This is the first time Russia has used its so-called Oreshnik intermediate-range ballistic missile in combat. The launch also serves as a warning to the West.

Two days ago, Russian president Vladimir Putin announced a change in the country's policy for employing nuclear weapons in conflict. Then, on Thursday, Russia attacked the Ukrainian city of Dnipro with a new type of ballistic missile capable of one day delivering multiple nuclear warheads to distant targets with little warning.

Putin says his ballistic missile attack on Ukraine is a warning to the West.

These events are just part of what has been a week of escalation in the war between Russia and Ukraine. In recent days, Ukraine fired US-made ATACMS tactical ballistic missiles and UK-supplied Storm Shadow missiles at targets in Russian territory for the first time. This followed approval by President Joe Biden for Ukraine to use US-provided longer-range missiles against Russian targets. Previously, Ukraine was only permitted to use them on its own territory.

In a rare televised statement Thursday, Putin said he ordered Russia's military to strike Dnipro, home to Soviet-era rocket factories, using a ballistic missile named Oreshnik. This means “hazelnut tree” in Russian. The attack was the first use of the Oreshnik missile “under combat conditions,” Putin said.

Videos from Dnipro posted on social media show multiple projectiles exploding as they impact the ground at high speed. Local residents in Dnipro said the Oreshnik missile struck an industrial plant operated by PA Pivdenmash, formerly known as Yuzhmash. The PA Pivdenmash factory previously manufactured booster stages for the Soviet-era Zenit rocket and, most recently, first-stage tanks for the US-operated Antares rocket for Northrop Grumman.

**Threats From the Kremlin**

Sabrina Singh, the Pentagon's deputy press secretary, called the weapon used Thursday an “experimental intermediate-range ballistic missile” based on Russia's RS-26 Rubezh intercontinental ballistic missile model. While the strike before dawn Thursday used conventional munitions, the impact of multiple projectiles suggests the missile employed multiple reentry vehicles, or MIRVs, similar to the way Russia might use the missile in a nuclear attack.

Singh said the missile could be refitted with different types of conventional or nuclear warheads. She said Russia notified the US government of the planned attack “briefly” before it happened through nuclear risk-reduction channels.

Ukrainian government officials initially said the attack on Dnipro was by an ICBM rather than an intermediate-range weapon, or IRBM.

ICBMs typically follow long, arcing trajectories that take the missiles into space, above the discernible atmosphere, as they travel to faraway targets. An intermediate-range missile, classified as a weapon that can travel between 3,000 and 5,500 kilometers, could also reach space, although the exact altitude reached by the Oreshnik missile was unknown Thursday.

“An IRBM and an ICBM, they can have similar flight paths. They can have high trajectories,” Singh said. “They can carry large payloads, but the main difference lies in the range and the strategic purpose.”

The Oreshnik missile launched Tuesday apparently took off from Russia’s Kapustin Yar rocket base roughly 800 kilometers from Dnipro, well away from intense fighting.

This is the first time any IRBM has been used in combat. The Intermediate-Range Nuclear Forces Treaty, ratified by the United States and the Soviet Union in 1988, banned ground-launched IRBMs. The US pulled out of the treaty in 2019 under the first Trump administration, citing noncompliance from Russia. At the time, US officials noted that China, which was not a signatory to the treaty, possessed more than 1,000 IRBMs in its arsenal.

Putin said Western air defenses are not capable of destroying the Oreshnik missile in flight, although this claim can't be verified. He said Russia would provide warnings to Ukraine in advance of similar missile attacks in the future to allow civilians to escape danger zones.

The Oreshnik missiles strike their targets at speeds of up to Mach 10, or 2.5 to 3 kilometers per second, Putin said. “The existing air defense systems around the world, including those being developed by the US in Europe, are unable to intercept such missiles.”

**A Global War?**

In perhaps the most chilling part of his remarks, Putin said the conflict in Ukraine is “taking on global dimensions” and said Russia is entitled to use missiles against Western countries supplying weapons for Ukraine to use against Russian targets.

“In the event of escalation, we will respond decisively and in kind,” Putin said. “I advise the ruling elites of those countries planning to use their military forces against Russia to seriously consider this.”

The change in nuclear doctrine authorized by Putin earlier this week also lowers the threshold for Russia’s use of nuclear weapons to counter a conventional attack that threatens Russian “territorial integrity.”

This seems to have already happened. Ukraine launched an offensive into Russia’s Kursk region in August, taking control of more than 1,000 square kilometers of Russian land. Russian forces, assisted by North Korean troops, are staging a counteroffensive to try to retake the territory.

Singh called Russia’s invitation of North Korean troops “escalatory” and said Putin could “choose to end this war today.”

US officials say Russian forces are suffering some 1,200 deaths or injuries per day in the war. In September, The Wall Street Journal reported that US intelligence sources estimated that a million Ukrainians and Russians had been killed or wounded in the war.

The UN Human Rights Office most recently reported that 11,973 civilians have been killed, including 622 children, since the start of the full-scale Russian invasion in February 2022.

“We warned Russia back in 2022 not to do this, and they did it anyways, so there are consequences for that,” Singh said. “But we don't want to see this escalate into a wider regional conflict. We don't seek war with Russia.”

_This story originally appeared on_ _Ars Technica._

Russia’s Ballistic Missile Attack on Ukraine Is an Alarming First

Plus: The worst telecom hack in US history rolls on, iPhones are harder to break into, and more of the week’s top security news.

A joint investigation by WIRED, Bayerischer Rundfunk (BR), and Netzpolitik.org uncovered that US companies legally collecting digital ad data are enabling adversaries to cheaply track American military and intelligence personnel. A collaborative analysis of billions of location coordinates from a US-based data broker revealed detailed tracking of thousands of devices from sensitive US sites in Germany, including NSA facilities and bases reportedly housing US nuclear weapons.

