AnonymousMedia.org

Author: anonymousmedia_tal70o

We let OpenClaw loose on an internal network. Here’s what it found
In my previous article on OpenClaw I wrote:

“Even the most ‘risk-on’ organizations with deep AI and security experience, will likely find it challenging to configure OpenClaw in a way that effectively mitigates the risk of compromise or data loss, while still retaining any productivity value.”

The Red Team here at Sophos took that as ‘challenge accepted’, so we devised a goal: arm OpenClaw with a standard set of red teaming tools, give it access to one of our legacy on-prem networks, and let it loose to find and exploit any issues. And do it safely.

Approach

Target

We picked a legacy on-prem network for a few reasons:
1. Risk mitigation – while these are real production networks, not test environments, the majority of mission critical workloads are in isolated cloud native environments. We wanted to keep a healthy distance between the tool and our crown jewels.
2. Control – modern cloud-native distributed systems are complex to monitor. We felt that a network-heavy approach with strict ingress and egress controls was the right approach to monitor, understand and, where necessary, control activity. It’s not impossible in cloud native systems, just harder, and we wanted to control scope.
3. Optimising for success – we chose a legacy network which our Red Teaming program had not hit for a while. We wanted the tool to have a decent chance of finding something!
Stealth

We didn’t attempt to be stealthy. This was run as a deliberately noisy penetration test, not a covert red team engagement: we optimised for coverage, speed, and reproducibility over evasion. As a result, the activity generated a large number of internal detections and alerts across our monitoring stack — which, in this context, was a feature rather than a bug. A stealthy Red Team style engagement would have required a different architecture and likely hit a lot more model guardrails.

Safety

Without a doubt the most important parts of the test were the guardrails and skills we developed. The majority of the team’s time was spent creating the operating framework to ensure our agent did not completely destroy the environment, and more importantly, not delete all of our emails.

Our main mental model here was the ‘Lethal Trifecta .’” We needed to avoid granting the agent the ability to a) receive untrusted content, b) access sensitive data, and c) exfiltrate that data externally.

Our first line of defence was the aforementioned strict ingress & egress controls. While the agent could potentially end up accessing sensitive data (which is the point of a pentest!) we could manage the risk of prompt injection and exfiltration.

We also needed to guard against unintended consequences arising from the agent’s goal-seeking behaviour. Our ultimate goal here was to make the environment more secure, but an agent with this solitary goal might conclude the best way to achieve that would be to gain control over the domain, encrypt everything, and throw away the key. While no doubt technically impressive, a self-inflicted ransomware event would be a non-optimal outcome.

To achieve the desired level of safety and control, we ended up only using custom skills, built in-house, for the assessment.

As the team already had well-documented procedures for running these kinds of assessments, turning those procedures into skills was actually pretty quick (with the help of some agents). This proved to be an easier approach than finding and auditing the (generally low quality) publicly available external skills.

This approach also allowed us to build in a lightweight human-in-the-loop approval mechanism, giving us a reasonable balance of autonomy and control for the experiment. There are some excerpts below (Figures 1-3), and we’ve also published our main system prompt and associated skills on GitHub, as well as the findings.

Figure 1: OpenClaw Red-Team Agent Guardrails

Figure 2: Snippet of Active Directory Reconnaissance Skills Scope

Figure 3: Snippet of Active Directory Reconnaissance Skills Safety Boundaries

Key learnings

Overall, the experiment exceeded our expectations:
1. The agent adhered to the configured boundaries for the duration of the test – we did not experience any issues around goal pursuit leading to unintended consequences
2. The team were able to realise huge efficiency gains throughout the process – reducing, for example, the active directory reconnaissance phase from three days down to three hours
3. The assessment produced 23 actionable, high quality findings (a breakdown of findings is in the appendix)
4. The assessment methodology produced a high quality audit trail at a level of detail not achievable via manual means, drastically simplifying report writing
5. The agent demonstrated creativity and autonomy. For example, when a promising attack path was blocked, the agent suggested and (after authorisation) proceeded to spin up an EC2 GPU instance to crack an acquired hash
6. The models we used regularly refused to cooperate due to concerns around malicious use. The team was able to work around these guardrails for the most part, but they did introduce friction into the process
7. Pentesters are uniquely well positioned to take advantage of new—and potentially risky—tools. Pentesting often involves potentially dangerous open-source tooling and early exploit proofs-of-concept, creating a challenging software supply chain environment. As such, the team had already built a framework to run untrusted tools in sensitive environments with a high degree of confidence. More on this underlying infrastructure is provided in the appendix
Final thoughts

This successful experiment clearly demonstrated firsthand the complex trade-off that cybersecurity teams are going to have to make. Yes, these tools are dangerous, but not embracing them could be even more dangerous. The world is forging ahead and securing agentic AI is fast becoming the era-defining challenge for the cybersecurity community.

