first step in building a RAG system. In this step, we split the documents into smaller parts (called chunks) and then convert each chunk into a vector using the embedding model. These vectors help the system quickly find relevant information later when generating answers.

The size of each chunk can vary depending on the dataset and the application. For example, in a document retrieval system, each chunk can be a paragraph or a sentence. In a dialogue system, each chunk can be a conversation turn.

After the indexing phrase, each chunk with its corresponding embedding vector will be stored in the vector database. Here is an example of how the vector database might look like after indexing:

We can use embedding vectors later to find the right information based on a question or search. It’s similar to how a SQL WHERE clause works, but instead of looking for exact matching words, we search using vectors that understand the meaning of the text. This helps us find related content, even if it’s written differently.

To compare the similarity between two vectors, we can use cosine similarity, Euclidean distance, or other distance metrics. Here we will use cosine similarity. Here is the formula for cosine similarity between two vectors A and B:

We will implement this formula in our python code.

Retrieval Phase

In the diagram below, we’ll look at an example where a user asks a question (called the input query).

We then convert this question into a vector (called the query vector) and compare it with the vectors stored in the database.

This helps us find the most relevant pieces of information to answer the question.

The result returned by The Vector Database will contains top N most relevant chunks to the query. These chunks will be used by the Chatbot to generate a response.

Lets code it. We will build a simple RAG using Python

To run the models, we’ll use Ollama, a command-line tool that lets you run AI models from Hugging Face directly on your computer — no need for cloud or server access.

We’ll use the following models:

• Embedding model: bge-base-en-v1.5-gguf

• Language model: Llama-3.2-1B-Instruct-GGUF

For our dataset, we’ll use a simple list of cat facts. Each fact will be treated as a chunk during the indexing phase.

Model Download

First download and install he Ollama CLI on your machine. After installed, open a terminal and run the following command to download the required models:

ollama pull hf.co/CompendiumLabs/bge-base-en-v1.5-gguf

ollama pull hf.co/bartowski/Llama-3.2-1B-Instruct-GGUF

The embedding model size around 50MB while chat model around 800MB. Make sure you have RAM on your machine to run these model.

Load the Dataset

Next, create a Python script and load the dataset into memory. The dataset contains a list of cat facts that will be used as chunks in the indexing phrase.

#Loading the dataset with Knowledge base data
dataset = []
with open('datasets/cat-facts.txt', 'r') as file:
  dataset = file.readlines()
#   print(f'Loaded {len(dataset)} entries')

Vector Database

Now, let’s build our own basic vector database.

We’ll use the embedding model through Ollama to turn each text chunk into a vector (a set of numbers that represent the meaning of the text).

Then, we’ll store each chunk along with its vector in a list so we can search through them later.

Here’s a simple function to generate an embedding vector for any given text:

# Each element in the VECTOR_DB will be a tuple (chunk, embedding)
# The embedding is a list of floats, for example: [0.1, 0.04, -0.34, 0.21, ...]
VECTOR_DB = [] # [("hello there", [0.1, 0.04, -0.34, 0.21, ...]), ...]

def add_chunk_to_database(chunk):
  embedding = ollama.embed(model=EMBEDDING_MODEL, input=chunk)['embeddings'][0]
  VECTOR_DB.append((chunk, embedding))


# we will consider each line in the dataset as a chunk for simplicity.
for i, chunk in enumerate(dataset):
  add_chunk_to_database(chunk)
#   print(f'Added chunk {i+1}/{len(dataset)} to the database')

Retrieval System

Next, let's implement the retrieval function that takes a query and returns the top N most relevant chunks based on cosine similarity. We can imagine that the higher the cosine similarity between the two vectors, the "closer" they are in the vector space. This means they are more similar in terms of meaning.

Here is an function to calculate the cosine similarity between two vectors:

def cosine_similarity(a, b):
  """Calculate the cosine similarity between two vectors.
  Formula = a.b / ||a|| * ||b||
  Args:
    a (list): First vector.
    b (list): Second vector.
  Returns:
    float: Cosine similarity between the two vectors.