Elsewhere, social media giant Meta has disclosed for the first time its efforts to combat the forced-labor compounds driving the surge in pig butchering scams on its platforms. The company revealed that it has been quietly collaborating with global law enforcement, tech industry partners, and external experts for over two years to dismantle the crime syndicates behind these operations in Southeast Asia and the UAE. This year alone, Meta reports it has taken down more than 2 million accounts linked to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE.

At the Cyberwarcon security conference on Friday, the cybersecurity firm SpyCloud shared findings about publicly accessible black market services offering low-cost access to sensitive information on Chinese citizens, including phone numbers, banking details, hotel and flight records, and even real-time location data. According to the firm’s researchers, these services seem to obtain their data through insiders within Chinese surveillance agencies and government contractors, who sell their access. Also at the conference, cybersecurity firm Volexity uncovered that a Russian hacking group has reportedly developed a novel Wi-Fi-hacking technique that involves taking control of a nearby laptop and using it as a bridge to infiltrate a targeted Wi-Fi network. Dubbed a “nearest neighbor attack,” the method was uncovered during a 2022 investigation by the firm into a network breach of an unnamed Washington, DC. client. And finally, researchers explored how the US is calling out foreign influence campaigns faster than they ever have—but there’s plenty of room for improvement.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

**“King of Toxic Masculinity” Gets Hacked**

Hacktivists have breached an online “educational platform” founded by the misogynistic right-wing influencer Andrew Tate reportedly revealing the email addresses of hundreds of thousands of users as well as the contents of the platforms’ private chat servers. Data from the hack, first reported by the Daily Dot, has now been published by the transparency nonprofit Distributed Denial of Secrets.

Andrew Tate, the so-called “king of toxic masculinity,” is currently under house arrest in Romania and faces two separate criminal charges, including allegations of forming an organized criminal group and trafficking women across Romania, the UK, and the US.

The compromised platform, a subscription-based service known as The Real World (formerly called Hustler's University), describes itself as a “global community” focused on “personal growth.” According to its website, members receive expert training, mentorship, and access to a wide range of educational courses for around $50 per month.

According to the Daily Dot, hacktivists announced their breach of the platform on Thursday by disrupting the course's main chatroom with a barrage of uploaded emojis while Tate was livestreaming an episode of his show _Emergency Meeting_ on Rumble. The emojis included a transgender pride flag, a feminist fist, an AI-generated image of Tate wrapped in a rainbow flag.

Data from the breach, verified by WIRED, includes more than 700,000 usernames and reportedly includes messages from 221 public and 395 private chat servers. An analysis by the Daily Dot reveals a mix of content within the chat logs, ranging from motivational quotes and personal progress updates to grievances about the “LGBTQ agenda.” WIRED is continuing to analyze the leaked material.

**The “Worst Telecom Hack in US History” Is Still Ongoing**

Chinese government hackers have infiltrated over a dozen US telecommunications companies in what a senior senator is calling the worst telecom breach in American history—and they’re still inside the networks. The hacking group, Salt Typhoon, has been able to eavesdrop on audio calls in real time and obtain millions of records of call and text metadata from targeted individuals, according to a Washington Post interview with Senator Mark Warner of Virginia, chairman of the Senate Intelligence Committee.

Fewer than 150 victims have been identified and notified by the FBI so far—most of them in the DC region—including president-elect Donald Trump, his vice president-elect, JD Vance, as well as people working for Vice President Kamala Harris and state department officials.

Warner said, however, that the effort was not directly election-related, as the hackers got into some telecom systems more than a year ago.

**Leaked Documents Show GrayKey Struggles to Access Modern iPhones**

Leaked documents obtained by 404 Media reveal that GrayKey, a phone-hacking tool used by law enforcement to extract data from devices in their possession, can at the moment only partially access information from modern iPhones running iOS 18.0 and 18.0.1.

While the precise details of exactly how Graykey operates are unknown, the tool reportedly brute-forces iPhone or Android passcodes to unlock them—essentially hacking the phone—allowing law enforcement to then access and extract encrypted device data. While the specific types of data accessible during a “partial” extraction are unclear, it likely includes unencrypted files and metadata, such as file sizes and folder structures.

The document provides context to an ongoing cat-and-mouse dynamic between forensic technology companies and mobile device manufacturers. With each new software update, tools like GrayKey are temporarily thwarted, prompting developers to quickly adapt their technology to catch up. At the moment it appears that they have not. This leak follows another report from 404 Media about a feature in iOS 18 called “inactivity reboot,” which forces devices to restart after four days of inactivity, adding another layer of difficulty for law enforcement attempting to access data on seized devices.

**Europe Probes Undersea Cable Sabotage**

European authorities are investigating suspected sabotage to two undersea fiber-optic cables: one linking Finland and Germany, and the other connecting Sweden and Lithuania. Russia—widely suspected as the likely perpetrator—denies involvement, dismissing the allegations as “ridiculous.”

The incident began on Sunday when two telecommunications companies detected traffic disruptions likely caused by physical damage to undersea cables. One of the affected cables, known as C-Lion—a vital 730-mile link between Finland and Central Europe—runs alongside other critical infrastructure, including gas pipelines and power lines.

By Wednesday, the Danish navy had reportedly intercepted a Chinese cargo ship in connection with the disruptions. The vessel, which had most recently docked in Russia before the incident, was near the damaged area at the time. It is now under investigation, with its crew being questioned about their possible involvement.

