Romance scams cost victims hundreds of millions of dollars a year. As people grow increasingly isolated, and generative AI helps scammers scale their crimes, the problem could get worse.

Loneliness has never been more urgent. On top of the significant mental health concerns, the idea that people are now lonelier and having fewer social interactions is fueling very real threats to security. Foremost among these is one of today’s most pernicious digital frauds: romance scams, which exploit targets’ feelings of isolation and net fraudsters hundreds of millions of dollars per year. As scammers increasingly organize their workflows and incorporate new AI technologies, it’s becoming possible for them to deploy these scams at an even more vast scale.

Romance scams, also known as confidence scams, are extremely communication-intensive. They require attackers to build relationships with their targets via dating apps and social media. So while generative AI chatbots are already being used to write scripts and converse in multiple languages for other types of fraud, they can’t quite pull off these romance scams on their own. But with the vulnerable population growing, researchers believe there is real potential for automation to provide a boon to scammers.

“These frauds are growing into a more organized form,” says Fangzhou Wang, an assistant professor researching cybercrime at the University of Texas at Arlington. “They are hiring individuals from all over the world, meaning that they can target all different kinds of victims. Everybody is using dating apps and social media. There are all these opportunities that give fraudsters fertile ground.”

Romance fraud is already big business for scammers. People in the US have reported losses of nearly $4.5 billion to romance and confidence fraud over the past decade, according to an analysis of the last 10 years of data from the FBI’s annual internet crime reports. (The most recent data available encompasses up to the end of 2023.) According to the FBI’s figures, romance and confidence scams have led to losses of around $600 million for each of the past five years—except for 2021, when losses peaked at almost $1 billion. Some estimates are even higher. And while there has been some decrease in the amount of money lost to romance scammers in recent years, there has been a rise in so-called pig butchering fraud, which often contains elements of confidence scams.

Romance scams begin all over the internet, from criminals blasting out messages on Facebook to hundreds of victims at a time, to others matching with every profile they see on dating apps. A variety of criminals run romance scams, from “Yahoo Boys” in West Africa to giant scam compounds in Southeast Asia. However, once a criminal has made contact with a potential victim, they all follow an eerily similar playbook to build emotional attachment with those they are attempting to defraud.

“Romance fraud is the most devastating fraud to be a victim of, bar none,” says Elisabeth Carter, an associate professor of criminology at Kingston University London, who has extensively studied these scams and their impacts on people.

Online dating has taken years to integrate into mainstream conceptions of relationships and love, but it is now the norm. As generative AI chatbots have found their way onto scores of smartphones, they have quickly become yet another digital avenue for romance and connection. While it would be difficult with current technology to farm out a romance scam to a chatbot entirely, the potential is clearly there for attackers to use generative AI for creating scam scripts and helping fill in content for more and more chats that are all running simultaneously, even in multiple languages.

UTA’s Wang notes that while she hasn’t assessed whether scammers are using generative AI to produce romance scam scripts, she is seeing evidence that they are using it to produce content for online dating profiles. “I think it is something that has already happened, unfortunately,” she says. “Scammers right now are just using AI-generated profiles.”

Some criminals in Southeast Asia are already building AI tools into their scamming operations, with a United Nations report in October saying organized crime efforts have been “generating personalized scripts to deceive victims while engaging in real-time conversations in hundreds of languages.” Google says scam emails to businesses are being generated with AI. And separately, the FBI has noted, AI allows criminals to more quickly message victims.

Criminals will use a range of manipulation tactics to entrap their victims and build up their perceived romantic relationships. This includes asking intimate questions of their potential victims that only a trusted confidant would ask—for example, questions about relationships or dating history. Attackers also build intimacy through a technique known as “love bombing,” in which they use terms of endearment to try to rapidly advance a feeling of connection and closeness. As romance scams progress, it is very common for attackers to start saying that victims are their girlfriend or boyfriend, or even call them “husband” or “wife” as a way of signaling their devotion.

Carter emphasizes that a core tactic used by romance scammers is to make their heartthrob personas seem hapless and vulnerable. Criminals lurking on dating apps, for example, will sometimes even claim that they were previously scammed and are wary of trusting anyone new. This names the elephant in the room right away and makes it seem less likely that the person the victim is chatting with could be a scammer.

When it comes to extorting money from their victims, this vulnerability is crucial. “They will do things like explain that they have some kind of cash-flow problem in their business, not ask for money, drop it, then maybe a few weeks later bring it back up again,” Carter says. At which point, she explains, the person being manipulated may want to help and proactively offer to send money. Attackers may even go so far, at first, as to argue with victims and attempt to dissuade them from sending funds, all to manipulate targets into believing that it is not only safe but also important to take a stand and assist someone they care about.

“It's never framed as the perpetrator wanting money for themselves,” Carter says. “There is a real link between the language of fraud criminals and the language of domestic abusers and coercive controllers.”

In a lot of cases, criminals find romance scam success with people who are struggling with feelings of loneliness, says Brian Mason, a constable with the Edmonton Police Service in Alberta, Canada, who works with the victims of scams. “Especially with romance scams, it’s very difficult to convince the person that the person they’re speaking with is not in love,” he says.

Mason says that in one instance he spent two years working with a victim of a romance scam and found out, when updating them on the case, that they had been back in touch with their scammer. “He looped her back in and got her to start sending money again, and she was doing it just so she could see his photos, because she was lonely,” Mason explains. At the end of 2023, the World Health Organization declared high levels of loneliness to be an ongoing threat to people’s health.

Stigma and embarrassment are major reasons that it can be difficult for victims to accept the reality of their situation. And Kingston’s Carter notes that attackers exploit this from the start by telling victims that their conversations should stay between them, because the relationship is too special and no one will understand. Keeping the relationship secret, combined with tactics to trick the victim into offering money rather than asking for it, can make it difficult for even the most careful, thoughtful person to grasp the manipulation that’s happening.

Scammers “dull down red flags and alarm bells; they hide them,” Carter says. “The victim not only has a lot of money taken from them, but it’s taken from them by the person that they love and trust the most in that moment. Just because it's online, just because it was completely fake, doesn't mean it wasn't real to them.”

The Loneliness Epidemic Is a Security Crisis

Despite high-profile attention and even US sanctions, the group hasn’t stopped or even slowed its operation, including the breach of two more US telecoms.

When the Chinese hacker group known as Salt Typhoon was revealed last fall to have deeply penetrated major US telecommunications companies—ultimately breaching no fewer than nine of the phone carriers and accessing Americans' texts and calls in real time—that hacking campaign was treated as a four-alarm fire by the US government. Yet even after those hackers' high-profile exposure, they've continued their spree of breaking into telecom networks worldwide, including more in the US.

Researchers at cybersecurity firm Recorded Future on Wednesday night revealed in a report that they've seen Salt Typhoon breach five telecoms and internet service providers around the world, as well as more than a dozen universities from Utah to Vietnam, all between December and January. The telecoms include one US internet service provider and telecom firm and another US-based subsidiary of a UK telecom, according to the company's analysts, though they declined to name those victims to WIRED.