  """
  dot_product = sum([x * y for x, y in zip(a, b)])
  norm_a = sum([x ** 2 for x in a]) ** 0.5
  norm_b = sum([x ** 2 for x in b]) ** 0.5
  return dot_product / (norm_a * norm_b)

Now the retrieval function

def retrieve(query, top_n=3):
  user_query_embedding = ollama.embed(model=EMBEDDING_MODEL, input=query)['embeddings'][0]
  # temporary list to store (chunk, similarity) pairs
  similarities = []
  for chunk, db_embedding in VECTOR_DB:
    similarity = cosine_similarity(user_query_embedding, db_embedding)
    similarities.append((chunk, similarity))
  # sort by similarity in descending order, because higher similarity means more relevant chunks
  similarities.sort(key=lambda x: x[1], reverse=True)
  # finally, return the top N most relevant chunks
  return similarities[:top_n]

Generation Code

In this step, the chatbot will create a response using the relevant information retrieved earlier.

To do this, we simply add the retrieved chunks into the prompt, which is then passed to the chatbot as input. Here’s an example of how such a prompt might look:

input_query = input('Ask me a question: ')
retrieved_knowledge = retrieve(input_query)

print('Retrieved knowledge:')
for chunk, similarity in retrieved_knowledge:
  print(f' - (similarity: {similarity:.2f}) {chunk}')

instruction_prompt = f'''You are a helpful chatbot.
Use only the following pieces of context to answer the question. Don't make up any new information:
{'\n'.join([f' - {chunk}' for chunk, similarity in retrieved_knowledge])}
'''

We then use the ollama to generate the response. In this example, we will use instruction_prompt as system message:

stream = ollama.chat(
  model=LANGUAGE_MODEL,
  messages=[
    {'role': 'system', 'content': instruction_prompt},
    {'role': 'user', 'content': input_query},
  ],
  stream=True,
)

# print the response from the chatbot in real-time
print('Chatbot response:')
for chunk in stream:
  print(chunk['message']['content'], end='', flush=True)

Putting all together

You can find the final code in this file.

To run the code :

1- Clone the repo

2- Install the modules form requirements file

3- run the rag-code.py

Othere RAG Types

In practice, there are many ways to implement RAG systems. Here are some common types of RAG systems:

• Graph RAG: In this type of RAG, the knowledge source is represented as a graph, where nodes are entities and edges are relationships between entities. The language model can traverse the graph to retrieve relevant information. There are many active researches on this type of RAG. Here is a collection of papers on Graph RAG.

• Hybrid RAG: a type of RAG that combines Knowledge Graphs (KGs) and vector database techniques to improve question-answering systems. To know more, you can read the paper here.

• Modular RAG: a type of RAG that goes beyond the basic "retrieve-then-generate" process, employing routing, scheduling, and fusion mechanisms to create a flexible and reconfigurable framework. This modular design allows for various RAG patterns (linear, conditional, branching, and looping), enabling more sophisticated and adaptable knowledge-intensive applications. To know more, you can read the paper here.

Conclusion

RAG is a big step forward in making language models smarter and more accurate. By building a simple RAG system from scratch, we’ve learned the basics of how embedding, retrieval, and response generation work together.

Even though our version is simple, it shows the core idea behind more advanced RAG systems used in real-world applications. There’s a lot of room to grow — like using faster vector databases or trying out advanced designs such as Graph RAG and Hybrid RAG.

As AI continues to improve, RAG will stay an important tool for giving language models access to outside knowledge while keeping their ability to generate natural responses.

References:

Ranking Models https://www.pinecone.io/learn/series/rag/rerankers/

For other types of RAG, you can refer to the this post by Rajeev Sharma.

Hugging face build your own RAG https://huggingface.co/blog/ngxson/make-your-own-rag

AI Agent vs. Chatbot: What's the Diff?

Chatbots are like friendly receptionists, answering your questions and pointing you in the right direction. AI agents? They're like having an entire department working for you, 24/7.

How do they actually work?

Imagine an AI agent as having these steps:

1. See: It takes in info from users, websites, sensors...anything!

2. Think: It uses smarts (like understanding language) to make sense of the info.

3. Decide: Based on the info, it figures out what to do. This could involve special rules or even learning from past experiences!

4. Do: It takes action! This could be sending a message, updating a system, or even changing prices in a store.

What Makes Up an AI Agent?