Andrew Tate’s ‘Educational Platform’ Was Hacked

The 2024 elections were a high-water mark for naming and shaming threat actors from foreign governments. There’s still work to be done, though, on how to attribute disinformation campaigns most effectively.

Ahead of the the 2024 US elections, the US intelligence community and law enforcement were on high alert and ready to share information—both among agencies and publicly—as foreign malign influence operations emerged. Tech giants like Microsoft similarly sprang into action, collaborating with government partners and publishing their own information about election-related disinformation campaigns. The speed and certainty with which authorities were able to pin these efforts on threat actors in Russia, China, and Iran was unprecedented. But researchers also caution that not all attributions are created equal.

At the Cyberwarcon security conference in Arlington, Virginia, today, researchers from the Atlantic Council’s Digital Forensic Research Lab are presenting initial findings on the role of attribution in the 2024 US elections. Their research compares the impact of quickly naming and shaming foreign influence actors to other recent US elections in which government attribution was far less common.

“We’re building on a project that we did back in 2020 where there was a lot more context of concern that the Trump administration was not being forthcoming about foreign attacks,” says Emerson Brooking, director of strategy and resident senior fellow for DFRLab. “In contrast to 2020, now there was an abundance of claims by the US government of influence operations being conducted by different adversaries. So in thinking through the policy of attribution, we wanted to look at the question of overcorrection.”

In the lead-up to the 2016 US presidential election, Russia’s extensive influence operations—which included hack-and-leak campaigns as well as strategic disinformation—caught the US government by surprise. Law enforcement and the intelligence community were largely aware of Russia's digital probing, but they didn't have an extreme sense of urgency, and the big picture of how such activity could impact public discourse hadn't yet come into view. After Russia's hack of the Democratic National Committee in June that year, it took four months for the US Office of the Director of National Intelligence and the Department of Homeland Security to publicly attribute the attack to the Kremlin. Some officials had said in the weeks following the incident that formal confirmation from the US government might never come.

Even in the highly politicized landscape that followed, federal, state, and local collaboration around election security expanded dramatically. By 2020, the researchers say, 33 of the 84 influence operation attributions they studied related to the 2020 US elections, or about 39 percent, came from US intelligence or federal sources. And this year, 40 of the 80 the group tracked came from the US government. DFRLabs resident fellow Dina Sadek notes, though, that one important factor in assessing the utility of US government attributions is the quality of the information provided. The substance and specificity of the information, she says, is important to how the public views the objectivity and credibility of the statement.

Specific information confirming that Russia had manufactured a video that purported to show ballots being destroyed in Bucks County, Pennsylvania was a high-quality, useful attribution, the researchers say, because it was direct, narrow in scope, and came very quickly to minimize speculation and doubt. Repeated statements from the Office of the Director of National Intelligence's Foreign Malign Influence Center warning very broadly and generally about Russian influence operations is an example of the type of attribution that can be less helpful, and even serve to amplify campaigns that otherwise might not register with the public at all.

Similarly, in the lead-up to the 2020 elections, the researchers point out, statements from the US government about Russia, China, and Iran playing a role in Black Lives Matter protests may have been mismatched to the moment because they didn't include details on the extent of the activity or the specific objectives of the actors.

Even with all of this in mind, though, the researchers note that there was valuable progress in the 2024 election cycle. But with a new Trump administration coming into the White House, such transparency could start to trend in a different direction.

“We don’t want to come across like rearranging deck chairs on the _Titanic_, because the state of affairs that was is not the state of affairs that will be,” Brooking says. “And from a public interest perspective I think we got a lot closer on disclosure in 2024.”

The US Is Calling Out Foreign Influence Campaigns Faster Than Ever

In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.

For determined hackers, sitting in a car outside a target's building and using radio equipment to breach its Wi-Fi network has long been an effective but risky technique. These risks became all too clear when spies working for Russia's GRU military intelligence agency were caught red-handed on a city street in the Netherlands in 2018 using an antenna hidden in their car's trunk to try to hack into the Wi-Fi of the Organization for the Prohibition of Chemical Weapons.

Since that incident, however, that same unit of Russian military hackers appears to have developed a new and far safer Wi-Fi hacking technique: Instead of venturing into radio range of their target, they found another vulnerable network in a building across the street, remotely hacked into a laptop in that neighboring building, and used that computer's antenna to break into the Wi-Fi network of their intended victim—a radio-hacking trick that never even required leaving Russian soil.

At the Cyberwarcon security conference in Arlington, Virginia, today, cybersecurity researcher Steven Adair will reveal how his firm, Volexity, discovered that unprecedented Wi-Fi hacking technique—what the firm is calling a “nearest neighbor attack"—while investigating a network breach targeting a customer in Washington, DC, in 2022. Volexity, which declined to name its DC customer, has since tied the breach to the Russian hacker group known as Fancy Bear, APT28, or Unit 26165. Part of Russia's GRU military intelligence agency, the group has been involved in notorious cases ranging from the breach of the Democratic National Committee in 2016 to the botched Wi-Fi hacking operation in which four of its members were arrested in the Netherlands in 2018.

In this newly revealed case from early 2022, Volexity ultimately discovered not only that the Russian hackers had jumped to the target network via Wi-Fi from a different compromised network across the street, but also that this prior breach had _also_ potentially been carried out over Wi-Fi from yet another network in the same building—a kind of “daisy-chaining” of network breaches via Wi-Fi, as Adair describes it.

“This is the first case we’ve worked where you have an attacker that’s extremely far away and essentially broke into other organizations in the US in physical proximity to the intended target, then pivoted over Wi-Fi to get into the target network across the street,” says Adair. “That’s a really interesting attack vector that we haven’t seen before.”

