🔒 1. Chrome 146 with DBSC: The End of Cookie Theft Era

Google today released one of the most significant security updates in browser history: Chrome 146 with Device Bound Session Credentials (DBSC) that hardware-locks session cookies to your device. This means even if malware steals your cookies, it can't use them on another device. This is the end of an era for info-stealer hackers who've spent years stealing cookies to bypass even 2FA. The cookie theft business model just got destroyed.

How does it work? DBSC uses hardware security modules - TPM (Trusted Platform Module) on Windows and Secure Enclave on macOS - to create a unique public/private key pair that cannot be exported from the device. When you log into a service like Gmail or Google Workspace, the private key stays on your device and encrypts every request. Google's server verifies with the public key that the request actually comes from that specific device.

Why is this revolutionary? Info-stealer malware like Lumma, Vidar, and RedLine have been stealing session cookies from browsers for years and selling them on dark web markets. These cookies allow hackers to access your accounts without needing passwords or 2FA - because the browser thinks you're still logged in. According to Google's report, session hijacking attacks increased by over 400% in 2025. DBSC completely breaks this threat model.

Who's protected now? Currently, DBSC is only active for Windows users in Chrome 146 and only works with Google services (Gmail, Google Workspace, Google Cloud). macOS support is coming in a future Chrome release, and Google is working with other tech companies to make DBSC an industry standard. Microsoft, Amazon, and Apple have already expressed interest in implementing this technology.

What are the limitations? DBSC only works on devices with TPM 2.0 or Secure Enclave - meaning older computers (pre-2016) aren't supported. Also, if you switch devices, you'll need to log in again because the encryption keys are bound to the previous hardware. For enterprise users who move between multiple devices, this can be an inconvenience - but a necessary one for security.

💸 2. Bitcoin Depot: $3.66M Stolen in Cyberattack

Bitcoin Depot, America's largest Bitcoin ATM operator, today disclosed in an SEC filing that 50.9 Bitcoin (approximately $3.66 million) was stolen in a March 23 cyberattack. What makes this hack particularly concerning is that the company didn't realize until April 6 - two weeks later - that this constituted a "material event." This delay raises serious questions about the company's monitoring and incident response processes.

How did it happen? According to the SEC filing, attackers gained access to Bitcoin Depot's corporate IT systems and obtained credentials related to digital asset settlement accounts. This was a targeted attack on corporate infrastructure, not an exploitation of public ATMs. Importantly, Bitcoin Depot emphasized there was "no impact on customer platforms or customer data" - meaning ATM users weren't directly affected.

Why did it take two weeks to realize? This is one of the concerning aspects of the incident. The attack happened on March 23, but management didn't decide until April 6 that this was a "material event" requiring public disclosure. During these two weeks, the company was likely assessing the damage extent, consulting with external cybersecurity experts, and calculating potential legal and reputational costs. This delay could raise questions from the SEC and shareholders.

Where did the money go? Bitcoin Depot hasn't disclosed technical details of the attack, but based on typical patterns, attackers likely immediately moved the stolen Bitcoin through mixers like Tornado Cash or Wasabi Wallet to obscure the trail. These funds can later be converted to fiat through no-KYC exchanges or used to purchase other assets. Tracking and recovering these funds is nearly impossible after they pass through multiple mixing layers.

What's the impact on the company? Bitcoin Depot said it's working with "external cybersecurity experts" to strengthen IT security and seeking recovery through insurance. The company is also cooperating with law enforcement. However, the $3.66 million damage doesn't just include the stolen Bitcoin value - legal costs, incident response expenses, increased insurance premiums, and potential reputational damage could multiply the real cost several times.

🇨🇳 3. Alibaba 10,000-Chip Datacenter: China Responds to Nvidia

Alibaba and China Telecom today announced one of the most significant milestones in China's technological independence: the launch of an AI datacenter with 10,000 Zhenwu chips in Shaoguan, Guangdong Province. This is the first large-scale deployment of China's domestic AI chips at this scale and a direct response to US sanctions that restricted exports of advanced Nvidia and AMD chips to China. The message is clear: China is no longer waiting for the West.

What is the Zhenwu chip? It's the product of Alibaba's T-Head semiconductor unit, designed specifically for training and inference of AI models. While Alibaba hasn't disclosed exact technical specifications, the company claims these chips can support AI models with hundreds of billions of parameters - putting them in the same class as today's largest models. This datacenter will power Alibaba's new Qwen3.6-Plus model.

Why is this important? US sanctions that began in October 2022 and intensified in 2023 and 2024 restricted exports of advanced AI chips to China. These sanctions were designed to prevent China's progress in AI and high-performance computing. But instead of stopping China, these sanctions created a massive incentive for domestic development. The launch of this 10,000-chip datacenter shows China is rapidly closing the gap.

How's the performance? Alibaba claims Zhenwu can train large language models with efficiency comparable to Western solutions. While it likely doesn't yet match Nvidia's H100, the gap is closing fast. More importantly, China now has a completely domestic supply chain for AI chips - from design to manufacturing to deployment - making them immune to future sanctions.

What's the impact on Nvidia? This isn't good news for Nvidia. China was previously Nvidia's largest market, and sanctions eliminated billions in potential revenue. Now that China is scaling domestic alternatives, even if sanctions are lifted, Nvidia may never recover that market. Alibaba's stock jumped 7.79% after this announcement, while Nvidia remained under pressure.