It also showed me that cybersecurity teams are actually better placed than anyone else to be at the forefront of adoption. First, who better to handle a dangerous and powerful tool than operators who naturally think about security at every step of the way? Second, the more firsthand experience cybersecurity professionals have in this domain, the more chance that they can predict where things are going, where the right control points are and, as I mentioned in my previous article, what practical risk management looks like in practice.
Source link
04/09/2026
ThreatsDay Bulletin: Hybrid P2P Botnet, 13-Year-Old Apache RCE and 18 More Stories
Ravie LakshmananApr 09, 2026Hacking News / Cybersecurity News
Thursday. Another week, another batch of things that probably should’ve been caught sooner but weren’t.

This one’s got some range — old vulnerabilities getting new life, a few “why was that even possible” moments, attackers leaning on platforms and tools you’d normally trust without thinking twice. Quiet escalations more than loud zero-days, but the kind that matter more in practice anyway.

Mix of malware, infrastructure exposure, AI-adjacent weirdness, and some supply chain stuff that’s… not great. Let’s get into it.
Resilient hybrid botnet surge

A new variant of the botnet known as Phorpiex (aka Trik) has been observed, using a hybrid communication model that combines traditional C2 HTTP polling with a peer-to-peer (P2P) protocol over both TCP and UDP to ensure operational continuity in the face of server takedowns. The malware acts as a conduit for encrypted payloads, making it challenging for external parties to inject or modify commands. The primary goal of Phorpiex’s Twizt variant is to drop a clipper that re-routes cryptocurrency transactions, as well as distribute high-volume sextortion email spam and facilitate ransomware deployment (e.g., LockBit Black, Global). It also exhibits worm-like behavior by propagating through removable and remote drives, and drop modules responsible for exfiltrating mnemonic phrases and scanning for Local File Inclusion (LFI) vulnerabilities. “Phorpiex has consistently demonstrated its capability to evolve, shifting from a pure spam operation to a sophisticated platform,” Bitsight said. “The Phorpiex botnet remains a highly adaptive and resilient threat.” There are about 125,000 infections daily on average, with the most affected countries being Iran, Uzbekistan, China, Kazakhstan, and Pakistan.

Chained flaws enable stealth RCE

A remote code execution (RCE) vulnerability that lurked in Apache ActiveMQ Classic for 13 years could be chained with an older flaw (CVE-2024-32114) to bypass authentication. Tracked as CVE-2026-34197 (CVSS score: 8.8), the newly identified bug allows attackers to invoke management operations through the Jolokia API and trick the message broker into retrieving a remote configuration file and executing operating system commands. According to Horizon3.ai, the security defect is a bypass for CVE-2022-41678, a bug that allows authenticated attackers to trigger arbitrary code execution and write web shells to disk. “The vulnerability requires credentials, but default credentials (admin:admin) are common in many environments,” Horizon3.ai researcher Naveen Sunkavally said. “On some versions (6.0.0 – 6.1.1), no credentials are required at all due to another vulnerability, CVE-2024-32114, which inadvertently exposes the Jolokia API without authentication. In those versions, CVE-2026-34197 is effectively an unauthenticated RCE.” The newly discovered security defect was addressed in ActiveMQ Classic versions 5.19.4 and 6.2.3.

Cyber fraud losses hit record highs

Cyber-enabled fraud cost victims over $17.7 billion during 2025, as financial losses to internet-enabled fraud continue to grow. The total loss exceeds $20.87 billion, up 26% from 2024. “Cyber-enabled fraud is responsible for almost 85% of all losses reported to IC3 [Internet Crime Complaint Center] in 2025,” the U.S. Federal Bureau of Investigation (FBI) said. “Cryptocurrency investment fraud was the highest source of financial losses to Americans in 2025, with $7.2 billion reported in losses.” In all investment scams led the pack with $8.6 billion in reported losses, followed by business email compromise ($3 billion) and tech support scams ($2.1 billion). Sixty-three new ransomware variants were identified last year, leading to more than $32 million in losses. Akira, Qilin, INC./Lynx/Sinobi, BianLian, Play, Ransomhub, Lockbit, Dragonforce, Safepay, and Medusa emerged as the top ten variants to hit critical manufacturing, healthcare, public health, and government entities.