A slide describing the “nearest neighbor attack” that Russian hackers used to breach a DC network via Wi-Fi, from the Cyberwarcon presentation of Volexity founder Steven Adair.

Illustration: Volexity

Based on the hackers' targeting of individuals within their customer's network, Adair says that the GRU hackers appear to have been seeking intelligence about Ukraine. It's no coincidence, he says, that the daisy-chained Wi-Fi-based intrusion was carried out in the months just before and after Russia's initial full-scale invasion of Ukraine in February 2022.

Adair argues, though, that the case should serve as a broader warning about cybersecurity threats to Wi-Fi for high-value targets—and not just from the usual suspects loitering in the parking lot or the lobby. “Now we know that a motivated nation-state is doing this and has done it,” says Adair, “It puts on the radar that Wi-Fi security has to be ramped up a good bit.” He suggests organizations that might be the target of similar remote Wi-Fi attacks consider limiting the range of their Wi-Fi, changing the network's name to make it less obvious to potential intruders, or introducing other authentication security measures to limit access to employees.

Adair says that Volexity first began investigating the breach of its DC customer's network in the first months of 2022, when the company saw signs of repeated intrusions into the customer's systems by hackers who had carefully covered their tracks. Volexity's analysts eventually traced the compromise to a hijacked user's account connecting to a Wi-Fi access point in a far end of the building, in a conference room with external-facing windows. Adair says he personally scoured the area looking for the source of that connection. “I went there to physically run down what it could be. We looked at smart TVs, looked for devices in closets. Is someone in the parking lot? Is it a printer?” he says. “We came up dry.”

Only after the next intrusion, when Volexity managed to get more complete logs of the hackers' traffic, did its analysts solve the mystery: The company found that the hijacked machine which the hackers were using to dig around in its customer's systems was leaking the name of the domain on which it was hosted—in fact, the name of another organization just across the road. “At that point, it was 100 percent clear where it was coming from,” Adair says. “It's not a car in the street. It's the building next door.”

With the cooperation of that neighbor, Volexity investigated that second organization's network and found that a certain laptop was the source of the street-jumping Wi-Fi intrusion. The hackers had penetrated that device, which was plugged into a dock connected to the local network via Ethernet, and then switched on its Wi-Fi, allowing it to act as a radio-based relay into the target network. Volexity found that, to break into that target's Wi-Fi, the hackers had used credentials they'd somehow obtained online but had apparently been unable to exploit elsewhere, likely due to two-factor authentication.

Volexity eventually tracked the hackers on that second network to two possible points of intrusion. The hackers appeared to have compromised a VPN appliance owned by the other organization. But they had also broken into the organization's Wi-Fi from _another_ network's devices in the same building, suggesting that the hackers may have daisy-chained as many as three networks via Wi-Fi to reach their final target. “Who knows how many devices or networks they compromised and were doing this on,” says Adair.

In fact, even after Volexity evicted the hackers from their customer's network, the hackers tried again that spring to break in via Wi-Fi, this time attempting to access resources that were shared on the guest Wi-Fi network. “These guys were super persistent,” says Adair. He says that Volexity was able to detect this next breach attempt, however, and quickly lock out the intruders.

Volexity had presumed early on in its investigation that the hackers were Russian in origin due to their targeting of individual staffers at the customer organization focused on Ukraine. Then in April, fully two years after the original intrusion, Microsoft warned of a vulnerability in Windows' print spooler that had been used by Russia's APT28 hacker group—Microsoft refers to the group as Forest Blizzard—to gain administrative privileges on target machines. Remnants left behind on the very first computer Volexity had analyzed in the Wi-Fi-based breach of its customer exactly matched that technique. “It was an exact one-to-one match,” Adair says.

The notion that APT28 would be behind the daisy-chained Wi-Fi hacking makes sense, says John Hultquist, the founder of Cyberwarcon who also leads threat intelligence at Google-owned cybersecurity firm Mandiant and has long tracked the GRU hackers. He sees the technique Volexity uncovered as the natural evolution of APT28's “close-access” hacking methods, in which the GRU has sent small traveling teams in person to hack into target networks via Wi-Fi if other methods failed.

“This is essentially a close-access op like they’ve done in the past, but without the close access,” Hultquist says.

The switch to hacking via Wi-Fi from a remotely compromised device rather than physically placing a spy nearby represents a logical next step following the GRU's operational security disaster in 2018, when its hackers were caught in a car in The Hague attempting to hack the Organization for the Prohibition of Chemical Weapons in response to the OPCW's investigation of the attempted assassination of GRU defector Sergei Skripal. In that incident, the APT28 team was arrested and their devices were seized, revealing their travel around the world from Brazil to Malaysia to carry out similar close-access attacks.

“If a target is important enough, they’re willing to send people in person. But you don’t have to do that if you can come up with an alternative like what we’re seeing here,” Hultquist says. “This is potentially a major improvement for those operations, and it’s something we’ll probably see more of—if we haven’t already.”

Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack

The company gave details for the first time on its approach to combating organized criminal networks behind the devastating scams.

Years into the escalating, multibillion-dollar global crisis of pig butchering scams, social media giant Meta released information for the first time on Thursday about its approach to combating the forced-labor compounds that fuel scam activity on its platforms and across the web.

The company says that for more than two years it has been focused on collaborating with global law enforcement and other tech companies to address the underlying problem of organized crime syndicates driving scam activity in Southeast Asia and the United Arab Emirates.

Meta says that so far this year it has done takedowns of more than 2 million accounts connected to scam compounds in Myanmar, Laos, Cambodia, the Philippines, and the UAE. The company has also been collaborating with external experts, including tech companies, NGOs, and coalitions working to counter online scams. As pig butchering scams generate significant revenue for criminals, though, and spread around the world, Meta notes that it has focused on working with law enforcement to directly track criminal syndicates.

