NSA “Learned Its Lesson” About Crypto Backdoors -- Take Their Word For It

Some years ago, the US National Security Agency was quite keen to see the “Dual EC DRBG” pseudorandom number generator become widely adopted for secure encryption purposes <https://www.theregister.com/2020/10/28/nsa_backdoor_wyden/>. But two independent researchers at Microsoft discovered that there were weaknesses in the algorithm that could be exploited to implant a backdoor -- that is, it was possible to compromise the algorithm such that the output still looked random, but a knowledgeable attacker would be able to predict enough statistical characteristics of the bitstream to fatally weaken its randomness. Naturally you can figure out what the NSA were assuming -- that they would be the only ones in the world with the capability to take advantage of such a weakness. This turned out to be wrong. Apparently a report was written up about “lessons learned” from this episode (would it be too much to assume it concluded that such backdoors should never be planted again?) ... but the NSA cannot find the report.
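To make the "looks random, but the right secret predicts everything" property concrete, here is an added toy model of the Dual EC DRBG trapdoor. It is not code from the post, from NIST or from the NSA: it replaces the P-256 curve with the multiplicative group of a prime field, drops the 16-bit output truncation the real generator uses, and all constants (the modulus, the base `P_GEN = 3`, the seed, the exponent `k`) are constructed for the illustration. The structure is the one published by Shumow and Ferguson in 2007: the generator uses two public constants P and Q, and whoever chose Q such that P = Q^e for a private e can turn a single output into the generator's next internal state.

```python
# Added example (not from the post): a toy trapdoor PRNG with the shape of
# Dual EC DRBG, built over the multiplicative group of a prime field rather
# than the P-256 curve, with no output truncation.  All constants below are
# constructed for the illustration.

P_MOD = 2**61 - 1          # Mersenne prime; every nonzero x satisfies x^(P_MOD-1) == 1
ORDER = P_MOD - 1
P_GEN = 3                  # stands in for the public base point "P" (constructed choice)


def make_params(k):
    """Return (Q, e): the second public constant Q = P^k and the trapdoor e.

    Whoever picks Q this way can keep k (or e = k^-1 mod ORDER) private; with
    it, P == Q^e.  Everyone else sees only P and Q and would need a discrete
    logarithm to find e.  k must be coprime to ORDER for the inverse to exist.
    """
    e = pow(k, -1, ORDER)             # raises ValueError if gcd(k, ORDER) != 1
    q = pow(P_GEN, k, P_MOD)
    assert pow(q, e, P_MOD) == P_GEN  # the trapdoor relation P = Q^e
    return q, e


class TrapdoorDrbg:
    """One Dual-EC-shaped step: r = P^s, new state s' = P^r, output = Q^r."""

    def __init__(self, seed, q):
        self.s = seed % P_MOD
        self.q = q

    def next(self):
        r = pow(P_GEN, self.s, P_MOD)
        self.s = pow(P_GEN, r, P_MOD)      # s' = P^r  (meant to stay secret)
        return pow(self.q, r, P_MOD)       # Q^r      (handed out as "random")


def recover_state(output, e):
    """Trapdoor holder: (Q^r)^e = P^(r*k*e) = P^r = s', the generator's new state."""
    return pow(output, e, P_MOD)


def predict(state, q, n):
    """Run a clone from the recovered state to obtain the victim's next n outputs."""
    clone = TrapdoorDrbg(state, q)
    return [clone.next() for _ in range(n)]


def demo(seed=0xC0FFEE, k=1_000_003, n=3):
    """Return (trapdoor predictions, victim's actual outputs); equal iff the backdoor works."""
    q, e = make_params(k)
    victim = TrapdoorDrbg(seed, q)
    first = victim.next()               # one leaked output is all the trapdoor needs
    guessed = predict(recover_state(first, e), q, n)
    actual = [victim.next() for _ in range(n)]
    return guessed, actual


if __name__ == "__main__":
    guessed, actual = demo()
    print("trapdoor prediction matches victim output:", guessed == actual)
```

The defensive lesson sits in `make_params`: the trapdoor exists only because Q was derived from P by someone who kept k. A Q generated by a published, verifiable process (for example, derived from a hash of a fixed string) gives nobody that k, which is why reviewers asked where the Dual EC constants came from, and why an unexplained constant in a standard is a finding rather than a footnote.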
Participants (1): Lawrence D'Oliveiro