AI-driven DDoS tactics escalate

According to data from NETSCOUT, more than 8 million DDoS attacks were recorded across 203 countries and territories between July and December 2025. “The attack count remained stable compared to the first half of the year, but the nature and sophistication of attacks changed dramatically,” the company said. “The TurboMirai class of IoT botnets, including AISURU and Eleven11 (RapperBot), emerged as a major force. DDoS-for-hire platforms are now integrating dark-web LLMs and conversational AI, lowering the technical barrier for launching complex, multi-vector attacks. Even unskilled threat actors can now orchestrate sophisticated campaigns using natural-language prompts, increasing risk for all industries.”

Insider breach exposes private photos

A former Meta employee in the U.K. is under investigation over allegations that he illegally downloaded about 30,000 private photos from Facebook. According to The Guardian, the accused developed a software program to evade Facebook’s internal security systems and access users’ private images. Meta uncovered the breach more than a year ago, terminated the employee, and referred the case to law enforcement. The company said it also notified affected users, although it’s not clear how many were impacted.

Help desk attacks enable enterprise breaches

Google said it’s tracking a financially motivated threat cluster called UNC6783 that’s tied to the “Raccoon” persona and is targeting dozens of high-profile organizations across multiple sectors by compromising business process outsourcing (BPO) providers and help desk staff for later data extortion. “The campaign relies on live chat social engineering to direct employees to spoofed Okta logins using [org].zendesk-support[##].com domains,” Austin Larsen, Google Threat Intelligence Group (GITG) principal threat analyst, said. “Their phishing kit steals clipboard contents to bypass MFA and enroll their own devices for persistent access. We also observed them using fake security updates (ClickFix) to drop remote access malware.” Organizations are advised to prioritize FIDO2 hardware keys for high-risk roles, monitor live chat for suspicious links, and regularly audit newly enrolled MFA devices.

Magecart skimmer hides in SVG

A large-scale Magecart campaign is using invisible 1×1 pixel SVG elements to inject a fake checkout overlay on 99 Magento e-commerce stores, exfiltrating payment data to six attacker-controlled domains. “In the early hours of April 7th, nearly 100 Magento stores got mass-infected with a ‘double-tap’ skimmer: a credit card stealer hidden inside an invisible SVG element,” Sansec said. “The likely entry vector is the PolyShell vulnerability that continues to affect unprotected Magento stores.” Like other attacks of this kind, the skimmer shows victims a convincing “Secure Checkout” overlay, complete with card validation and billing fields. Once the payment details are captured, it silently redirects the shopper to the real checkout page. Adobe has yet to release a security update to address the PolyShell flaw in production versions of Magento.

Emoji-coded signals evade detection

Cybercriminals are using emojis across illicit communities to signal financial activity, access and account compromise, tooling and service offerings, represent targets or regions, and communicate momentum or importance. Using emojis allows bad actors to bypass security controls. “Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text,” Flashpoint said. “This is particularly valuable in: large Telegram channels with international membership, cross-border fraud operations, [and] decentralized marketplaces. This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.”

Stealth RAT delivered via MSI

A ClickFix campaign targeting Windows users is leveraging malicious MSI installers to deliver a Node.js-based information stealer. “This Windows payload is a highly adaptable remote access Trojan (RAT) that minimizes its forensic footprint by using dynamic capability loading,” Netskope said. “The core stealing modules and communication protocols are never stored on the victim’s disk. Instead, they are delivered in-memory only after a successful C2 connection is established. To further obfuscate the attacker’s infrastructure, the malware routes gRPC streaming traffic over the Tor network, providing a persistent and masked bidirectional channel.”

macOS attack bypasses Terminal safeguards

More ClickFix, this time targeting macOS. According to Jamf, a ClickFix-style macOS attack is abusing the “applescript://” URL scheme to launch Script Editor and deliver an Atomic Stealer infostealer payload, thereby bypassing Terminal entirely. The attack leverages fake Apple-themed web pages that include instructions to “reclaim disk space on your Mac” by clicking on an “Execute” button that triggers the “applescript://” URL scheme. The new approach is likely a response to a new security feature introduced by Apple in macOS 26.4 that scans commands pasted into Terminal before they’re executed. “It’s a meaningful friction point, but as this campaign illustrates, when one door closes, attackers find another,” security researcher Thijs Xhaflaire said.