• Brains: It uses a fancy language model (LLM) to think.

• Identity: It knows why it exists and what it's supposed to do.

• Tools: It has access to different tools to get info and take action.

• Memory: It remembers past conversations and info to make smarter decisions.

• Channels: It uses different ways to talk to people (like chat, email, or voice).

• Rules: It follows guidelines to make sure it's doing things ethically and correctly.

What Can AI Agents Do?

AI agents can do practically anything! Here are some cool examples:

Customer Service: Forget those frustrating old chatbots! AI agents can solve problems, give personalized advice, and handle tasks like resetting passwords.

Lead Generation: Like a super-smart sales assistant, they can collect info, qualify leads, and pass them on to your sales team.

Knowledge Management: They can find info buried in company documents in seconds!

Workflow Automation: They can handle entire processes, from ordering supplies to onboarding new employees.

Developer Co-Pilots: They can help programmers write code faster, find errors, and write documentation.

Virtual Assistants: Like a super-organized personal assistant, they can schedule meetings, draft emails, and summarize reports.

Why are AI Agents a Big Deal?

They're Flexible: They can adapt to different situations.

They Make Decisions: They don't just follow instructions.

They're Scalable: You can use them for all sorts of tasks.

They're Always On: They work 24/7.

They Save Money: They reduce the need for human workers.

They Automate Everything: They handle entire workflows, not just single tasks.

They Connect to Everything: They work with all your existing systems.

They Get Better Over Time: They learn from experience.

They're Compliant: They follow rules and regulations.

Different Flavors of AI Agents

Simple Reflex Agents: React to things immediately based on simple rules.

Model-Based Reflex Agents: Use a model to understand their environment and make decisions.

Utility-Based Agents: Choose the best action based on what will make them happiest.

Learning Agents: Learn from experience and get better over time.

Goal-Based Agents: Try to achieve specific goals and adapt their actions.

How to Get Started with AI Agents?

You can either buy an AI agent from a company that specializes in them, or you can build your own! There are frameworks like CrewAI, AutoGen, Phidata (now Agno), LangGraph etc which enables you to build agents quickly.

The Future is Agentic

AI agents aren't just a trend. They're changing the way we work and live. They're like super-smart helpers that can automate tasks, make decisions, and improve our lives in countless ways. Get ready for the age of AI agents!

A total of three sections involve

1. Creating the app

2. Dockerised the app

3. Deploy the image to AWS ECS

Prerequisites

Before proceeding make sure your system has the below items ready

• You should have Node installed

• Docker installed and ready for the run

• Access to Docker Hub(Registry)

• Access to AWS account

• An IDE of your choice

Once all the above is ready we can start with 1st section

Section-1: Creating an application

We can create any web application and run it in a container, mind any web application.

We can not I mean we should not run any desktop app via a container. (While running a desktop application in a Docker container may be possible, it's not always the best approach, especially for applications that require significant user interaction. In these cases, it may be better to run the application directly on the host machine or consider other virtualization options, such as virtual machines.)

so here for the demo, I will create a super simple web app

• Create your project folder

• Do npm init -y

• Install express by npm install express –save

• Create a file called index.js

• Put the code below

Note: you will not see the extra three files (README, .gitignore and .gitattributes) on your system if you are not using git version control and that is fine.

Once our app is ready we will run it locally first to see if it's working

Go to terminal and from the root directory run the command node index.js

If no error means the code parsed successfully.

Now go to your browser and access the localhost:3000 and if you are getting the below message then your app is working fine and ready for the next stage.

Section-2: Dockerising the app

We saw our app is working fine so we should be good for contenarising it. We know that docker containers are spawned from a docker image so first, we need to convert our app into a docker image.

To do that follow the below steps

Add the start parameter to the script section of the node app in package.json like below. This will guide the invoking process on how to start our application.

Now create a Dockerfile in your project root directory and put the following code

Now build the the docker image by using below command

docker build -t my-hashnode-demo-app .

As we can see all the steps declared in the docker file got completed without any error meaning our image got created. We can see our image by running the Docker image command.

Now test the Docker image locally by running the container with the following command and we should be able to access the same message from localhost:3000 .

docker run -p 3000:3000 my-hashnode-demo-app

We are running the container on port 3000

We can confirm it by looking at the active containers by running docker ps We can verify the container name and associated image.