“This is a highly adversarial space where we expect well-resourced and persistent criminal organizations to constantly evolve their tactics (both online and offline) in response to detection and enforcement to try and reconstitute across the internet,” a Meta spokesperson wrote in a statement. The company declined to share how many accounts it had removed prior to this year.

Longtime pig butchering researchers say that Meta has been slow to publicly and directly acknowledge the problem and the role its many platforms play in connecting scammers with potential victims. They emphasize that Meta’s services are far from the only platforms that scammers use to reach victims. But platforms like Facebook and Instagram are recognizable and trusted around the world, so it is inevitable, the researchers say, that scammers will gravitate to them. And Meta has warned its users broadly about investment and romance scams.

“I'm glad that Meta is finally starting to talk about this work, but in the research community, we feel like we've been trying to get their attention for a long time and collaborate with them and they often aren't engaging with us,” says Ronnie Tokazowski, a longtime pig butchering researcher and cofounder of the nonprofit Intelligence for Good.

Since roughly 2020, when the earliest pig butchering scams started to emerge, more than 200,000 people have been trafficked and held in compounds—mostly in Myanmar, Cambodia, and Laos—where they are forced to play the role of an online scammer. If they refuse, the criminals who own the scam compounds, which are typically connected to Chinese organized crime, often beat or torture them. People have been trafficked from more than 60 countries around the world—often after seeing online ads promising them jobs that are too good to be true.

The forced scammers are compelled to send thousands of online messages to potential victims around the world on a daily basis. They are tasked with building relationships, often with the lure of friendship or romance, and eventually persuade their victims to send them money as part of lucrative “investment opportunities.” Individually, victims have lost hundreds of thousands of dollars, while the pig butchering criminal enterprises have collectively conned people out of around $75 billion in recent years.

“These scams can start on dating apps, text message, email, social media, or messaging apps, then ultimately move to scammer-controlled accounts on crypto apps or scam websites masquerading as investment platforms,” Meta writes in its report. “In addition to disrupting scam centers, teams across Meta are constantly rolling out new product features to help protect people on our apps from known scam tactics at scale.”

Pig butchering scams drive toward financial theft, but they start with either one-to-one cold communication between scammers and potential victims or contact that originates from social media groups or other communal forums. For example, Gary Warner, director of intelligence at the cybersecurity firm DarkTower, says that he tracks thousands of Facebook groups dedicated to luring people into cryptocurrency investment scams as well as groups that purport to be community dating resources where scammers are lurking.

Online moderation of scammers is a difficult and longstanding issue for Big Tech. As is the case with many types of inauthentic content, some pig butchering activity can skirt tech company standards—even when they are doing a large number of account takedowns—because the content isn’t explicit enough to meet the criteria for removal.

"So much of what is on platform is clearly the prelude to pig butchering, but Meta says it ‘doesn't violate community standards,’” Warner says.

Meta emphasizes, though, that in addition to its account takedowns and monitoring for scam activity on its platforms, the company is focused on working to directly combat scam compounds using its policies around dangerous organizations and individuals, as well as wider safety policies.

However, the owners of scam compounds have been quick to adopt new technologies into their operations, partly to make their scamming more efficient, but likely also to evade law enforcement and technology clampdowns. In recent months, researchers have spotted pig butchering scammers using artificial intelligence tools, integrating deepfakes into their campaigns, and using malware to expand their capabilities. For example, scammers are now able to easily generate understandable content in many languages using AI translation tools for both the scripts and messages they send potential victims, as well as job advertisements luring prospective workers into scam compounds.

Meta says one recent scam compound that it took action against, which was targeting Japanese and Chinese speakers, followed a tip from OpenAI threat researchers who had spotted the criminal operation using ChatGPT to translate messages that could be used in pig butchering.

A “cluster” of accounts that all appeared to come from Cambodia were spotted translating and generating comments using ChatGPT, OpenAI spokesperson Liz Bourgeois tells WIRED. The comments generated using AI would be shared on social media and appeared to be linked to scam activity. Bourgeois says OpenAI banned the accounts and reported the social media activity to Meta.

Meta Finally Breaks Its Silence on Pig Butchering

Chinese black market operators are openly recruiting government agency insiders, paying them for access to surveillance data and then reselling it online—no questions asked.

China has long been a billion-plus-person experiment in total state surveillance, with virtually no legal checks on the government's ability to physically and digitally monitor its citizens. When so much control of citizens' private data amasses within a few government agencies, however, it doesn't stay there. Instead, that bounty of private info has also leaked onto a lively black market—one where insiders sell off their own access to any scammer or stalker willing to pay.

At the Cyberwarcon security conference in Arlington, Virginia, on Friday, researchers from the cybersecurity firm SpyCloud plan to present their findings from monitoring a collection of black market services that offer cheap and easy searches of Chinese citizens' data. The vendors in many cases obtain that sensitive information by recruiting insiders from Chinese surveillance agencies and government contractors and then reselling their access, no questions asked, to online buyers. The result is an ecosystem that operates in full public view where, for as little as a few dollars worth of cryptocurrency, anyone can query phone numbers, banking details, hotel and flight records, or even location data on target individuals.

A screenshot of one of the Telegram-based data broker services' recruitment posts. The large text in Chinese translates to "Sincere cooperation, recruiting public security insiders."

Courtesy of SpyCloud

“China has created this massive surveillance apparatus,” says Aurora Johnson, one of the two SpyCloud researchers who has tracked how surveillance data leaks to the black market. “And ordinary individuals find themselves working in a system where there's not much economic and social mobility and where they have unfettered access to these databases of information based on their jobs in government or at technology companies. So they're abusing that access, in many cases by stealing data and selling it in criminal marketplaces.”