PyPI package exfiltrates AI prompts

A malicious PyPI package named hermes-px has been advertised as a “Secure AI Inference Proxy” but contains functionality to steal users’ prompts. “The package actually hijacks a Tunisian university’s private AI endpoint, bundles a stolen and rebranded Anthropic Claude Code system prompt, launders all responses to hide the true upstream source, and exfiltrates every user message directly to the attacker’s Supabase database, bypassing the very Tor anonymity it promises,” JFrog said.

Exposed PLCs targeted by state actors

Data from Censys has revealed that there are 5,219 internet-exposed hosts that self-identify as Rockwell Automation/Allen-Bradley devices. “The United States accounts for 74.6% of global exposure (3,891 hosts), with a disproportionate share on cellular carrier ASNs indicative of field-deployed devices on cellular modems,” it said. “Spain (110), Taiwan (78), and Italy (73) represent the largest non-Anglosphere concentrations. Iceland’s presence (36 hosts) is disproportionate to its population and warrants attention, given its geothermal energy infrastructure.” The disclosure follows a joint advisory from U.S. agencies that warned of ongoing exploitation of internet-facing Rockwell Automation/Allen-Bradley programmable logic controllers (PLCs) by Iranian-affiliated nation-state actors since March 2026 to breach U.S. critical infrastructure sectors, causing operational disruption and financial loss in some cases. The agencies said the attacks are reminiscent of similar attacks on PLCs by Cyber Av3ngers in late 2023.

Code leak weaponized for malware spread

In late March 2026, Anthropic inadvertently exposed internal Claude Code source material via a misconfigured npm package, which included approximately 512,000 lines of internal TypeScript. While the exposure lasted only about three hours, it triggered rapid mirroring of the source code across GitHub, prompting Anthropic to issue takedown notices (and later a partial retraction). Needless to say, threat actors wasted no time and took advantage of the topical nature of the leak to distribute Vidar Stealer, PureLogs Stealer, and GhostSocks proxy malware through fake leaked Claude Code GitHub repositories. “The campaign abuses GitHub Releases as a trusted malware delivery channel, using large trojanized archives and disposable accounts to repeatedly evade takedowns,” Trend Micro said. “The combined functionality of the malware payloads enables credential theft, cryptocurrency wallet exfiltration, session hijacking, and residential proxy abuse across Windows, giving the operators multiple monetization paths from a single infection.”

Lumma successor adopts evasive tactics

A new 64-bit version of Lumma Stealer called Remus (historically called Tenzor) has emerged in the wild following Lumma’s takedown and the doxxing of its alleged core members. “The first Remus campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks,” Gen researchers said. Besides using identical code, direct syscalls/sysenters, and the same string obfuscation technique, another detail linking the two is the use of an application-bound encryption method, only observed in Lumma Stealer to date.

Court rulings split on AI risk label

In a setback for Anthropic, a Washington, D.C., federal appeals court declined to block the U.S. Department of Defense’s national security designation of the AI company as a supply chain risk. The development comes after another appeals court in San Francisco came to the opposite conclusion in a separate legal challenge by Anthropic, granting it a preliminary injunction that bars the Trump administration from enforcing a ban on the use of AI chatbot Claude.The company has said the designation could cost the company billions of ⁠dollars in lost business and reputational harm. As Reuters notes, the lawsuit is one of two that Anthropic filed over the Trump administration’s unprecedented move to classify it as a supply chain risk after it refused to allow the military to use Claude for domestic mass surveillance or autonomous weapons.