“They’re super active, and they continue to be super active,” says Levi Gundert, who leads Recorded Future's research team known as Insikt Group. “I think there's just a general under-appreciation for how aggressive they are being in turning telecommunications networks into Swiss cheese.”

To carry out this latest campaign of intrusions, Salt Typhoon—which Recorded Future tracks under its own name, RedMike, rather than the Typhoon handle created by Microsoft—has targeted the internet-exposed web interfaces of Cisco's IOS software, which runs on the networking giant's routers and switches. The hackers exploited two different vulnerabilities in those devices' code, one of which grants initial access, and another that provides root privileges, giving the hackers full control of an often powerful piece of equipment with access to a victim's network.

“Any time you're embedded in communication networks on infrastructure like routers, you have the keys to the kingdom in what you're able to access and observe and exfiltrate,” Gundert says.

Recorded Future found more than 12,000 Cisco devices whose web interfaces were exposed online, and says that the hackers targeted more than a thousand of those devices installed in networks worldwide. Of those, they appear to have focused on a smaller subset of telecoms and university networks whose Cisco devices they successfully exploited. For those selected targets, Salt Typhoon configured the hacked Cisco devices to connect to the hackers' own command-and-control servers via generic routing encapsulation, or GRE tunnels—a protocol used to set up private communications channels—then used those connections to maintain their access and steal data.

When WIRED reached out to Cisco for comment, the company pointed to a security advisory it published about vulnerabilities in the web interface of its IOS software in 2023. “We continue to strongly urge customers to follow recommendations outlined in the advisory and upgrade to the available fixed software release,” a spokesperson wrote in a statement.

Hacking network appliances as entry points to target victims—often by exploiting known vulnerabilities that device owners have failed to patch—has become standard operating procedure for Salt Typhoon and other Chinese hacking groups. That's in part because those network devices lack many of the security controls and monitoring software that's been extended to more traditional computing devices like servers and PCs. Recorded Future notes in its report that sophisticated Chinese espionage teams have targeted those vulnerable network appliances as a primary intrusion technique for at least five years.

That Salt Typhoon continues to carry out business as usual is nonetheless notable, Recorded Future's analysts say. The group's activities have been exposed in the media, in government reports and announcements issued by the FCC, CISA, and the White House, even in sanctions issued by the US Treasury. But that hasn't caused the hackers to change course. On January 17, Treasury sanctioned Sichuan Juxinhe Network Technology, a cybersecurity firm allegedly linked to Salt Typhoon's operations. And yet, Gundert says, Recorded Future hasn't seen any cessation or slowdown of the hackers' activities even since that date.

“That's the disappointing part about this,” says Gundert. “Even with all the attention, we haven't observed any real change in the volume or velocity of attacks, even in the same target demographic of telecommunications.”

After Salt Typhoon's hacking campaign targeting US telecom networks came to light last fall, then FBI director Christopher Wray described the phone company breaches as China's “most significant cyber-espionage campaign in history.” The intrusions, which in some cases exploited the wiretap mechanisms built into telecoms for law enforcement use, prompted CISA and FBI officials to go so far as to recommend that Americans use end-to-end encrypted communication apps like Signal and WhatsApp to avoid leaving their texts and calls vulnerable to China's real-time spying.

In this latest rash of intrusions, Recorded Future says it's seen the Chinese hackers break into not only the US internet service provider and telecommunications firm and a US affiliate of a UK telecom, but also telecoms in South Africa and Thailand and an internet service provider in Italy, though it declined to name any of those victims. It's also seen the group target a broader range of universities around the world for apparent espionage, including in Argentina, Bangladesh, Indonesia, Malaysia, Mexico, Netherland, Thailand, Vietnam, and the US—including the University of California, California State, Utah Tech, and Loyola University.

Recorded Future says it was able to gain visibility into those intrusions by identifying command-and-control infrastructure used by Salt Typhoon, though it didn't further explain its methodology. The company's analysts note that there may well be other parts of the group's hacking campaign—and other victims—that it hasn't discovered.

“They've only gotten more bold,” says Jon Condra, another Recorded Future analyst. “I strongly suspect it's much larger than what we’ve seen.”

China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers

A team Microsoft calls BadPilot is acting as Sandworm's “initial access operation,” the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.

Over the last decade, the Kremlin's most aggressive cyberwar unit, known as Sandworm, has focused its hacking campaigns on tormenting Ukraine, even more so since Russian president Vladimir Putin's full-scale invasion of Russia's neighbor. Now Microsoft is warning that a team within that notorious hacking group has shifted its targeting, indiscriminately working to breach networks worldwide—and, in the last year, has seemed to show a particular interest in networks in English-speaking Western countries.

On Wednesday, Microsoft's threat intelligence team published new research into a group within Sandworm that the company’s analysts are calling BadPilot. Microsoft describes the team as an “initial access operation” focused on breaching and gaining a foothold in victim networks before handing off that access to other hackers within Sandworm’s larger organization, which security researchers have for years identified as a unit of Russia’s GRU military intelligence agency. After BadPilot's initial breaches, other Sandworm hackers have used its intrusions to move within victim networks and carry out effects such as stealing information or launching cyberattacks, Microsoft says.

Microsoft describes BadPilot as initiating a high volume of intrusion attempts, casting a wide net and then sorting through the results to focus on particular victims. Over the last three years, the company says, the geography of the group's targeting has evolved: In 2022, it set its sights almost entirely on Ukraine, then broadened its hacking in 2023 to networks worldwide, and then shifted again in 2024 to home in on victims in the US, the UK, Canada and Australia.

“We see them spraying out their attempts at initial access, seeing what comes back, and then focusing on the targets they like,” says Sherrod DeGrippo, Microsoft’s director of threat intelligence strategy. “They’re picking and choosing what makes sense to focus on. And they are focusing on those Western countries.”

Microsoft didn't name any specific victims of BadPilot's intrusions, but broadly stated that the hacker group's targets have included “energy, oil and gas, telecommunications, shipping, arms manufacturing,” and “international governments.” On at least three occasions, Microsoft says, its operations have led to data-destroying cyberattacks carried out by Sandworm against Ukrainian targets.

As for the more recent focus on Western networks, Microsoft's DeGrippo hints that the group's interests have likely been more related to politics. “Global elections are probably a reason for that,” DeGrippo says. “That changing political landscape, I think, is a motivator to change tactics and to change targets.”

Over the more than three years that Microsoft has tracked BadPilot, the group has sought to gain access to victim networks using known but unpatched vulnerabilities in internet-facing software, exploiting hackable flaws in Microsoft Exchange and Outlook, as well as applications from OpenFire, JetBrains, and Zimbra. In its targeting of Western networks over the last year in particular, Microsoft warns that BadPilot has specifically exploited a vulnerability in the remote access tool Connectwise ScreenConnect and Fortinet FortiClient EMS, another application for centrally managing Fortinet's security software on PCs.