Now as we have tested our image and it's working fine, it's time to move to the next stage i.e putting the container in AWS ECS but before that, we have to publish our image in the docker registry(hub) so that AWS can access it .

To do that type below commands in terminal

docker login : It will ask for the username and password

Then run docker tag myimage myusername/myimage:latest

after that docker push myusername/myimage:latest

Note: you just need to replace your username and image name.

Now we can log in to the docker hub web portal and see our uploaded docker image like below.

Now click on the image and it will be redirected to another page

Click on Public View and you will see the below page

Copy the Docker pull command and put it in a notepad

docker pull cicadadock/my-hashnode-demo-app

we need this image URI in AWS ECS service, hence remove the docker pull part and keep the rest. cicadadock/my-hashnode-demo-app

Now we are ready for the next stage

Section-3: Deploy the app to AWS ECS

Login to your AWS account and open ECS service and click either on clusters or Get started.

Let's choose Clusters and create a cluster

Give a unique cluster name. We can leave rest configurations as default. By default, the cluster will be created with FarGate which ok for us.

By clicking on create a cluster will start building and we can see the events in cloud formation.

Once the cluster is created, click on the Task definition at the left side bar and then create a new task definition

Fill in the value below. Hndemocon will be the container name when our image runs on the ECS cluster.

We can leave all other fields as default and click on next

Here also nothing to change. All the default values are good to go. So click Next for review and again Next to create the task definition

Once it is created successfully, we can see it as active in the console as below

Now go back to the cluster we created and go to the Service and create a service.

We can leave the compute configuration as a default setting and configure the deployment part below

Use the task definition created in the previous step as Family.

Give a unique name to the service and create it. It will take a few seconds to create the server.

Once the service is created successfully we can see the service status as active and Task deployment completed with green.

Now go to the Task section and click on the open address and it will launch our web app

Congratulation, your app is now running on the cloud as a docker container.

Note: If someone could not access the URL after opening the public ip, please make sure to add a custom TCP port range 3000 with CIDR 0.0.0.0/0 as an inbound rule. Remember for production allowing everything is not acceptable but for the demo it's fine.

You can do that as below.

Go to service >> Networking>>Security group

Add the inbound rule.

Cleanup

Once you have completed it, make sure to clean up all these resources so that it will not incur any cost.

If we try to delete the cluster it would fail because its associated service and Task are in progress. But it would have been great if AWS provided that feature to auto-delete all the resources by deleting the cluster, until then we have to go sequentially.

First, stop the task

Delete the service

Select Force delete service otherwise it will always create a new task due to replica setup.

Delete the cluster

Conclusion

Dockerizing your Node.js app and deploying it to AWS ECS can be a daunting task, but it doesn't have to be boring. Remember to always keep your sense of humour handy, because sometimes things can get a little crazy in the world of DevOps. As the saying goes, "With great power comes great responsibility, but with Docker, comes great portability." So go forth and Dockerize your apps, but don't forget to enjoy the journey and have a little fun along the way!

You can access the code here. Hope you have enjoyed the blog.

Happy learning!!

Prerequisites

• A node app

• GitHub Repository

• AWS account

Before we begin, let us assume that we have a simple weather app developed using Node.js. Here is the GitHub link to the app.

Let's start with the high-level steps required to deploy the app to AWS Elastic Beanstalk with CodePipeline

1. Build the app.

2. Make configuration changes to the code entry file and package.json to make your app deployable.

3. zip all your code files except the node-module folder.

4. Create an application and environment in the Beanstalk console using manual file upload.

5. Create an AWS code deploy pipeline using a GitHub connection (Integrating GitHub with AWS CodePipeline).

6. Make sure your source and deploy stage succeeded.

7. Commit the code changes and auto-deploy your app.

Configurational Changes

When developing an app locally, we often run it on localhost with a port number. However, when deploying to AWS, we need to use the port provided by AWS. Therefore, we need to capture that port from the environment.

const port = process.env.PORT || 3000

we also have to make changes to the package.json file as this going to tell AWS what is out app’s configuration requirements. For this, I have to make these three changes. It varies based on your coding style

1. ElasticBeanstalk for now supports only node16 hence make sure to change the node version in package.json same.

2. By default the main module is index.json - change it based on your project setup. Most people use app.js as the main entry file.