Trojanized tools deliver crypto clipper

In a new campaign observed by Kaspersky, unwitting users searching for proxy clients like Proxifier on search engines like Google and Yandex are being directed to malicious GitHub repositories that host an executable, which acts as a wrapper around the legitimate Proxifier installer.Once launched, it configures Microsoft Defender Antivirus exclusions, launches the real Proxifier installer, sets up persistence, and runs a PowerShell script that reaches out to Pastebin to retrieve a next-stage payload. The downloaded PowerShell script is responsible for retrieving another script containing the Clipper malware from GitHub. The malware substitutes cryptocurrency wallet addresses copied to the clipboard with an attacker-controlled wallet with the intention of rerouting financial transactions. Since the start of 2025, more than 2,000 Kaspersky users – most of them in India and Vietnam – have encountered the threat.

SaaS platforms abused for phishing delivery

Threat actors are leveraging notification pipelines in popular collaboration platforms to deliver spam and phishing emails. Because these emails are dispatched from the platform’s own infrastructure (e.g., Jira’s Invite Customers feature), they are unlikely to be blocked by email security tools. “These emails are transmitted using the legitimate mail delivery infrastructure associated with GitHub and Jira, minimizing the likelihood that they will be blocked in transit to potential victims,” Cisco Talos said. “By taking advantage of the built-in notification functionality available within these platforms, adversaries can more effectively circumvent email security and monitoring solutions and facilitate more effective delivery to potential victims.” The development coincides with a phishing campaign targeting multiple organizations with invitation lures sent from compromised email accounts that lead to the deployment of legitimate remote monitoring and management (RMM) tools like LogMeIn Resolve. The campaign, tracked as STAC6405, has been ongoing since April 2025. In one case, the threat actor has been found to leverage a pre-existing installation of ScreenConnect to download a HeartCrypt-protected ZIP file that ultimately leads to the installation of malware that’s consistent with ValleyRAT. Other campaigns have leveraged procurement-themed emails to direct users to cloud-hosted PDFs containing embedded links that, when clicked, take victims to Dropbox credential harvesting pages. Threat actors have also distributed executable files disguised as copyright violation notices to trick them into installing PureLogs Stealer as part of a multi-stage campaign. What’s more, Reddit posts advertising the premium version of TradingView have acted as a conduit for Vidar and Atomic Stealer to steal valuable data from both Windows and macOS systems. “The threat actor actively comments on their own posts with different accounts, creating the illusion of a busy and helpful community,” Hexastrike said. “More concerning, any comments from real users pointing out that the downloads are malware get deleted within minutes. The operation is hands-on and closely monitored.”

Linux SMB flaw leaks crypto keys

A high-severity security flaw has been disclosed in the Linux kernel’s ksmbd SMB3 server. Tracked as CVE-2026-23226 (CVSS score: 8.8), it falls under the same bug class as CVE-2025-40039, which was patched in October 2025. “When two connections share a session over SMB3 multichannel, the kernel can read a freed channel struct – exposing the per-channel AES-128-CMAC signing key and causing a kernel panic,” Orca said. “An attacker needs valid SMB credentials and network access to port 445.” Alternatively, the vulnerability can be exploited by an attacker to leak the per-channel AES-128-CMAC key used to sign all SMB3 traffic, enabling them to forge signatures, impersonate the server, or bypass signature verification. It has been fixed in the commit “e4a8a96a93d.”

Prompt injection turns AI into attack tool

New research has demonstrated it’s possible to trick Anthropic’s vibe coding tool Claude Code into performing a full-scope penetration attack and credential theft by modifying a project’s “CLAUDE.md” file to bypass the coding agent’s safety guardrails. The instructions explicitly tell Claude Code to help the developer complete a penetration testing assessment against their own website and assist them in their tasks. “Claude Code should scan CLAUDE.md before every session, flagging instructions that would otherwise trigger a refusal if attempted directly within a prompt,” LayerX said. “When Claude detects instructions that appear to violate its safety guardrails, it should present a warning and allow the developer to review the file before taking any actions.”

AI exploit silently leaks enterprise data

Grafana has patched a security vulnerability that could have enabled attackers to trick its artificial intelligence (AI) capabilities into leaking sensitive data by means of an indirect prompt injection and without requiring any user interaction. The attack has been codenamed GrafanaGhost by Noma Security. “By bypassing the client-side protections and security guardrails that restrict external data requests, GrafanaGhost allows an attacker to bridge the gap between your private data environment and an external server,” the cybersecurity company said. “Because the exploit ignores model restrictions and operates autonomously, sensitive enterprise data can be leaked silently in the background.” GrafanaGhost is stealthy, as it requires no login credentials and does not depend on a user clicking a malicious link. The attack is another example of how AI-assisted features integrated into enterprise environments can be abused to access and extract critical data assets while remaining entirely invisible to defenders.