After exploiting those vulnerabilities, Microsoft found that BadPilot typically installs software that gives it persistent access to a victim machine, often with legitimate remote access tools like Atera Agent or Splashtop Remote Services. In some cases, in a more unique twist, it also sets up a victim's computer to run as so-called onion service on the Tor anonymity network, essentially turning it into a server that communicates via Tor's collection of proxy machines to hide its communications.

Another, separate report Tuesday from the cybersecurity firm EclecticIQ pointed to an entirely distinct hacking campaign that firm also ties to Sandworm. Since late 2023, EclecticIQ found the hacker group has used a malware-infected Windows piracy tool, distributed via Bittorrent, to breach Ukrainian government networks. In those cases, EclecticIQ found, the hackers have installed a remote access tool called Dark Crystal RAT to carry out cyberespionage.

Any sign of Sandworm, which Microsoft refers to by the name Seashell Blizzard, raises alarms in part because the group has a history of hacking operations that go far beyond mere spying. Over the last decade, the group has caused at least three blackouts by targeting electric utilities in Ukraine—still the only such hacker-induced blackouts in history. The group also released the NotPetya malware that spread worldwide and did at least $10 billion in damage, and it used wiper malware to destroy countless networks in more targeted attacks across Ukraine both before and after the 2022 invasion.

Microsoft has so far found no evidence that, in BadPilot's targeting of Western networks specifically, Sandworm has shown any intention to carry out anything other than espionage. “This seems very early in terms of initial resource gathering, trying to get this much persistent access,” says Microsoft's DeGrippo. “Then we would have to wait to see what they do with it.”

But she notes that BadPilot is nonetheless tied to a larger group that has a history of highly disruptive cyberattacks. “Therefore," says DeGrippo, "the potential actions that they could take next is of deep concern.”

A Hacker Group Within Russia’s Notorious Sandworm Unit Is Breaching Western Networks

In a letter to a US senator, a Florida-based data broker says it obtained sensitive data on US military members in Germany from a Lithuanian firm, revealing the global nature of online ad surveillance.

Last year, a media investigation revealed that a Florida-based data broker, Datastream Group, was selling highly sensitive location data that tracked United States military and intelligence personnel overseas. At the time, the origin of that data was unknown.

Now, a letter sent to US senator Ron Wyden’s office that was obtained by an international collective of media outlets—including WIRED and 404 Media—reveals that the ultimate source of that data was Eskimi, a little-known Lithuanian ad-tech company.

Eskimi’s role highlights the opaque and interconnected nature of the location data industry: A Lithuanian company provided data on US military personnel in Germany to a data broker in Florida, which could then theoretically sell that data to essentially anyone.

“There’s a global insider threat risk, from some unknown advertising companies, and those companies are essentially breaking all these systems by abusing their access and selling this extremely sensitive data to brokers who further sell it to government and private interests,” says Zach Edwards, senior threat analyst at cybersecurity firm Silent Push, referring to the ad-tech ecosystem broadly.

In December, the joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org analyzed a free sample of location data provided by Datastream. The investigation revealed that Datastream was offering access to precise location data from devices likely belonging to American military and intelligence personnel overseas—including at German airbases believed to store US nuclear weapons. Datastream is a data broker in the location data history, sourcing data from other providers and then selling it to customers. Its website previously said it offered “internet advertising data coupled with hashed emails, cookies, and mobile location data.”

That dataset contained 3.6 billion location coordinates, some logged at millisecond intervals, from up to 11 million mobile advertising IDs in Germany over a one-month period. The data was likely collected through SDKs (software development kits) embedded in mobile apps by developers who knowingly integrate tracking tools in exchange for revenue-sharing agreements with data brokers.

Following this reporting, Wyden’s office demanded answers from Datastream Group about its role in trafficking the location data of US military personnel. In response, Datastream identified Eskimi as its source, stating it obtained the data “legitimately from a respected third-party provider, Eskimi.com.” Vytautas Paukstys, CEO of Eskimi, says that “Eskimi does not have or have ever had any commercial relationship with Datasys/Datastream Group,” referring to another name that Datastream has used, and that Eskimi “is not a data broker.”

In an email responding to detailed questions from the reporting collective, M. Seth Lubin, an attorney representing Datastream Group, described the data as lawfully sourced from a third party. While Lubin acknowledged to Wyden that the data was intended for use in digital advertising, he stressed to the reporting collective that it was never intended for resale. Lubin declined to disclose the source of the data, citing a nondisclosure agreement, and dismissed the reporting collective’s analysis as reckless and misleading.

The Department of Defense (DOD) declined to answer specific questions related to our investigation. However, in December, DOD spokesperson Javan Rasnake said that the Pentagon is aware that geolocation services could put personnel at risk and urged service members to remember their training and adhere strictly to operational security protocols.

In an email, Keith Chu, chief communications adviser and deputy policy director for Wyden, explained how their office has tried to engage with Eskimi and Lithuania’s Data Protection Authority (DPA) for months. The office contacted Eskimi on November 21 and has not received a response, Chu says. Staff then contacted the DPA multiple times, “raising concerns about the national security impact of a Lithuanian company selling location data of US military personnel serving overseas.” After receiving no response, Wyden staff contacted the defense attaché at the Lithuanian embassy in Washington, DC.

It was only after that, and on January 13, that the DPA responded, asking for more information. “Once additional information is received, we will assess the situation within the scope of our competence and determine the appropriate course of action,” the DPA said, according to Chu.

The Lithuanian DPA told reporters in an email that it “currently is not investigating this company” and it “is gathering information and assessing the situation in order to be prepared to take well-informed actions, if needed.” If the Lithuanian DPA does decide to investigate and finds Eskimi in violation of GDPR provisions, the company could face significant consequences—including fines up to €20 million.

Wyden’s office also contacted Google in November, to alert them to Datastream saying that Eskimi, a Google advertising partner, was selling the location data of DOD personnel overseas, Chu says.

Jacel Booth, Google spokesperson, wrote in an email that “Eskimi is currently part of Google’s Authorized Buyer program and must abide by our policies.”

“Google regularly audits its Authorized Buyers program participants, and reviews allegations of potential misconduct,” the spokesperson adds.

Even if Google does act against Eskimi, there may be plenty more advertising companies ready to sell harvested location data.

“Advertising companies are merely surveillance companies with better business models,” Edwards says.

_This story was produced as part of an ongoing reporting project from an international coalition of media outlets, including Netzpolitik.org and Bayerischer Rundfunk (Germany), Schweizer Radio und Fernsehen (Switzerland), BNR Nieuwsradio (Netherlands), NRK (Norway), Dagens Nyheter (Sweden), Le Monde (France), and WIRED and 404 Media (US)._

This Ad-Tech Company Is Powering Surveillance of US Military Personnel

Services supporting victims of online child exploitation and trafficking around the world have faced USAID and State Department cuts—and children are suffering as a result, sources tell WIRED.

As Elon Musk’s Department of Government Efficiency (DOGE) has ravaged its way though the United States Agency for International Development (USAID), cutting its workforce from 10,000 to just 300, hundreds of organizations providing vital safety services have been upended. Multiple children’s safety groups—including those fighting online child sexual abuse and exploitation—say their efforts have been severely hamstrung.

