Weekly Security Brief

Week of Sunday, May 3, 2026

Key Insights

1. The Deal That Broke OPEC

The United Arab Emirates quit OPEC (the Organization of the Petroleum Exporting Countries, the cartel that coordinates oil production among major exporters) on May 1 after nearly 60 years. The cartel's third-largest producer didn't leave over a quota dispute. It left because a fellow OPEC member's military hit its oil infrastructure, and the cartel couldn't do anything about it.

Iran's strikes on the UAE's Ruwais Industrial Complex during the war exposed a question OPEC was never designed to answer: what happens when one member attacks another? Washington answered it. Days before the announcement, UAE Central Bank Governor Khaled Mohamed Balama met Treasury Secretary Scott Bessent during the IMF (International Monetary Fund) spring meetings. The outcome: a $20 billion dollar swap line, an expansion of the US military footprint at Al Dhafra Air Base in Abu Dhabi, and the first-ever deployment of Israel's Iron Dome missile defense system on foreign soil during an active conflict. In exchange, the UAE abandoned a floated plan to price oil in Chinese yuan and anchored itself to the dollar system. The petrodollar (the decades-old arrangement of pricing oil in US dollars) survived. OPEC did not.

The immediate market reaction was violent. Brent crude (the international benchmark price for oil) spiked to $126 a barrel on April 30, a wartime high, before settling around $114. The World Bank projects energy prices will surge 24 percent in 2026, the steepest increase since Russia's invasion of Ukraine. Citi's bull case puts Brent at $150 if the Hormuz disruption persists through summer.

The structural damage runs deeper than price. The UAE holds roughly 14 percent of OPEC's production capacity and was producing well below its physical ceiling under cartel quotas. With $145 billion committed to upstream oil investment through 2030, Abu Dhabi is targeting 5 million barrels per day by 2027, unconstrained. OPEC's remaining members met May 3 without their most capable partner at the table and approved a 188,000 barrels-per-day increase, recalculated downward from the originally planned 206,000 to reflect the UAE's absence. They also adopted a new annual production baselines mechanism, an attempt to stabilize a cartel that just lost its enforcer.

The last major OPEC defection was Qatar in January 2019. Qatar produced negligible oil. The UAE produces over 3 million barrels per day. The Council on Foreign Relations' Steven Cook put the cascade risk plainly: if the UAE proves that leaving is profitable, other members will study the exit math.

Goldman Sachs raised its Q4 2026 base-case forecast to $90 a barrel, assuming Hormuz normalizes by late summer. Commodity Context analyst Rory Johnston estimates a $10 to $20 immediate drop on speculative unwinding if the strait genuinely reopens. The coordination mechanism that smoothed the swings between $80 and $120 just lost its enforcer. What replaces it is a market where one country's production decision can move prices by double digits overnight.

The Takeaway
Energy costs are about to become unpredictable in a way they haven't been since the 1970s. The question isn't whether oil is expensive right now. It's that the range of possible outcomes just blew open: $150 if Hormuz stays closed through summer, $80 if it reopens and the UAE floods the market unconstrained. Any budget built on a single price assumption is already wrong. Your finance team should be modeling both ends of that range before the next quarterly review. The point estimate is dead.

2. A Year of Bugs in an Afternoon

Anthropic's Claude Mythos Preview found 271 vulnerabilities in Firefox in a single automated pass. Mozilla patched them all in Firefox 150, released April 22. For comparison, Firefox accumulated 189 security vulnerabilities across the entire year of 2025. An AI found more in one sitting than the security community found in twelve months.

The raw count understates it. Mythos chained individually harmless bugs into exploit sequences that bypassed both the browser's renderer sandbox (a security boundary that isolates programs from the rest of the system) and the operating system's sandbox beneath it. It built working attacks against a server running FreeBSD (an open-source operating system) by stitching together fragments distributed across network packets, no human involvement required. Mozilla's CTO Bobby Holley said the volume gave his team "vertigo," then added: "Defenders finally have a chance to win, decisively." Bruce Schneier was more measured. He wrote that the technology points to a current advantage for defenders, but warned the advantage is likely to shrink as more powerful models become publicly available.

Two weeks earlier, Microsoft's Zero Day Quest invited researchers from more than 20 countries who submitted almost 700 cases targeting Azure and AI services. They found over 80 high-impact vulnerabilities, including cross-tenant access paths (routes that let an attacker break out of one customer's cloud environment into another's). Microsoft paid $2.3 million in bounties because the findings were real.

The UK's National Cyber Security Centre (NCSC) published the first Five Eyes government warning about what comes next. CEO Richard Horne said AI will make it "easier, faster and cheaper to discover and exploit weaknesses" buried in decades of legacy code. The patch queue is growing faster than the team assigned to work it. Palo Alto Networks reported that Mythos delivered the equivalent of a year's worth of penetration testing in under three weeks. Anthropic's own evaluation found that fewer than 1 percent of the vulnerabilities Mythos identified were actually patched during the assessment period.

The EU Cyber Resilience Act (CRA) adds a regulatory deadline to the capacity crunch. Starting September 2026, manufacturers must report exploited vulnerabilities within 24 hours. Full product compliance is required by December 2027. NIS2 (the EU's updated cybersecurity directive for critical infrastructure) is already enforcing fines in Germany, France, and the Netherlands.

The Takeaway
The bottleneck was never finding bugs. It was always fixing them. AI just made the finding part trivially fast and left the fixing part exactly as slow as it's always been. The vendors you depend on are about to push patches faster than your team can apply them. If your CISO hasn't automated patch deployment or budgeted for the staffing increase this quarter, the flood is already here.

3. Your Office Router Is Someone Else's Infrastructure

Nearly a dozen governments and their intelligence agencies published a joint advisory on April 23 naming what they found inside consumer-grade network equipment worldwide. The answer was the Chinese military.

CISA (the Cybersecurity and Infrastructure Security Agency) advisory AA26-113A documents how two Chinese government hacking groups, Volt Typhoon and Flax Typhoon, stopped building their own attack infrastructure and started borrowing everyone else's. They compromised more than 200,000 small office routers, firewalls, network storage devices, and IoT devices (internet-connected equipment like cameras and sensors), then networked them into a shared, professionally managed platform that supports espionage operations from initial reconnaissance through data theft. A Beijing-based company called Integrity Technology Group ran the operation. The FBI obtained a court order and conducted a takedown, but the advisory warns the technique is persistent: compromised devices are replaced as fast as they're cleaned.

The shift matters more than the scale. Previous Chinese cyber campaigns built custom infrastructure for each operation. This model industrializes it. The advisory calls it "externally provisioned" infrastructure, meaning Chinese operators don't own or rent the servers they attack from. They use yours. Traditional defenses built around blocking known malicious IP addresses fail because the addresses belong to legitimate devices in legitimate offices. Geographic IP blocking is equally useless. The traffic comes from a dental office in Ohio, not a server in Shanghai.

The majority of compromised devices were in North America and Europe. The devices that made them targets were the ones designed to be forgotten after installation: $40 routers running firmware from 2019, network cameras with default passwords, storage devices exposed to the internet for remote access convenience.

The Takeaway
The devices most likely to be compromised are the ones nobody in your organization is responsible for managing. If your IT team can't produce a list of every router, firewall, and IoT device on your network edge, along with the firmware version each one is running, that inventory is the first step. Any Chinese-manufactured networking equipment still on that list should move to the front of the replacement queue. For everything else, disable remote administration and replace anything past end-of-life. The cheapest device on your network is the most expensive one to leave unpatched.
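
The inventory check described in this takeaway, as an added example that is not part of the original brief. The CSV columns, the sample devices and the two-year firmware staleness threshold are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real devices); column names are assumptions.
# eol_date = vendor end-of-life date, remote_admin = internet-facing management on.
SAMPLE_INVENTORY = """\
hostname,type,owner,firmware_version,firmware_date,eol_date,remote_admin
edge-rtr-01,router,netops,3.2.1,2025-11-04,2029-01-01,no
lobby-cam-02,camera,,1.0.4,2019-06-12,2022-03-31,yes
branch-fw-03,firewall,netops,7.4.2,2023-02-20,2027-06-30,yes
nas-backup-04,storage,facilities,,,2028-12-31,no
"""
MAX_FIRMWARE_AGE_DAYS = 730  # assumption: firmware older than ~2 years is stale


def audit_device(row, today):
    """Return the list of findings for one inventory row."""
    findings = []
    if not row["owner"].strip():
        findings.append("no responsible owner")
    fw_date = row["firmware_date"].strip()
    if not row["firmware_version"].strip() or not fw_date:
        findings.append("firmware version unknown")
    elif (today - date.fromisoformat(fw_date)).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware stale")
    eol = row["eol_date"].strip()
    if not eol:
        findings.append("end-of-life date unknown")
    elif date.fromisoformat(eol) < today:
        findings.append("past end-of-life")
    if row["remote_admin"].strip().lower() in ("yes", "true", "1"):
        findings.append("remote administration enabled")
    return findings


def choose_action(findings):
    """Map findings to the first remediation step, most urgent first."""
    if "past end-of-life" in findings:
        return "replace"
    if "remote administration enabled" in findings:
        return "disable remote administration"
    if "firmware stale" in findings:
        return "update firmware"
    return "complete inventory record"


def audit_inventory(csv_text, today):
    """Audit every row; return only devices with findings, worst first."""
    report = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row, today)
        if findings:
            report.append({"hostname": row["hostname"], "findings": findings,
                           "action": choose_action(findings)})
    # End-of-life devices lead the queue, then devices with the most findings.
    report.sort(key=lambda r: (r["action"] != "replace", -len(r["findings"])))
    return report


if __name__ == "__main__":
    for e in audit_inventory(SAMPLE_INVENTORY, date(2026, 5, 3)):
        print(f'{e["hostname"]:<14} {e["action"]:<30} {"; ".join(e["findings"])}')
```

A device with no owner or no recorded firmware version is reported rather than skipped, since the unmanaged devices are the ones the takeaway is about.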

4. Hackers Are Stealing Trucks, Not Data

The FBI issued a public service announcement on April 30 warning that cybercriminals are stealing physical cargo by impersonating legitimate trucking companies on digital load boards (online platforms where shippers post freight and carriers bid on it). Losses hit nearly $725 million in 2025, up 60 percent from the prior year. The average theft is now worth nearly $274,000.

The method works because the platforms were designed for speed. Attackers send spoofed emails disguised as carrier agreements to freight brokers. The links install remote access tools that give full control of the broker's systems. From there, attackers modify the carrier's registration with FMCSA (the Federal Motor Carrier Safety Administration, the agency that licenses commercial carriers), change contact information and insurance records, then accept shipments under the stolen identity. Complicit drivers pick up the cargo with manipulated bills of lading (the shipping documents that prove who owns the cargo) and divert it for resale. Victims often don't realize the load is gone until the real carrier reports a booking they never made.

The trust model that makes freight logistics fast is the same one that makes it vulnerable. Load boards match carriers to shipments based on credentials that were never designed to resist impersonation at scale. Large logistics companies have verification layers: callback procedures, secondary identity checks, insurance confirmation through independent channels. Most mid-market shippers don't. They rely on the platform to do the vetting the platform was never built to do.

The Takeaway
This isn't just a technology problem. It's a process problem as well. A company that ships ten pallets a week faces the same impersonation risk as one that ships ten thousand. The difference is whether someone picks up the phone before releasing the load. Your operations or logistics lead should have a written carrier verification process that includes a callback on a number your team sourced independently, not one the carrier provided. If that process doesn't exist today, the nearly $274,000 average loss is what it costs to learn why you needed one.

5. The Responders Were the Attack

Two cybersecurity professionals hired to defend companies against ransomware were running it against them instead. On April 30, Ryan Goldberg, a former incident response manager at Sygnia, and Kevin Martin, a former ransomware negotiator at DigitalMint, were each sentenced to four years in federal prison for deploying BlackCat ransomware against multiple US victims during a six-month spree in 2023.

A third co-conspirator, Angelo Martino, ran a larger operation from a different angle. As a DigitalMint negotiator, he was assigned to five active ransom cases and played both sides. He shared each victim's internal negotiating position and insurance policy limits directly with the BlackCat operators to maximize the demand. Those five victims paid a combined $75 million. Goldberg and Martin's own attacks were smaller in scale, netting $1.3 million from one victim, but the access pattern was the same: legitimate credentials, full visibility into victim systems, and no one watching the watchers. Martino's sentencing is scheduled for July 9.

Goldberg fled the country on a one-way flight to Paris after the FBI opened its investigation. The Bureau tracked him through ten countries before he was arrested landing in Mexico City and deported. The maximum sentence was 20 years. Both received four.

The Takeaway
The access your incident response firm gets on day one of an engagement is the same access an attacker needs to own you. Before your next IR retainer renewal, your CISO and General Counsel should confirm the contract includes background check requirements for anyone who touches your systems, activity logging for every session, and clear boundaries on what they can access and when. The firms that already do this won't mind being asked. The ones that push back are telling you something.

6. Southeast Asia Stopped Waiting for the Strait to Reopen

The Association of Southeast Asian Nations (ASEAN), a bloc of eleven countries including Indonesia, the Philippines, Thailand, Vietnam, and Singapore, activated its first collective economic defense on April 27. In a special energy ministers' meeting, all members committed to no export bans on essential goods and moved to ratify the ASEAN Petroleum Security Agreement, a fuel-sharing framework originally signed in 1986 but never put into practice. For 40 years it sat on a shelf. The Hormuz closure pulled it down.

The urgency is arithmetic. More than 80 percent of the oil and liquefied natural gas that transits Hormuz is headed to Asia. Southeast Asian economies run on imported energy. When that supply is cut, the cost doesn't stay in the fuel budget. It moves through fertilizer into food prices, through shipping into manufacturing input costs, through diesel into last-mile logistics. ASEAN ministers named the fertilizer-to-food chain explicitly in their joint statement. The World Bank projects fertilizer prices will rise 31 percent this year, with urea up 60 percent. That hits rice production costs across the region.

The joint statement goes to the 48th ASEAN Summit in Cebu, Philippines on May 7-8, where heads of state are expected to formally adopt the petroleum security pact. The Economic Research Institute for ASEAN proposed a regional joint oil stockpiling mechanism alongside it. These are governments that compete with each other on trade, manufacturing, and foreign investment. They are coordinating on energy because the alternative is competing for scarce fuel during a shortage none of them can solve alone.

The Takeaway
This affects more than your supply chain. If your company has operations, employees, or customers in Southeast Asia, rising energy and food costs hit your workforce's cost of living, your facilities' operating expenses, and your customers' spending power at the same time. Your COO and regional leads should be pressure-testing supplier pricing commitments this month. Shipping costs move first. Supplier price increases follow. Wage pressure and softer customer demand come last but hit hardest.

7. The Railroad That Bypasses Beijing

A consortium backed by the Africa Finance Corporation, the African Development Bank, and the Italian government committed $1.3 billion in April to build 830 kilometers of rail connecting Zambia's copper belt to Angola's Atlantic port of Lobito. The project cuts transit time from over a month by truck to seven days by rail. Total cost is $5 billion. Ground breaks before the end of the year, with financial close expected Q4 2027 and freight moving by 2030.

The route exists because of what it avoids. The Democratic Republic of Congo produces 70 percent of the world's cobalt and is among the world's largest copper producers. Cobalt and copper are not niche commodities. They are in EV batteries, aerospace components, defense systems, medical devices, smartphones, and industrial wiring. Today, most of that output ships east through Chinese-built infrastructure to Chinese refineries via routes China finances and operates, including the TAZARA railway (a Chinese-built line linking Zambia to Tanzania's Indian Ocean coast). The Lobito Corridor runs the opposite direction, west to the Atlantic, bypassing Chinese-controlled logistics entirely.

Washington and Brussels are not subtle about the intent. The US International Development Finance Corporation already committed $553 million for the Angolan section of the corridor and titles the project "strengthening critical mineral supply chains by countering China's dominance." The EU backs it through its Partnership for Global Infrastructure and Investment. A 30-year operating concession is held by commodities trader Trafigura and Portuguese construction firm Mota-Engil, with the Africa Finance Corporation lining up at least ten additional international lenders including Citi.

The corridor needs 2.5 to 3 million tons of annual freight to break even. Current commitments sit at one million. The gap between viability and commitment is the risk. But the gap between having one supply route through a geopolitical competitor and having two through different oceans is the reason the money showed up.

The Takeaway
Last week this newsletter reported China shutting down sulfuric acid exports to squeeze global copper and nickel processing. Copper and cobalt refining run through the same country. If your products contain either mineral and 100 percent of your supply routes through Chinese-controlled logistics, you carry concentration risk that a single export restriction can activate overnight. Your procurement lead should be flagging this corridor in the next supplier review. It doesn't move freight until 2030, but the contracts signed this year determine whether you have a second option when it does.