Android framework abused for payment fraud

LSPosed is a powerful framework for rooted Android devices that allows users to modify the behavior of the system and apps in real-time without actually making any modifications to APK files. According to CloudSEK, threat actors are now weaponizing the tool to remotely inject fraudulent SMS messages and spoof user identities in modern payment ecosystems via a malicious module called “Digital Lutera.” The attack effectively undermines SIM-binding restrictions applied to banking and instant payment apps in India. However, for this approach to work, the threat actor requires a victim to install a Trojan that can intercept SMS messages sent to/from the device. While the attack previously combined a trojanized mobile device (the victim) and a modified mobile payment APK (on the attacker’s device) to trick bank servers into believing the victim’s SIM card is physically present in the attacker’s phone, the latest iteration leans on LSPosed to achieve the same goals. A key requisite to this attack is that the attacker must have a rooted Android device with the LSPosed module installed. “This new attack vector allows threat actors to hijack legitimate, unmodified payment applications by ‘gaslighting’ the underlying Android operating system,” CloudSEK said. “By using LSPosed, the threat actor ensures the payment app’s signature remains valid, making it invisible to many standard integrity checks.”
That’s the week. A lot of ground covered — old problems with new angles, platforms being abused in ways they weren’t designed for, and a few things that are just going to keep getting worse before anyone seriously addresses them.

Patch what you can. Audit what you’ve trusted by default. And maybe double-check anything that touches AI right now — that space is getting messy fast.

Same time next Thursday.
Source link
04/09/2026
From Bret Stephens to John Bolton, America’s Pro-War Elites Must Be Held Accountable

The United States is still good at many things, but holding elites to account is not one of them. President Gerald Ford pardoned Richard Nixon, George H. W. Bush pardoned the officials responsible for the Iran-Contra scandal, and Barack Obama declined to prosecute the men and women who had authorized the illegal use of torture. The architects of the disastrous wars in Vietnam and Iraq remained respected members of the establishment for the rest of their lives, in some cases occupying leadership posts or comfortable sinecures at prominent institutions and continuing to opine on foreign-policy matters whenever they wished. Nor were the fraudsters who brought us the 2008 financial crisis ever held to account—we just turned the page and moved on. Given that record, it isn’t so surprising that the United States tends to repeat past errors.

The war with Iran is a case in point. It remains to be seen whether the cease-fire announced on Tuesday will hold, but it is already clear that going to war again was a terrible blunder. Two months ago, the Strait of Hormuz was open, Iran was contained and its leaders were unpopular, oil and gas prices were lower, and its U.S. weapons stocks were fuller. Today, oil and gas prices have soared; inflation is rising; Iran controls the strait and is earning money from tolls; and its government is younger, more hard-line, and enjoying greater public support. U.S. missile stocks are depleted, and some key facilities in the region have been severely damaged. And the entire world has been shown that the United States is led by an impulsive old man who has no idea what he is doing. At this point, there’s no reason to delay imposing accountability on those responsible for what has been an unnecessary strategic disaster.

The United States is still good at many things, but holding elites to account is not one of them. President Gerald Ford pardoned Richard Nixon, George H. W. Bush pardoned the officials responsible for the Iran-Contra scandal, and Barack Obama declined to prosecute the men and women who had authorized the illegal use of torture. The architects of the disastrous wars in Vietnam and Iraq remained respected members of the establishment for the rest of their lives, in some cases occupying leadership posts or comfortable sinecures at prominent institutions and continuing to opine on foreign-policy matters whenever they wished. Nor were the fraudsters who brought us the 2008 financial crisis ever held to account—we just turned the page and moved on. Given that record, it isn’t so surprising that the United States tends to repeat past errors.