Groups identifying victims and providing care for those who have been subject to online exploitation or human trafficking are struggling to support the vulnerable children, multiple organizations tell WIRED. Such child safety projects often take place in poorer countries, which can have fewer resources to support victims or investigate crimes. Sources say that funding for safe houses has been paused, potentially exposing victims to more harm, and efforts that identify criminals behind child exploitation have been put on hold.

“It will be very hard for us to identify the victims,” says Chantal Yelu Mulop, from the Coordination for Youth and the Fight Against Sexual Violence and Trafficking in Persons (CJVFFT), in the Democratic Republic of the Congo. While the war-torn country faces new fighting and humanitarian crises, children have long been trafficked to work in cobalt mines linked to the production of smartphone and EV batteries.

As USAID funding was withdrawn over the past week, Mulop says her organization had just started helping around 25 newly identified victims of human trafficking—all of them aged under 17. The group was taken to a support shelter run by another organization. “When we bring them there, USAID was ready to help. A few hours later they cancel,” Mulop says. “There’s no food, no nothing that we can provide to them,” she adds.

While the USAID cuts have been immediate, global child protection projects have also faced a funding pause from the State Department. This foreign aid “pause,” issued by the Trump administration, is set to last for at least 90 days. USAID did not respond to WIRED’s request for comment. The State Department had not provided a comment by time of publication.

Both government bodies have provided funding to help countries and people around the world. This includes USAID’s vast swath of health care and education programs—their withdrawal is putting millions of lives at risk and limits tackling the climate crisis. In Southeast Asia, several patients at a migrant camp reportedly died after medical support was removed.

Counter-human-trafficking funding often includes money for projects that help to crack down on online child exploitation and sexual abuse. Funding can be provided to international organizations that coordinate efforts and work with partners, like Mulop’s CJVFFT, on the ground. The funding can directly support victims, as well as providing expertise to officials in countries, and stop more children becoming targets.

“Many of these victims engage with their traffickers through electronic means,” says Jessica Ryckman, the executive director of the nonprofit Lawyers Without Borders (LWOB), which works on trafficking and child exploitation programs and has been impacted by the funding changes. “It is exploitation that is advanced through digital technology.”

Over the years, the programs have been effective. For instance, a four-year partnership between the US and the Philippines, which started under the first Trump administration and ended in 2021, helped protect hundreds of children: More than 350 kids were rescued and supported and almost 100 potential criminals arrested. The new cuts also come as record levels of online child sexual abuse imagery are being discovered.

“Victims and perpetrators alike originate from diverse regions and countries, underscoring the necessity for continued international engagement and coordinated efforts to address these crimes comprehensively,” says an employee of a South American child protection group that works to combat trafficking and online sexual abuse. The organization, like others in this story, was granted anonymity to speak given the sensitive nature of the work and uncertainty about future funding. “The interruption of these funds inevitably limits the scope and reach of these critical services,” it says.

One person, who works for an organization running multiple child protection projects, says operations in one southeastern European country have been widely disrupted. Within the country, the organization’s projects have 147 victims of trafficking in its care, the person says. “The ongoing pause and potentially the cessation of funding would have significant and negative impact on our capacity and ability to provide essential services to these victims who are in fragile stages of their recovery; some of whom are in ongoing programs for psycho-social counseling related to their trauma,” the person says.

Multiple members of LWOB say children are being put further at risk in the projects it runs in East Africa. “These children may not be identified, the practices to reduce their trauma aren't being supported right now,” says Ryckman. “Even if they are identified, they may be put in a pipeline where they are going to have to face ongoing interviews about their trauma or face their traffickers again.”

LWOB has, along with partner organizations, identified around 200 victims of human trafficking in Tanzania, with the majority referred to safe houses, says Lulu Makwale, a victim service coordinator at Lawyers Without Borders. “Most of the funding for the safe houses has been paused, meaning the services and the needs of the victim are also being paused too,” Makwale says. She says the organization has been linking up shelters to investigators up until now. “Victims may not be connected well now to the law enforcement,” Makwale says.

As well as supporting victims directly, many of the efforts also provide training or technical assistance to police forces, allowing them to better investigate crimes. One program listed on the State Department’s list of counter-trafficking funding says it is providing training to combat online child sexual exploitation for 10,000 police officers, prosecutors, and judges in 100 countries.

The person with links to work in a European country says their organization has 74 investigations into traffickers ongoing, plus 66 prosecutions that are underway. They say that the funding changes will have a “significant and negative impact on these criminal trials” and the safety of people who may give evidence in the cases.

Ryckman, from Lawyers Without Borders, says the organization recently completed work on an online database for identifying victims and tracking online child exploitation in Kenya. While the database is functional, Ryckman says, future work to train people has been paused, and there will be a slower uptake of the system. “I do believe it will be used, and it will be extremely useful,” Ryckman says. “But these victims are there now. They shouldn’t have to wait.”

US Funding Cuts Are Helping Criminals Get Away With Child Abuse and Human Trafficking

Swarms of weaponized unmanned surface vessels have proven formidable weapons in the Black and Red Seas. Can the US military learn the right lessons from it?

It was the most expensive war game in US military history, and the outcome was a disaster.

Conducted in 2002 and costing roughly $250 million to plan over two years, the so-called Millennium Challenge exercise pitted a Blue team representing the United States against a Red team representing a fictional state in the Persian Gulf, usually understood as Iran or Iraq, as a means of testing the US Defense Department’s post-Cold War doctrine based on advanced new technologies and concepts.

Despite the Blue Team’s ostensible military and technological superiority, the Red team, led by Marine Corps Lieutenant General Paul Van Riper, unleashed complete chaos upon its adversary using unanticipated asymmetric and unconventional tactics—most notably, a complex cruise missile attack followed by a wave of explosive-laden kamikaze speedboats that, in one 10-minute swarm, sank 19 Blue team warships and inflicted 20,000 simulated casualties on his adversary. The exercise was so disastrous that the Pentagon went on to impose arbitrary constraints on the Red team that all but ensured a Blue team victory, prompting Van Riper to quit as team leader in protest.

As part of its complicated legacy, Millennium Challenge 2002 had undermined the very advanced technologies it sought to validate, proving that a handful of small watercraft could, when deployed in coordinated swarms amid a larger attack, successfully outmaneuver larger surface warships with potentially deadly consequences. It’s a lesson the Pentagon all but ignored by stacking the deck in favor of the Blue team following the Red team’s initial victory. Now, more than two decades later, its lessons are playing out in battlefields around the world.

View of an explosion on a ship that Houthis say is an attack by them on Greek-owned MV Tutor in the Red Sea, dated June 12, 2024, in this screen grab obtained from a video.Photograph: HOUTHI MEDIA CENTRE/Reuters

Unmanned surface vessels (USVs) loaded with explosives and other lethal payloads are proving a fearsome weapon for ostensibly outgunned fighting forces. Amid Russia’s ongoing invasion, the Ukrainian military has successfully driven Moscow’s Black Sea Fleet from its safe harbor in Sevastopol in the annexed Crimean peninsula using a growing fleet of weaponized drone boats that aren’t just successfully targeting other surface vessels, but engaging shore targets with their own organic kamikaze first-person-view drones and knocking Russian aircraft out of the sky with machine guns and surface-to-air missiles. In the Red Sea, the Iranian-backed Houthi rebels in Yemen have employed explosive-laden watercraft to lesser effect in response to Israel's military campaign against Hamas in Gaza, successfully sinking the Liberia-flagged bulk carrier _MV Tutor_ in June 2024 and consistently disrupting international maritime traffic in the region.