The SpyCloud researchers focused on Chinese-language data vendors that offer their services in accounts on the messaging service Telegram, including ones called Carllnet, DogeSGK, and X-Ray. The services, each of which has tens of thousands of members in its Telegram group, describe themselves as SGKs or “shègōng kù,” which the researchers translate as “social engineering libraries”—a name that suggests the services are perhaps primarily used by scammers. All three services use a point system in which customers can make payments—usually in the cryptocurrency Tether, though in some cases the Chinese payment services WePay and Alipay are accepted—for “points,” or earn them by inviting other customers. Customers can then cash in those credits to carry out searches based on identifiers ranging from names or email addresses to phone numbers to usernames on China's QQ, WeChat, or Weibo social networks.

In response to those search queries, the services promise data and records on targets including phone numbers, call records, bank accounts, marriage records, vehicle registrations, hotel bookings, and myriad other personal information. For higher payments that range into the hundreds of dollars, the services also offer premium searches for even more sensitive information like passport images or geolocation records, the SpyCloud researchers say, though they only conducted limited experiments on those premium searches. Some of the services specifically promise detailed access to data from China's “big three” state-owned telecommunications firms: China Telecom, China Unicom, and China Mobile.

WIRED reached out to Carllnet, DogeSGK, and X-Ray via Telegram, as well as the big three Chinese telecoms whose data they claim to have access to, but none of them responded to requests for comment.

In some cases, the services appear to draw on breached databases—collections of data that have been leaked online by hackers—as well as commercially collected data sources similar to those offered by Western data brokers, such as the location data hoovered up by many free smartphone apps. But they also appear to offer information from insiders at tech and telecom firms, banks, and China's state surveillance agencies, and even openly post ads seeking to recruit staffers of those organizations looking for an extra source of income. “Sincerely looking for public security personnel to establish cooperation,” reads one ad posted to Telegram, as translated by SpyCloud.

A translated screenshot of a post from one of the Telegram-based data brokers showing an example of geolocation tracking for a target individual.

Courtesy of SpyCloud

Another post from the X-Ray Telegram feed invites “internal personnel” from “public security, civil affairs, \[and\] banks” to cooperate with the service. “We welcome elites from all industries who have internal search conditions to join us!” reads a translation of the post.

According to one ad, insiders are paid more than 10,000 yuan—or nearly $1,400—a day, while another recruitment post promises twice that much and says some sources will receive payments as high as 70,000 yuan daily, or nearly $10,000. “There are many comrades who cooperate with us and have been cooperating with us stably for several years,” reads one recruitment post. To further assuage fears, it promises “a complete risk avoidance plan to protect you.”

Payment to those sources, one ad suggests, comes in the form of “virtual currency,” and offers training in “mixing” and other withdrawal methods “comparable to those of dark network black market personnel,” according to SpyCloud's translation—suggesting that the insiders are likely paid in cryptocurrency, given that “mixing” services are typically used to defeat blockchain analysis-based cryptocurrency tracing. “You can receive money with peace of mind and withdraw money with confidence,” it reads.

As further evidence of government surveillance insiders moonlighting in the data broker market, the SpyCloud researchers point to a leak earlier this year of communications and documents from I-Soon, a cyberespionage contractor to the Ministry of Public Security and the Ministry of State Security. In one leaked chat conversation, one employee of the company suggests to another that “I am just hear here to sell qb,” and “sell some qb yourself.” The SpyCloud researchers interpret “qb” to mean “qíngbào,” or “intelligence.”

Given that the average annual salary in China, even at a state-owned IT company, is only around $30,000, the promise—however credible or dubious—of making nearly a third of that daily in exchange for selling access to surveillance data represents a strong temptation, the SpyCloud researchers argue. “These are not necessarily masterminds,” says Johnson. “They're people with opportunity and motive to make a little money on the side.”

That some government insiders are in fact cashing in on their access to surveillance data is to be expected amid China's perpetual struggle against corruption, says Dakota Cary, a China-focused policy and cybersecurity researcher at cybersecurity firm SentinelOne, who reviewed SpyCloud's findings. Transparency International, for instance, ranks China 76th in the world out of 180 countries in its Corruption Index, well below every EU country other than Hungary—with which it tied—including Bulgaria and Romania. Corruption is “prevalent in the security services, in the military, in all parts of the government,” says Cary. “It's a top-down cultural attitude in the current political climate. It’s not at all surprising that individuals with this kind of data are effectively renting out the access they have as part of their job.”

In their research, SpyCloud's analysts went so far as to attempt to use the Telegram-based data brokers to search for personal information on certain high-ranking officials of the Chinese Communist Party and the People's Liberation Army, individual Chinese state-sponsored hackers who have been identified in US indictments, and the CEO of cybersecurity company I-Soon, Wu Haibo. The results of those queries included a grab bag of phone numbers, email addresses, bank card numbers, car registration records, and “hashed” passwords—passwords likely obtained through a data breach that are protected with a form of encryption but sometimes vulnerable to cracking—for those government officials and contractors.

In some cases, the data brokers do at least claim to restrict searches to exclude celebrities or government officials. But the researchers say they were usually able to find a workaround. “You can always find another service that's willing to do the search and get some documents on them,” says SpyCloud researcher Kyla Cardona.

The result, as Cardona describes it, is an even more unexpected consequence of a system that collects such vast and centralized data on every citizen in the country: Not only does that surveillance data leak into private hands, it also leaks into the hands of those who are watching the watchers.