The war with Iran is a case in point. It remains to be seen whether the cease-fire announced on Tuesday will hold, but it is already clear that going to war again was a terrible blunder. Two months ago, the Strait of Hormuz was open, Iran was contained and its leaders were unpopular, oil and gas prices were lower, and its U.S. weapons stocks were fuller. Today, oil and gas prices have soared; inflation is rising; Iran controls the strait and is earning money from tolls; and its government is younger, more hard-line, and enjoying greater public support. U.S. missile stocks are depleted, and some key facilities in the region have been severely damaged. And the entire world has been shown that the United States is led by an impulsive old man who has no idea what he is doing. At this point, there’s no reason to delay imposing accountability on those responsible for what has been an unnecessary strategic disaster.

I’ve already offered some preliminary views on who is to blame for the boneheaded decision to go to war, along with some thoughts on who should not be blamed. Primary responsibility rests with U.S. President Donald Trump, Israeli Prime Minister Benjamin Netanyahu, and the aides who enabled them, of course. But such decisions do not arise out of thin air. In democracies, the road to foolish wars of choice is paved by pundits, lobbyists, advisors, and other alleged experts who sometimes spend years working to convince policymakers that unleashing the dogs of war will make a vexing foreign-policy problem disappear. Their efforts gradually normalize the idea of using military force, making a momentous and fateful decision on which thousands of lives depend seem like just one option among many.

The formula for war is almost always the same: After portraying the chosen enemy as the epitome of evil and incapable of reform, the war party assures us that the campaign will be quick, easy, cheap, and bring far-reaching and long-lasting benefits. They repeatedly warn that time is running out and failure to act now will have dire consequences. They tend to be studiously silent about the innocent civilians who will be killed and the hardships survivors will face after we’ve blown a lot of stuff up, and they confidently predict that the populations we are attacking will welcome our actions. This familiar recipe is then endlessly repeated until the stars line up and some foolish leader decides the warmongers are right.

So, who are some of the leading voices who helped legitimize Trump’s decision to go to war? Bret Stephens of the New York Times undoubtedly counts among them. Stephens has been a strident advocate of war with Iran for years, just as he backed (and still defends) the invasion of Iraq in 2003. From his lofty perch at one of the world’s most prominent news organizations, he wrote in 2024 that “We Absolutely Need to Escalate in Iran.” He reiterated this view on the eve of the war, in a column entitled “The Case for Striking Iran.” He remains fully committed to the fight today, penning subsequent columns assuring readers that the war is going well and warning against any slackening of U.S. efforts. If you appreciate having your taxes used for war crimes and enjoy paying $6 or more for a gallon of gas, feel free to send him a thank-you note.

Like Stephens, Matthew Kroenig of the Atlantic Council has called for war against Iran for more than a decade, beginning with a 2012 article, “Time to Attack Iran.” This article was a textbook case of how not to do strategic analysis, as Kroenig combined best-case assumptions about how a war would go with worst-case predictions for what would happen if war did not occur. Kroenig recycled these arguments in a subsequent book and hasn’t changed his views one iota since. He repeated his call for war again in 2025, insisting that there was little danger of a wider war because Iran would not escalate in response. (Apparently, Iran’s leaders failed to read his analysis; if they did, they clearly were not persuaded by it.)

The American Enterprise Institute’s Danielle Pletka, Marc Thiessen, and Michael Rubin also distinguished themselves as fervent advocates for war. On the eve of the war, these stalwart uber-hawks held a lengthy podcast conversation explaining why they hoped Trump would initiate regime change, predicting that toppling the Iranian government would be easy, and casually discussing the merits of assassinating its leaders. Pletka continues to defend the war, despite its rising costs and Trump’s evident desperation, and none of the three seems remotely concerned by the human costs of the war, the repeated violations of international law, or the possible commission of war crimes.

Niall Ferguson of the Hoover Institution should likewise be held to account. As befits someone who also supported the 2003 invasion of Iraq, Ferguson told a podcast in early 2026 that the United States should “finish the job” it had started last summer. In his words, “It would be, without question, a benefit to ordinary Iranians; it would be a benefit to the region as a whole—and indeed the world—to remove this evil regime from the face of the earth. Let’s do it.” When Trump granted his wish, he assured readers of the Free Press, “One thing I can confidently promise about the U.S.-Israeli war against the Islamic Republic: It will not last long.” Ever flexible, Ferguson more recently seems to have backed away from his initial optimism and has taken to wondering if the war might go “global.” One wishes he’d given some thought to that possibility before beating the drum for war.