The concept of kamikaze boats isn’t new: The US Navy learned this lesson firsthand in October 2000, when a small boat full of suicide bombers blew a hole in the side of the Arleigh Burke-class destroyer USS _Cole_ in Yemen’s Aden Harbor, killing 17 American sailors. But the Ukrainian and Houthi campaigns both represent weaker belligerents who have used complex attacks of missiles and drones, both airborne and maritime, to significantly disrupt their adversaries’ naval operations just as Van Riper did during Millennium Challenge decades ago.

“Within a few minutes, the US fleet was confronted with boats, cruise missiles, and aircraft, which overwhelmed the electronics and human decisionmaking,” Van Riper tells WIRED. “Small boats themselves have been demonstrated by Ukraine as useful, but to the degree they can be complemented with other systems they are even more effective.”

The US military has been steadily exploring the potential applications of USVs to naval warfare for years. Four large USVs associated with the US Navy’s Ghost Fleet Overlord initiative have been autonomously transiting oceans since at least 2018 as part of a large-scale effort to add unmanned systems to the surface fleet. In 2021, the Navy stood up Task Force 59 to “rapidly integrate unmanned systems and artificial intelligence with maritime operations” in the 5th Fleet area of operations in the Middle East, as officials announced at the time. The following year, the service established an Unmanned Surface Vessel Division to focus on building the “foundational knowledge” for the regular operation and sustainment of USVs. And in mid-2024, the service unveiled a new Robotic Warfare Specialist to focus on drone systems and stood up a separate squadron of small USVs explicitly “to deliver the most formidable, unmanned platforms in the maritime domain,” according to officials.

Commercial operators deploy Saildrone Voyager Unmanned Surface Vessels out to sea in the initial steps of U.S. 4th Fleet’s Operation Windward Stack during a launch from Naval Air Station Key West’s Mole Pier and Truman Harbor, on September 13, 2023.Photograph: Danette Baso Silvers/US NAVY

Today, USVs of all sizes are used for everything from surveillance and reconnaissance to mine sniffing, augmenting the existing surface fleet as floating sensor nodes for sailors aboard conventional warships.

The US isn’t alone in its newfound focus on drone boats. In December 2024, officials with the North Atlantic Treaty Organization (NATO) laid out plans for the alliance’s own fleet of small USVs to operate as a robotic surveillance network like “street-lighting” in busy Atlantic waterways. Then, in January, NATO’s Maritime Command announced that a contingent of 20 USVs would participate in NATO’s new Baltic Sentry operation, which is designed to safeguard sensitive communications, power cables, and other “critical infrastructure” throughout the Baltic Sea that have been the focus of sabotage efforts in recent years.

With the threat of a future conflict with China over Taiwan’s sovereignty looming on the horizon, the Navy has kicked its USV ambitions into high gear. As part of the Pentagon’s ongoing Replicator initiative launched in 2023 to quickly field both low-cost ("attritable," in US military speak) unmanned systems to US troops abroad ahead of the next big war with a “near-peer” adversary like Russia or China, the Navy has pursued the rapid production of swarms of small, networked USV “interceptors” through its Production-Ready Inexpensive Maritime Expeditionary (PRIME) Small Unmanned Surface Vehicle (sUSV) project. These interceptors are capable of “loitering in an assigned operating area while monitoring for maritime surface threats, and then sprinting to interdict a noncooperative, maneuvering vessel,” as the Defense Innovation Unit solicitation described them.

It’s unclear what those future interceptors may look like, but the Navy and Marine Corps have in recent years experimented with various armed USVs designed to engage adversary surface fleets with lethal payloads. They include the Textron Systems–produced Expeditionary Warfare USV armed with a .50 caliber machine gun and AGM-114 Hellfire missile system the Navy publicly debuted in August 2019; the Common Unmanned Surface Vehicle (CUSV) armed with a .50 cal for force protection Textron demonstrated in 2020; the Marine Corps’ Long Range Unmanned Surface Vessel (LRUSV) outfitted with a launcher for multiple Uvision Hero-120 loitering munitions the service debuted in May 2023; and the MARTAC T38 Devil Ray which successfully destroyed several seaborne targets with Lethal Miniature Aerial Missile System–launched loitering munitions during the Navy’s first two Digital Talon exercises in late 2023. In addition, the Navy’s fiscal year 2024 budget request sought to fund an experiment to test a notional Multi-domain Area Denial from Small-USV (MADS), an unmanned Global Autonomous Reconnaissance Craft outfitted with surface-to-air FIM-92 Stinger missile launchers designed to defend larger vessels against airborne attacks.

“During future conflicts, US and allied forces will be greatly outnumbered by peer or near-peer competitors in both tactical platforms and munitions,” as the Navy’s budget documents described the logic behind the MADS experiment. “Large numbers of small, low signature, attritable unmanned missile launching vessels have the potential to improve surface force magazine depth and reduce risk to force in denied areas.”

A Lethal Miniature Aerial Missile System launches munitions from a MARTAC T-38 Devil Ray unmanned surface vehicle, attached to U.S. Naval Forces Central Command’s Task Force 59, during Exercise Digital Talon in the Arabian Gulf on October 23, 2023.Photograph: Chief Mass Communication Specialist Justin Stumberg/US NAVY

The Navy’s armed USV efforts appear to have culminated in Project 33, a new initiative unveiled as part of Chief of Naval Operations Admiral Lisa Franchetti’s 2024 Navigation Plan in September 2024 that focuses on, among other targets, “scal\[ing\] robotic and autonomous systems to integrate more platforms at speed” in an ostensible complement to the Pentagon’s larger Replicator effort, designed to outfit American fleets with armed robot boats ahead of a potential future war with China.

“This Navigation Plan drives toward two strategic ends: readiness for the possibility of war with the People’s Republic of China by 2027 and enhancing the Navy’s long-term advantage,” as Franchetti wrote at the time. “We will work towards these ends through two mutually reinforcing ways: implementing Project 33 and expanding the Navy’s contribution to the Joint warfighting ecosystem … By 2027, we will integrate proven robotic and autonomous systems for routine use by the commanders who will employ them.”

The Defense Department seems confident that the Navy’s robotic push will help prepare the US military for the possibility of war with China, but some seasoned military and defense observers have their misgivings. Van Riper points to Marine Corps’ Force Design 2030, a reorganization of the service ahead of a notional island-hopping conflict against China in the Pacific, as evidence that the Pentagon still hasn’t learned the right lessons from Millennium Challenge 2002.