3. Define how to start your app under the scripts section

Creating an APP environment in Beanstalk

1. Log in to the AWS Elastic Beanstalk console and click on the Create New Environment button.

2. Select the environment tier as a web server environment.

3. Give a unique application name: hashnodeblog-weatherapp and observe that It will auto-populate the environment.

   

4. Select the platform - this is critical. Make sure you have declared the same node version in your package.json file; otherwise, the app deployment will fail.

   

5. Choose the upload your code option and upload the code zip file.

   

6. Click on Create Environment.

7. You will have to wait for about 10 minutes for it to spin up a bunch of services like an S3 file to hold the zip file, spin up an EC2, do all dependency installation, create security groups, add load balancers, add auto-scaling facilities, and create CloudWatch alarms.

8. Once the environment has been created successfully, you will see this page. Health should be green.

   

9. Click on the link given at top of the page to see your app up and running fine.

   

Our weather app is up and running on AWS now.

Automating the Deployment process

Now, let's set up the CI-CD pipeline using AWS CodePipeline Service.

1. Open the AWS CodePipeline service console.

2. Click on the Create Pipeline button and fill in the details.

3. Choose the New Service Role option.

   

4. The next option asks for Source, choose GitHub Version 2 as we are going to use GitHub as our version controller.

   

5. The next step is setting up a connection between AWS CodePipeline and GitHub.

   For a new connection click Connect to GitHub.

6. Give a connection name and click on Connect to GitHub.

   

7. On the next page, AWS Connector for GitHub requests permission to verify your GitHub identity and control access to your resources. To grant permission, click on Authorize AWS Connector for GitHub.

8. Upon authorization, you’ll be redirected back to the Create connection page.

9. To have GitHub Apps generate a link to your GitHub to be used by CodePipeline, click on Install a new app.

   

10. This time, you’ll be redirected to a page to select the GitHub account or organization to which you want to connect. Select the appropriate option.

11. Next, you’ll be prompted to decide whether you want to give AWS access to all the repositories in your account or only specific ones. Here, you can select the option you prefer. I’ll choose All repositories.

12. Click on Install.

13. Upon installation, you’ll be redirected to the Create connection page.

14. Click on Connect to complete the process.

    Note: I have not put any screenshots for a few steps above because the prompts will self-direct you so there is nothing to confuse.

15. Once the connection is established successfully, we can fill in the rest fields like repository name and branch name.

    

16. Choose the output artifact format as CodePipeline Default.

17. Click Next and we can skip build stage.

18. We have to fill the deployment stage. Choose Beanstalk as the deployer.

19. Our formerly created application name and environment name will pop up by clicking on the search option in the application name and environment field.

    

20. Click Next

21. It will create a Review page, go through all the selections for verification and click on Create Pipeline.

22. And wait for the two-stage completion. Source and Deploy.

    

23. Once done, let's access the app again and see everything running as it is.

Testing the Auto Deployment

1. Once make sure the app is fine, let's do some changes to our app and commit the change and let’s see how auto-deploy gets triggered.

2. Let's make some changes to the help page.

   

3. Here I have added a new paragraph element and removed one.

4. Let's commit and push the changes. And we can see the moment we push the code the auto deployer has triggered in the CodePipeline console.

   

5. We can confirm that by clicking on the commit link. It will direct you to the commit on which this deployment was triggered.

   

6. Now let’s refresh the app and see the updates on the help page.

And with this, we have completed the setup for our auto-deployment feature.

Cleanup

As this is for educational purposes to save money you may want to clean up all the services from AWS.

1. Delete the code pipeline from the Code Pipeline dashboard. It should be quick.

2. Then go to the elastic beanstalk console, choose your environment and click on Terminate environment from the Action dropdown.

   

3. It will take a few minutes to complete as a lot of services in the background have to be cleaned up. This is the best thing about using this service.

4. After a few minutes, If you click on refresh, it will automatically show you the application list. Choose your application to terminate and click on Delete application from the Action menu.