Retired four-star Gen. Jack Keane deserves notice, too. Although other retired military officers have questioned the wisdom of this latest war, Keane has been an especially consistent supporter. Before the war he told Fox that military force was “the best option,” and called it a “historic opportunity” for regime change. He’s continued to defend the war ever since, praising Trump’s decisions and predicting that it would end soon.

No discussion of Iran warmongers would be complete if it excluded Mark Dubowitz and his various associates at the Foundation for Defense of Democracies (FDD). A key organization in the Israel lobby, the FDD was one of the most active opponents of the Joint Comprehensive Plan of Action (aka, the nuclear deal, or JCPOA) that had drastically reduced Iran’s enrichment capacity and its stockpile of enriched uranium, thereby extending the time it would take Iran to break out and create an actual weapon. Having failed to stop the original agreement, the FDD helped convince Trump to withdraw from the JCPOA during his first term—even though Iran was in full compliance—and adopt a policy of “maximum pressure” intended to topple the clerical regime. Critics warned that abandoning the deal would cause Iran to resume enrichment and move closer to the bomb (and it did) and the United States would eventually face the decision of using force, with all the negative repercussions we are now experiencing. That possibility didn’t trouble Dubowitz, however, who told NPR in early February that the United States had to “strike first and then talk.” Since then, the FDD has been a consistent cheerleader for the war, despite the growing evidence that Trump miscalculated and the human costs the war has imposed around the world.

And then there is former U.S. National Security Advisor John Bolton. Although Bolton has become highly critical of Trump, including his handling of the war, he’s long supported using force to overthrow the Iranian regime and opposed diplomatic efforts to improve relations between Washington and Tehran. He opposed the 2015 nuclear deal, supported the failed “maximum pressure” campaign in Trump’s first term, and told PBS in early March 2026 that the U.S. decision to go to war in February was “totally justified,” adding that “the world would have been a lot safer place if we had done it 20 years ago.” Despite having fallen out with Trump himself, therefore, Bolton deserves to be included among the voices who helped bring this war about.

These names are hardly the only prominent voices who called for attacking Iran before Feb. 28, 2026, and who have continued to defend the war since then. I’ve omitted politicians—such as Republican Sens. Lindsey Graham or Tom Cotton—along with talking heads such as Fox News’s Mark Levin or Sean Hannity. I’ve undoubtedly missed other important figures who have helped create a political climate where U.S. leaders would once again decide to start an open-ended conflict in the greater Middle East, despite the enormous consequences for the world economy and America’s ability to address more serious national security challenges. Feel free to add more names to my list and keep track of whether any of them eventually concede that their advice might have been mistaken.

If the war really does end in a major U.S. defeat—as is looking likely at present—the people who pushed for it are likely to claim that going to war was the right idea and blame Trump, Defense Secretary Pete Hegseth, Secretary of State Marco Rubio, Vice President J.D. Vance, et al., for failing to execute their brilliant scheme properly. But this alibi won’t wash, as the administration’s incompetence was apparent before the order to attack was given and there was little reason to believe the war would go swimmingly.

If Americans want to stop making the same mistakes, they need to pay far less attention to such chronic purveyors of bad advice. To be sure, the desire for accountability can be taken too far, because foreign policy is an uncertain business and nobody gets everything right all the time (including me). Sensible people admit their mistakes and learn from experience, however, while ideologues and activists tend to double down. When someone keeps offering the same prescriptions, gets the same bad results each time, and never seems to learn, it is time to look elsewhere for guidance.

It’s a free country—still—and I’m not suggesting that the voices who sold this latest dumb war should be prosecuted or fired or punished or abused in any other way. I still believe that what John Stuart Mill called “the liberty of thought and discussion” tends to produce better policy over time, and we shouldn’t try to suppress views with which we disagree. But preserving the right to free expression and an openness to opposing views doesn’t require us to give all voices equal attention or prominence.

Holding chronic dispensers of bad advice to account could start by identifying who they are and keeping track of what they said, which is why I wrote this column. Looking forward, one might hope that reporters seeking expert guidance for a story might turn to other voices more often, instead of reaching for the same familiar names in their Rolodex. Journal editors might treat the warmongers’ submissions with greater skepticism, and news networks and podcasters seeking enlightened commentary might showcase these failed prophets less often than they currently do. Most important of all, policymakers seeking wise counsel on tough foreign-policy problems should rely on others for insight and advice.

Source link

04/09/2026