The Marine Corps “was known for being an air-ground combined arms rapid-response deployed around the world,” Van Riper tells WIRED. “Now it has divested itself of every element of combined arms or reduced it, getting rid of its armor, breaching vehicles, mine clearing, and assault bridging capabilities, cutting its infantry and aviation, all to buy missiles and go on the defense in the Pacific. The Marine Corps got rid of existing capabilities in favor of unproven or undelivered capabilities.”

Indeed, the US military’s propensity to fixate on next-generation technology like drone boats as a one-size-fits-all combat solution may obscure those tactical lessons in combined arms evident in the Ukrainian campaign in the Red Sea, Van Riper says.

“You shouldn’t take the use of drones in isolation with what Ukraine is doing,” Van Riper says. “We presented the Navy fleet \[in Millennium Challenge 2002\] with multiple challenges, which is really what combined arms is. What you’re doing is presenting the enemy with a dilemma: If he tries to protect himself against threat A, he’s vulnerable to threat B, and with threats C, D, and E, he’s unable to handle it. In Ukraine, boats plus missiles and aircraft are more difficult for the Russians to respond to.”

“I’m not sure the US military today is equipped to learn from those things,” he adds. “I’m depressed from the leadership on all levels, particularly the naval services.”

The Rise of the Drone Boats

Plus: Benjamin Netanyahu gives Donald Trump a golden pager, Hewlett Packard Enterprise blames Russian government hackers for a breach, and more.

As Elon Musk and his so-called Department of Government Efficiency rampage through United States federal institutions, WIRED reported extensively this week on DOGE’s members, activity, and digital access to some of the US government's most delicate and critical software systems. One DOGE technologist, 19-year-old high school graduate Edward Coristine, established at least five different companies in the past four years—including Tesla.Sexy LLC—and briefly worked at a network monitoring company that has hired convicted hackers. Experts question whether Coristine, who has gone by the name “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

Meanwhile, DOGE’s apparent dismantling of USAID coupled with the US State Department's funding freeze have dramatically disrupted efforts to help people escape forced labor camps in Southeast Asia run by criminal scammers.

Outside of US government news, WIRED conducted an investigation into more than 300 cyberattacks in the past five years against US K–12 schools and found that victim schools sometimes withhold critical information about the scale and scope of the breaches from impacted students and parents. In slightly better news, data from the cryptocurrency tracing firm Chainalysis shows that ransomware payments fell precipitously in the second half of 2024. Experts fear, though, that the brief reprieve could be short-lived and may not be easy for defenders to sustain.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**UK Home Secretary Orders Apple Enable Access to Encrypted iCloud Backups**

The Washington Post reported on Friday that Apple has received a secret order from the UK office of the Home Secretary mandating the company to provide a way to access any user data protected by the company’s Advanced Data Protection for iCloud. The feature, which debuted at the end of 2022, is designed with end-to-end encryption so only users themselves, not Apple, have access to their data. As a result, complying with the UK demand would require Apple to break the feature by building a backdoor into it. Sources told the Post that rather than install a backdoor, Apple is likely to withdraw support for Advanced Data Protection for iCloud in the UK. “Yet that concession would not fulfill the UK demand for backdoor access to the service in other countries, including the United States,” the Post noted.

The order was issued under the UK’s broad 2016 Investigatory Powers Act. UK law enforcement agencies, not to mention cops in the US and other countries, have championed encryption backdoors for years, and lawmakers have tried at various times to mandate backdoors. The Home Office told the Post in a statement, “We do not comment on operational matters, including for example confirming or denying the existence of any such notices.” An Apple spokesperson declined to comment to the Post.

**Israel’s Netanyahu Gave Trump a Golden Pager During Washington Meeting**

Israeli prime minister Benjamin Netanyahu gave President Donald Trump a golden pager when the two met in Washington on Tuesday. The gift references a September attack in Lebanon against the militant group Hezbollah in which booby-trapped pagers (and walkie-talkies) detonated in coordinated explosions around the country. The operation killed at least 42 people, including some civilians, and injured at least 4,000 civilians, according to Lebanese officials. The attack has been widely attributed to Israel, but the country has neither confirmed nor denied its involvement. At the meeting Trump apparently gave Netanyahu a signed photograph of the two of them, which he signed, “To Bibi, a great leader!”

**Hewlett Packard Enterprise Says Russian Government Hackers Stole Some Users’ Sensitive Data**

Hewlett Packard Enterprise has been notifying dozens of users that their personal information was stolen during a 2023 breach. The company is attributing the attack to Russian state-backed hackers. The stolen data included Social Security numbers, driver’s license information, and credit card numbers. The incident began as a system intrusion in May 2023 into HPE’s email mailboxes and Microsoft SharePoint systems. HPE publicly disclosed the incident in January 2024.

**PowerSchool Data Breach Impacted Students Outside the US, Including 16,000 in the UK**

The edtech giant PowerSchool says that at least 16,000 students in the United Kingdom had their data stolen as part of a massive December data breach that may have affected 62 million students and 9.5 million teachers, most of them in the US and Canada. Attackers used compromised credentials to infiltrate the company’s customer support portal and then access user data.

PowerSchool spokesperson Beth Keebler confirmed to TechCrunch in a statement that students at four UK schools were affected totaling “approximately 16,000 students.” It is not clear if this is the total number of UK victims. The compromised data includes students’ dates of birth, contact information, some medical data, and “other related information.”

UK Secret Order Demands That Apple Give Access to Users’ Encrypted Data

The ACLU says it stands ready to sue for access to government records that detail DOGE’s access to sensitive personnel data.

The American Civil Liberties Union (ACLU) told federal lawmakers on Friday that Elon Musk and his Department of Government Efficiency (DOGE) have seized control of a number of federal computer systems that house data tightly restricted under federal statutes. In some cases, any deviations in the manner in which the data is being used may be not only illegal, the ACLU says, but unconstitutional.

DOGE operatives have infiltrated or assumed control of a number of federal agencies that are responsible for managing personnel files on nearly 2 million federal employees, as well as offices that supply the government with a broad range of software and information technology services.

Unauthorized use of sensitive or personally identifiable data as part of an effort to purge the government of ideologically unaligned staff may constitute a violation of federal law. The Privacy Act and the Federal Information Security Modernization Act strictly prohibit, for instance, unauthorized access and use of government personnel data.

In a letter to members of several congressional oversight committees, ACLU attorneys highlighted DOGE’s access to Treasury systems that handle a “majority” of federal payments, which includes details on Social Security benefits, tax refunds, and salaries. Citing WIRED reporting from Tuesday, the attorneys note that, in addition to choking off funding to specific agencies or individuals, this grants DOGE access to “troves of personal information,” including “millions of Social Security numbers, bank accounts, business finances, and personal finances.”

The attorneys write: “Access to—and abuse of—that information could harm millions of people. Young engineers, with no experience in human resources, governmental benefits, or legal requirements around privacy have gained unprecedented surveillance over payments to federal employees, Social Security recipients, and small businesses—and with it, control over those payments.”

The ACLU attorneys stress that, under normal circumstances, these systems would fall under the control of career civil servants with years of training and experience in managing sensitive data, all of whom survived a comprehensive vetting process.