"It's a double-edged sword,” says Cardona. “This data is collected for them and by them. But it can also be used against them.”

China’s Surveillance State Is Selling Citizen Data as a Side Hustle

AI-generated influencers based on stolen images of real-life adult content creators are flooding social media.

Instagram is flooded with hundreds of AI-generated influencers who are stealing videos from real models and adult content creators, giving them AI-generated faces, and monetizing their bodies with links to dating sites, Patreon, OnlyFans competitors, and various AI apps.

The practice, first reported by 404 Media in April, has since exploded in popularity, showing that Instagram is unable or unwilling to stop the flood of AI-generated content on its platform and protect the human creators on Instagram who say they are now competing with AI content in a way that is impacting their ability to make a living.

According to our review of more than 1,000 AI-generated Instagram accounts, Discord channels where the people who make this content share tips and discuss strategy, and several guides that explain how to make money by “AI pimping,” it is now trivially easy to make these accounts and monetize them using an assortment of off-the-shelf AI tools and apps. Some of these apps are hosted on the Apple App and Google Play Stores. Our investigation shows that what was once a niche problem on the platform has industrialized in scale, and it shows what social media may become in the near future: a space where AI-generated content eclipses that of humans.

Elaina St James, an adult content creator who promotes her work on Instagram, said she and other adult content creators are now directly competing with these AI rip-off accounts, many of which use photographs and videos stolen from adult content creators and Instagram models. She said that while there may be other changes to Instagram’s algorithm that could have contributed to this, since the explosion of AI-generated influencer accounts on Instagram her “reach went down tremendously,” from a typical 1 million to 5 million views a month to not cracking a million in the last 10 months, and sometimes coming in under 500,000 views.

“This is probably one of the reasons my views are going down,” St James told us in an interview. “It's because I'm competing with something that's unnatural.”

Alexios Mantzarlis, the director of the security, trust, and safety initiative at Cornell Tech and formerly principal of trust and safety intelligence at Google, compiled a list of around 900 accounts that 404 Media reviewed in its investigation. Mantzarlis, who stumbled on one of these accounts while casually using Instagram, said he started researching the AI-generated influencer accounts because it might show us where AI-generated content is taking social media and the internet more broadly, where he sees a “a rising blended unreality.” Mantzarlis believes he could have easily found 900 more accounts and that the only reason he didn’t get more is that Instagram restricted the account he used to scrape the platform.

“It felt like a possible sign of what social media is going to look like in five years,” Mantzarlis said in an interview. “Because this may be coming to other parts of the internet, not just the attractive-people niche on Instagram. This is probably a sign that it's going to be pretty bad.”

**The Accounts**

Out of more than 1,000 AI-generated Instagram influencer accounts we reviewed, 100 included at least some deepfake content which took existing videos, usually from models and adult entertainment performers, and replaced their face with an AI-generated face to make those videos seem like new, original content consistent with the other AI-generated images and videos shared by the AI-generated influencer. The other 900 accounts shared images that in some cases were trained on real photographs and in some cases made to look like celebrities, but were entirely AI-generated, not edited photographs or videos.

Out of those 100 accounts that shared deepfake or face-swapped videos, 60 self-identify as being AI-generated, writing in their bios that they are a “virtual model & influencer” or stating “all photos crafted with AI and apps.” The other 40 do not include any disclaimer stating that they are AI-generated.

One of the bigger accounts in the latter category is “Chloe Johnson,” who has a verified account on Instagram and 171,000 followers. This account was deleted by Meta within the past few weeks.

Inside the Booming ‘AI Pimping’ Industry

More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.

Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany

Built to combat terrorism, fusion centers give US Immigration and Customs Enforcement a way to gain access to data that’s meant to be protected under city laws limiting local police cooperation with ICE.

On the campaign trail and in recent days, Donald Trump has detailed extensive plans for immigration crackdowns and mass deportations during his second term as United States president. These initiatives would, he has said, include aggressive operations in areas known as “sanctuary cities” that have laws specifically curtailing local law enforcement collaboration with US Immigration and Customs Enforcement (ICE).

With these promises looming, a new report from researchers at the Surveillance Technology Oversight Project (STOP), a pro-privacy nonprofit, details the ways that federal/local data-sharing centers known as “fusion centers” already result in cooperation between federal immigration authorities and sanctuary-city law enforcement.

Run by the US Department of Homeland Security, of which ICE is a part, fusion centers emerged in the wake of the September 11, 2001, attacks as a counterterrorism initiative for integrating intelligence between federal, state, and local law enforcement. Fusion centers spent $400 million in 2021, according to public records. And, as STOP researchers point out, in more than two decades the centers have never proven their worth for their stated purpose of addressing terrorism in the US. Unnamed DHS officials told a Senate panel in 2012, for example, that fusion centers produce “predominantly useless information” and “a bunch of crap.”

In addition to aggressive investigative tactics like pulling data from schools and abortion clinics, ICE agents have leaned on fusion centers for years to get everything from photos of suspects to license plate location data and more—often in a pipeline that includes input from law enforcement working in sanctuary cities.

“This is an area where it’s highly profitable for localities to cooperate with ICE, and because it’s not highly visible it oftentimes faces less pushback," says STOP executive director Albert Fox Cahn. “This sort of information sharing capacity on this scale across all these agencies. tapping into everything from local utility records and DMV records to school records has the potential to be deployed in any number of chilling scenarios.”

ICE did not immediately return a request from WIRED for comment.

Fox Cahn adds that the concept of sanctuary cities wasn't always viewed by regional cops as an inconvenience to work around. “Until recently a lot of law enforcement agencies were very vocal in supporting sanctuary city protections, because they feared that ICE collaboration would actually hurt public safety if immigrants were not willing to come forward when they were victims of a crime or witness to a crime,” he says. “But police have become much more politically engaged on immigration in recent years.”