⚠️ 4. Claude Mythos: AI Too Dangerous for Public Release

Anthropic today made one of the most controversial decisions in AI history: introducing Claude Mythos Preview - an AI model so powerful at discovering cybersecurity vulnerabilities that the company decided to restrict access to just 52 select organizations worldwide. This is the first time a major AI lab has explicitly said: "This model is too dangerous for you." And it raises a big question: if AI can find thousands of zero-days, who should have access to it?

What makes Mythos so special? According to Anthropic's announcement, this model has so far identified thousands of high-severity zero-day vulnerabilities across all major operating systems and browsers. Zero-day means a security flaw unknown to software makers with no patch available. This model discovered a 27-year-old bug in OpenBSD, a 16-year-old flaw in FFmpeg, and a memory corruption vulnerability in a memory-safe virtual machine monitor.

Why is it restricted? Anthropic is providing early access through Project Glasswing only to select technology and infrastructure organizations for defensive security tasks. These 52 organizations include NVIDIA, Amazon, Apple, Google, Microsoft, and government cybersecurity agencies. The concern is that if Mythos were publicly available, malicious actors could use it to discover and exploit vulnerabilities faster than defenders could patch them.

How advanced are the capabilities? Mythos goes beyond simple vulnerability scanning. It can perform automated penetration testing, analyze complex codebases for subtle security flaws, and even suggest exploitation techniques. In one demonstration, it automatically hacked a secure operating system in just four hours - work that typically takes human security researchers days or weeks. This level of capability could fundamentally change the balance between attackers and defenders.

What have the reactions been? The cybersecurity community is sharply divided. Some praise Anthropic for responsibility, while others argue that restricting access is only a temporary solution. Bruce Schneier, cybersecurity expert, said: "This is a turning point. We're entering an era where AI can find vulnerabilities faster than humans can patch them. This is a fundamental problem that access restriction can't solve."

💰 5. Amazon $200B on AI: Andy Jassy Defends the Bet

Amazon CEO Andy Jassy today forcefully defended the company's plan to invest $200 billion in AI infrastructure over the next few years at an investor conference. When an analyst asked if this massive investment was "too aggressive," Jassy responded decisively: "We're not going to be conservative. If we're conservative, we'll regret it." This is one of the biggest technology bets in history - and Jassy made clear that Amazon has put all its chips on AI.

Where's the $200 billion going? This massive investment includes building new datacenters, purchasing hundreds of thousands of GPUs (likely Nvidia's H200 and GB200), developing custom AI chips Trainium and Inferentia, and expanding AWS as the primary platform for training and deploying AI models. Amazon is also investing in power generation for these datacenters - including small modular nuclear reactors (SMRs) that can provide sustainable and reliable energy.

Why take this risk? Jassy argued that demand for AI compute is "growing exponentially" and AWS is in a unique position to capture this market. He pointed out that many of the world's largest AI models - including Anthropic Claude, Stability AI, and Cohere - are trained on AWS infrastructure. If Amazon doesn't invest now, competitors like Microsoft Azure and Google Cloud might capture the market.

How fierce is the competition? Microsoft has already announced it will invest $80 billion in fiscal year 2026 on AI datacenters. Google is also investing heavily, though it hasn't disclosed exact figures. Meta said it will spend $65 billion on AI infrastructure in 2026. This is a real arms race, and companies that fall behind may never catch up.

What do shareholders think? Reactions are mixed. Some investors praise Jassy's long-term vision, while others worry Amazon is spending too much too fast. Amazon stock dropped 2.3% after Jassy's comments, showing the market isn't yet convinced. But Jassy was clear: "We're not optimizing for next quarter. We're optimizing for the next decade."

⚖️ 6. xAI vs Colorado: AI Legal War Begins

Elon Musk's xAI today filed a federal lawsuit against the State of Colorado, challenging the state's new AI laws that were set to take effect in May. This is the first major legal challenge to AI regulation in America and could determine the fate of how AI is regulated across the country. Musk argues that Colorado's laws are "vague, unenforceable, and unconstitutional." Colorado says they're just protecting consumers from harmful automated decisions.

What do Colorado's laws say? The Colorado AI Act, passed in May 2025, is America's first comprehensive AI law. It requires companies using "high-impact decision systems" to conduct risk assessments, mitigate algorithmic discrimination, and allow consumers to opt-out of automated decisions. It also holds companies liable for damages caused by discriminatory AI systems.

Why did xAI sue? Musk argues that the law's definition of "high-impact decision system" is so broad it covers almost any AI application - from content recommendations to medical diagnosis. He says the risk assessment requirements are so burdensome they'll push small startups out of the market. And most importantly, he argues that holding companies liable for damages from AI decisions creates a new and dangerous liability standard.

What's the impact on the industry? If Colorado wins, expect other states to pass similar laws. This could create a complex regulatory landscape that AI companies must navigate. If xAI wins, it could set back state-level AI regulation efforts for years. Either outcome will have profound implications for how AI is developed and deployed in America.

What are industry reactions? The tech industry is sharply divided. Some companies support xAI, arguing that premature regulation stifles innovation. Others, including some tech giants, say reasonable regulation is necessary to prevent harm. Civil rights groups support Colorado's law, arguing that without regulation, AI systems will amplify existing discrimination.