The group has also filed Freedom of Information Act (FOIA) requests for the communications records of identified DOGE personnel, as well as for details of any requests the task force may have made for access to sensitive and personal data at the Office of Personnel Management (OPM).

Other files the ACLU seeks pertain to DOGE’s plans to deploy artificial intelligence tools across the government, as well as any plans or discussions about how the task force plans to conform to the litany of federal laws safeguarding sensitive financial and medical information, such as the the Health Information Portability and Accountability Act (HIPAA).

WIRED first reported Thursday that DOGE operatives at the General Services Administration, which manages the US government’s IT infrastructure, had begun pushing to rapidly deploy a homebrew AI chatbot called “GSAi.” A source with knowledge of GSA's prior dealings with AI tells WIRED that the agency launched a pilot program last fall aimed at testing the use of Gemini, a chatbot adapted for Google Workplace. DOGE quickly determined, however, that Gemini would not provide the level of data desired by the task force.

It's unclear whether GSA has assessed the privacy impacts of deploying the GSAi chatbot—a requirement under federal law.

The ACLU tells WIRED it is prepared to pursue all options in obtaining the documents, including lawsuits, if necessary.

“The American people deserve to know if their private financial, medical, and personal records are being illegally accessed, analyzed, or weaponized,” says Nathan Freed Wessler, deputy director of ACLU’s Speech, Privacy, and Technology Project. “There’s every indication that DOGE has forced its way into the government’s most tightly protected databases and systems, without consideration of long-standing privacy safeguards mandated by Congress. We need answers now.”

The ACLU’s warning was directed at the chairs and ranking members of the House Committee on Energy and Commerce, the House Committee on Financial Services, the House Committee on Ways and Means, and the Senate Committee on Finance.

“Presidential overreach that violates our privacy and attacks funding for critical programs is going to hurt people across the country—potentially undermining Social Security, payments to small businesses, and programs that support children and families,” Cody Venzke, senior policy counsel at ACLU, tells WIRED. “Congress must meet its constitutional responsibility and ensure that the president is carrying out the law, not flouting it.”

ACLU Warns DOGE’s ‘Unchecked’ Access Could Violate Federal Law

Experts question whether Edward Coristine, a DOGE staffer who has gone by “Big Balls” online, would pass the background check typically required for access to sensitive US government systems.

A young technologist known online as “Big Balls,” who works for Elon Musk's so-called Department of Government Efficiency (DOGE), has access to sensitive US government systems. But his professional and online history call into question whether he would pass the background check typically required to obtain security clearances, security experts tell WIRED.

Edward Coristine, a 19-year-old high school graduate, established at least five different companies in the last four years, with entities registered in Connecticut, Delaware, and the United Kingdom, most of which were not listed on his now-deleted LinkedIn profile. Coristine also briefly worked in 2022 at Path Network, a network monitoring firm known for hiring reformed blackhat hackers. Someone using a Telegram handle tied to Coristine also solicited a cyberattack-for-hire service later that year.

Coristine did not respond to multiple requests for comment.

One of the companies Coristine founded, Tesla.Sexy LLC, was set up in 2021, when he would have been around 16 years old. Coristine is listed as the founder and CEO of the company, according to business records reviewed by WIRED.

Tesla.Sexy LLC controls dozens of web domains, including at least two Russian-registered domains. One of those domains, which is still active, offers a service called Helfie, which is an AI bot for Discord servers targeting the Russian market. While the operation of a Russian website would not violate US sanctions preventing Americans doing business with Russian companies, it could potentially be a factor in a security clearance review.

"Foreign connections, whether it's foreign contacts with friends or domain names registered in foreign countries, would be flagged by any agency during the security investigation process," Joseph Shelzi, a former US Army intelligence officer who held security clearance for a decade and managed the security clearance of other units under his command, tells WIRED.

A longtime former US intelligence analyst, who requested anonymity to speak on sensitive topics, agrees. “There's little chance that he could have passed a background check for privileged access to government systems,” they allege.

Another domain under Coristine’s control is faster.pw. The website is currently inactive, but an archived version from October 25, 2022 shows content in Chinese that stated the service helped provide “multiple encrypted cross-border networks.”

Prior to joining DOGE, Coristine worked for several months of 2024 at Elon Musk’s Neuralink brain implant startup, and, as WIRED previously reported, is now listed in Office of Personnel Management records as an “expert” at that agency, which oversees personnel matters for the federal government. Employees of the General Services Administration say he also joined calls where they were made to justify their jobs and to review code they’ve written.

Other elements of Coristine’s personal record reviewed by WIRED, government security experts say, would also raise questions about obtaining security clearances necessary to access privileged government data. These same experts further wonder about the vetting process for DOGE staff—and, given Coristine’s history, whether he underwent any such background check.

The White House did not immediately respond to questions about what level of clearance, if any, Corisitine has and, if so, how it was granted.

At Path Network, Coristine worked as a systems engineer from April to June of 2022, according to his now-deleted LinkedIn résumé. Path has at times listed as employees Eric Taylor, also known as Cosmo the God, a well-known former cybercriminal and member of the hacker group UGNazis, as well as Matthew Flannery, an Australian convicted hacker whom police allege was a member of the hacker group LulzSec. It’s unclear whether Coristine worked at Path concurrently with those hackers, and WIRED found no evidence that either Coristine or other Path employees engaged in illegal activity while at the company.

“If I was doing the background investigation on him, I would probably have recommended against hiring him for the work he’s doing,” says EJ Hilbert, a former FBI agent who also briefly served as the CEO of Path Network prior to Coristine’s employment there. “I’m not opposed to the idea of cleaning up the government. But I am questioning the people that are doing it.”

**Got a tip?**

_Are you a current or former US government employee? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at Andy.01 (Andy Greenberg), DavidGilbert.01 (David Gilbert), or +1 (347) 722-1347 (Lily Hay Newman)._

Potential concerns about Coristine extend beyond his work history. Archived Telegram messages shared with WIRED show that, in November 2022, a person using the handle “JoeyCrafter” posted to a Telegram channel focused on so-called distributed denial of service (DDoS) cyberattacks that bombard victim sites with junk traffic to knock them offline. In his messages, JoeyCrafter—which records from Discord, Telegram, and the networking protocol BGP indicate was a handle used by Coristine—writes that he’s “looking for a capable, powerful and reliable L7” that accepts bitcoin payments. That line, in the context of a DDoS-for-hire Telegram channel, suggests he was looking for someone who could carry out a layer-7 attack, a certain form of DDoS. A DDoS-for-hire service with the name Dstat.cc was seized in a multinational law enforcement operation last year.

The JoeyCrafter Telegram account had previously used the name “Rivage,” a name linked to Coristine on Discord and at Path, according to Path internal communications shared with WIRED. Both the Rivage Discord and Telegram accounts at times promoted Coristine’s DiamondCDN startup. It’s not clear whether the JoeyCrafter message was followed by an actual DDoS attack. (In the internal messages among Path staff, a question is asked about Rivage, at which point an individual clarifies they are speaking about “Edward.”)