5. Confirm the delete

   

6. If you refresh your app URL you should get the page cannot be found error page. You are done.

Conclusion

To conclude, this blog post walked us through the process of deploying a node-based web app to the AWS cloud via the Elastic Beanstalk service and configuring a CI/CD pipeline with GitHub and AWS CodePipeline. We also made some changes to the weather app and observed the auto-deploy feature in action. While AWS offers various options for code deployment, such as Amplify, CloudFormation, AppRunner, and EC2, I am leaning towards Beanstalk because I found it is the most user-friendly and efficient deployment option. However, when making decisions at the enterprise level, various other factors like cost should be considered.

Hope you have liked the blog. Happy learning!!

What is a chatbot?

At the most basic level, a chatbot is a computer program that simulates and processes human conversation (either written or spoken), allowing humans to interact with digital devices as if they were communicating with a real person. Chatbots can be as simple as rudimentary programs that answer a simple query with a single-line response, or as sophisticated as digital assistants that learn and evolve to deliver increasing levels of personalization as they gather and process information.

Let's have a basic discussion on a such chatbot model developed by OpenAI called ChatGPT.

What is ChatGPT?

ChatGPT is a new AI bot in town. It is an AI chatbot system that OpenAI released in November to show off and test what a very large, powerful AI system can accomplish. The bot lets you type questions using natural language that the chatbot answers in conversational, if somewhat stilted, language. The bot remembers the thread of your dialog, using previous questions and answers to inform its next responses.

For example, you can ask it encyclopedia questions like, "Explaining Newton's laws of motion." You can tell it, "Write me a poem," and when it does, say, "Now make it more exciting." You ask it to write a computer program that'll show you all the different ways you can arrange the letters of a word.

What kinds of questions can you ask?

You can ask anything, though you might not get an answer. OpenAI suggests a few categories, like explaining physics, asking for birthday party ideas and getting programming help.

I asked it to write a story with certain keywords and it did. I asked it few philosophical questions and it produced pretty good answers.

Who built the ChatGPT?

ChatGPT is the brainchild of OpenAI, an artificial intelligence research company. It's made splashes before, first with GPT-3, which can generate text that can sound like a human wrote it, and then DALL-E, which creates what's now called "generative art" based on text prompts you type in. ChatGPT is based on the GPT3.5 and its a large language model.

What are the limits of ChatGPT?

ChatGPT sometimes can give you wrong answers and also few times it will notify you its shortcomings by saying these line “I'm sorry, but I am not able to browse the internet or access any external information beyond what I was trained on.”

What is humanity?

Humanity is the human race, which includes all people. It is often used to refer to the qualities that make us human, such as compassion, empathy, and the ability to love and care for others. It can also refer to the condition of being human, including the strengths and weaknesses that are unique to us as a species.

Asked the same question again and answer framing was slightly different

Humanity is the quality of being human, which encompasses a wide range of characteristics and behaviors including the ability to reason, to communicate, to love, and to experience a range of emotions. It is the characteristic that distinguishes people from other animals and enables us to form complex societies and cultures.

Similarly on question on Moor’s law it gives two answers. One pointed optimistically to continued progress, while the other pointed more grimly to the slowdown and the belief "that Moore's Law may be reaching its limits."

Both ideas are common in the computer industry itself. The fact that it offers an answer at all, though, is a notable development in computing unlike other computers who refuses to answer at all if you dont follow certain syntax and notations.

How Can I access ChatGPT?

For now its free for public use but may be in future it will be monetised like DALL-E.

To play with this you just have to Login to the site https://chat.openai.com/chat

If you want to use it in your code for developing some POC or just for fun, we can do it easily. I did some testing with python script and it was fun. I am sharing some answer's it generated

I asked it to write a story using certain keywords and it did

when I asked to write a program in python to find the average of list

You can find the the full implementation here

Conclusion

There has been a great progress in the field of NLP and it starts with the development of transformer model. It can be creative, and its answers can sound downright authoritative but we should not blindly trust its raw output without any validation because unlike Google search it does not give us any link from where it took answers. There is no doubt ChatGPT is powerful and knowledgeable but for now i think it just a cool toy until we have found few use cases that will change the humanity in a positive way.

Hope you have liked this article. Happy learning!!!