"It does depend on which government agency is sponsoring your security clearance request, but everything that you've just mentioned would absolutely raise red flags during the investigative process," says Shelzi, the former US Army intelligence officer. He adds that a secret security clearance could be completed in as little as 50 days, while a top-secret security clearance could take anywhere from 90 days to a year to complete.

Coristine’s online history, including a LinkedIn account where he calls himself Big Balls, has disappeared recently. He also previously used an account on X with the username @edwardbigballer. The account had a bio that read: “Technology. Arsenal. Golden State Warriors. Space Travel.”

Prior to using the @edwardbigballer username, Coristine was linked to an account featuring the screen name “Steven French” featuring a picture of what appears to be Humpty Dumpty smoking a cigar. In multiple posts from 2020 and 2021, the account can be seen responding to posts from Musk. Coristine’s X account is currently set to private.

Davi Ottenheimer, a longtime security operations and compliance manager, says many factors about Coristine’s employment history and online footprint could raise questions about his ability to obtain security clearance.

“Limited real work experience is a risk,” says Ottenheimer, as an example. “Plus his handle is literally Big Balls.”

DOGE Teen Owns ‘Tesla.Sexy LLC’ and Worked at Startup That Has Hired Convicted Hackers

The dismantling of USAID by Elon Musk's DOGE and a State Department funding freeze have severely disrupted efforts to help people escape forced labor camps run by criminal scammers.

As Elon Musk’s DOGE team continues to rampage through United States federal agencies, Trump administration efforts to eliminate the United States Agency for International Development (USAID) seem to be furthest along. The impacts of the agency’s dismantling on humanitarian relief, public health, and human rights work, combined with the wider 90-day State Department pause on foreign aid payments, are already far-reaching and severe around the world. Sources tell WIRED that the situation is also impacting anti-human-trafficking work targeted at addressing forced labor compounds that fuel digital fraud like investment scams.

The funding cuts and pauses have immediately made it harder for people to safely escape scam compounds, according to half a dozen sources working to combat scams and trafficking. The cuts have also shrunk services that house and care for human trafficking victims and are limiting investigatory work into criminal groups. After just days of funding disruptions, sources say that the cuts have caused “chaos” for staff working to help survivors on a daily basis. Some organizations have already gone dark, and relief workers add that the withdrawal of services could embolden the criminal groups behind the fraud.

“It is a really, really bad situation,” says one person working in the anti-scam sector in Southeast Asia. The individual, as with several sources in this story, requested anonymity due to the sensitive nature of the work and ongoing changing situation. They say small grassroots organizations, which may have only a handful of staff each but help identify and work with trafficking victims, have been widely affected. “This pause will mean that organizations that essentially shifted their work from different forms of trafficking to looking at scamming compounds will cease to exist,” they say.

USAID and the US State Department did not immediately respond to questions from WIRED about the situation.

**Got a tip?**

_Are you a current or former USAID or State Department employee or a worker familiar with anti-human-trafficking efforts? We’d like to hear from you. Using a nonwork phone or computer, contact Matt Burgess securely on Signal at mattburgess.20 and Lily Hay Newman at +1 (347) 722-1347._

Over the past five years, dozens of “scam compounds” have been constructed in Southeast Asia, particularly within Myanmar, Laos, and Cambodia. Run by organized crime groups, which often have links to Chinese nationals, more than 200,000 people from 100-plus countries have been trafficked into the compounds—often under the pretense of getting a legitimate job. These people are often held captive, beaten and tortured, and forced to work long shifts running online scams targeting people around the world, including in the United States. While the compounds engage in a range of fraudulent activity, so-called pig butchering scams have been the predominant focus, with global losses estimated at $75 billion or more.

Law enforcement efforts in Southeast Asia to tackle scam compounds and the criminal organizations heavily profiting from them have sometimes made progress, but have also been widely criticized for corruption and failing to comprehensively deal with the problem. However, a patchwork of NGOs, charities, and anti-trafficking organizations have been attempting to fill the gaps, helping victims escape and get access to legal advice, health care, and other resources. A US State Department webpage details more than $272 million in funding provided to fight human trafficking around the world, with Southeast Asia programs that include investigative efforts, survivor protection, and more. And USAID directly funds humanitarian groups in the region.

Julia Macher, the CEO of Freedom Collaborative, a network that has been impacted by the freezes and works with grassroots groups fighting scam compounds, says the repercussions of the drastic changes at USAID have been “instantaneous.”

“Our partners say that for some survivors they are in touch with inside the scam centers, even if they can somehow manage to get out, they then have no place to put them. Then, the survivors have no money for a flight home and no place to go, so they get re-recruited into the centers, as they do not have any real alternative options,” Macher says. “Some survivors have injuries like broken bones from jumping out the window to escape, and now the organizations have no money to put them into the hospitals, and without medical care, the survivors could become paralyzed.”

Multiple sources tell WIRED that organizations that have relied on funding have had to stop or reduce work and lay off staffers. Macher, who has been running working groups with members of her network over the last week, says some survivors of scam compounds are being given assistance to return home; however, shelters that temporarily house them and provide care have been impacted. “Without a safe and dependable shelter to house them after their escape, some survivors opt to return to their exploitative work inside the scam centers despite knowing the risks,” Macher says.

“There are shelters in neighboring countries like Cambodia and Myanmar for people who’ve just been rescued, and there are helplines and so on that have now lost all of their funding overnight,” says Michael Brosowski, the founder of Blue Dragon, an impacted charity that has rescued more than 1,700 trafficking victims, including keeping people from being trafficked into brothels connected to online scamming.

Brosowski says Blue Dragon has been working to reduce the worst of the harm caused by the funding freezes. “We’ve been scrambling to work out what we can cut, how can we scale back, without losing the most direct work,” Brosowski says. For example, training programs for social workers who aid survivors of trafficking may have to be cut, Brosowski says.

Even if some funding does return—the State Department’s freeze is set to be in place for 90 days—organizations supporting victims may never be the same as staffers are forced to get other jobs or move away from the areas where they have been working locally with survivors. This loss of expertise will be extremely detrimental to the relief efforts, sources say.

“They’ve damaged relationships with local partners or authorities with whom they used to be working regularly to address these issues,” say two researchers at a global think tank who have had their work on policy recommendations on tackling scam compounds to the US government disrupted.

Aside from humanitarian efforts, the funding pauses are likely to allow, even temporarily, criminal organizations to further flourish. Some of the funding cuts impact programs designed to help identify potential criminals and assist local law enforcement efforts, according to one government affairs official at an international NGO with multiple US grants.

“Identifying criminal networks, identifying the bad actors, sending the information to the National Security Council. Everything that should be going on is stopped,” add the two global think tank researchers.

Ultimately, all of this means that trafficking victims will be trapped working in unimaginable conditions while more people in the US and around the world will be at risk of becoming victims in the ongoing fraud run from the compounds.

“These scam compounds, they scam people who are in the USA,” Brosowski, of Blue Dragon, says. “The US government might save hundreds of millions of dollars from cutting these sorts of programs, but the scammers are going to take billions.”

Source

Wired