Fusion centers give ICE officers a forum through which to request data from local law enforcement databases in sanctuary cities and take advantage of regional surveillance tools, including publicly deployed face recognition systems, that can't be directly used to aid deportation efforts under sanctuary laws. STOP argues that when cops from sanctuary cities share data with ICE through fusion centers, it believes they may be violating local laws, but the activity is less obviously a violation than if the sharing happened through a direct channel.

In addition to undermining the entire purpose and premise of sanctuary city laws, STOP researchers point out, such erosion of guardrails around data sharing broadly could easily become a national security issue if a foreign actor were to infiltrate a fusion center. And domestically, the free-wheeling environment within fusion centers means that law enforcement could easily turn the spotlight onto additional types of investigations without warning.

“What we’ve seen over and over again is that the policing infrastructure we’ve built up in the name of combatting one evil then gets re-purposed for another," Fox Cahn says. “People who maybe don’t care as much about immigration need to recognize that if this infrastructure can be re-targeted at undocumented communities the way it has been today, it can be repurposed for any number of policing priorities in the future.”

Fusion centers will almost certainly play a role in the Trump administration's immigration agenda, but the STOP research is a reminder that these information-sharing hubs may well be at the center of other far-flung law enforcement initiatives as well.

Immigration Police Can Already Sidestep US Sanctuary City Laws Using Data-Sharing Fusion Centers

Plus: An “AI granny” is wasting scammers’ time, a lawsuit goes after spyware-maker NSO Group’s executives, and North Korea–linked hackers take a crack at macOS malware.

In perhaps the most adorable hacker story of the year, a trio of technologists in India found an innovative way to circumvent Apple’s location restrictions on AirPod Pro 2s so they could enable the earbuds’ hearing aid feature for their grandmas. The hack involved a homemade Faraday cage, a microwave, and a lot of trial and error.

On the other end of the tech-advancements spectrum, the US military is currently testing an AI-enabled machine gun that is capable of auto-targeting swarms of drones. The Bullfrog, built by Allen Control Systems, is one of several advanced weapons technologies in the works to combat the growing threat of cheap, small drones on the battlefield.

The US Department of Justice announced this week that an 18-year-old from California has admitted to making or orchestrating more than 375 swatting attacks across the United States.

Then, of course, there’s the Donald Trump of it all. This week, we published a practical guide to protecting yourself from government surveillance. WIRED has covered the dangers of government surveillance for decades, of course. But when the president-elect is explicitly threatening to jail his political enemies—whoever that may be—now’s probably a good time to brush up on your digital best practices.

In addition to potential dragnet surveillance of US citizens, US Immigration and Customs Enforcement started ramping up its surveillance arsenal the day after Trump won reelection. Meanwhile, experts are expecting the incoming administration to roll back cybersecurity rules instituted under president Joe Biden while taking a harder line against adversarial state-sponsored hackers. And if all this political upheaval has you in the mood to protest, beware: An investigation copublished by WIRED and The Marshall Project found that mask bans instituted in several states add a complicated new layer to exercising freedom of speech.

And that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

In August 2016, approximately 120,000 bitcoin—at the time worth around $71 million—were stolen in a hack on the Bitfinex cryptocurrency exchange. Then in 2022, as the value of cryptocurrency had rocketed skywards, law enforcement officials in New York arrested husband and wife Ilya Lichtenstein and Heather Morgan in relation to the hack and laundering the much-inflated $4.5 billion of stolen cryptocurrency. (At the time, $3.6 billion of the funds were recouped by law enforcement investigators.)

This week, after pleading guilty in 2023, Lichtenstein was sentenced to five years of jail time for conducting the hack and laundering the profits. With subsequent cryptocurrency spikes and additional seizures related to the hack, the US government has now been able to recover more than $10 billion in assets. A series of operational security failures by Lichtenstein made much of the illicit cryptocurrency easy for officials to seize, but investigators also applied sophisticated crypto-tracing methods to unpick how the funds had been stolen and subsequently moved around.

Aside from the brazen scale of the heist, Lichtenstein and Morgan gained online prominence and ridicule after their arrests due to a series of Forbes articles written by Morgan and rap videos posted to YouTube under the name of “Razzlekhan.” Morgan, who also pleaded guilty, is due to be sentenced on November 18.

**An ‘AI Granny’ Is Wasting Phone Scammers’ Time**

Scammers are increasingly adopting AI as part of their criminal toolkits—using the technology to create deepfakes, translate scripts, and make their operations more efficient. But artificial intelligence is also being turned against the scammers. British telecoms firm Virgin Media and its mobile operator O2 have created a new “AI granny” that can answer phone calls from scammers and keep them talking. The system uses different AI models, according to The Register, that listen to what a scammer says and respond immediately. In one case, the company says it kept a scammer on the line for 40 minutes and has fed others fake personal information. Unfortunately, the system (at least at the moment) can’t directly answer calls made to your phone; instead, O2 created a specific phone number for the system, which the company says it has managed to get placed in lists of numbers that scammers call.

**Alleged NSO Group Spyware Victim Adds NSO Founders and Executive to Lawsuit**

In a new legal strategy for those attempting to hold commercial spyware vendors responsible, lawyer Andreu Van den Eynde, who was allegedly hacked with NSO Group spyware, is directly accusing two of the company’s founders, Omri Lavie and Shalev Hulio, and one of its executives, Yuval Somekh, of hacking crimes in a lawsuit. The Barcelona-based human rights nonprofit Iridia announced this week that it filed the complaint in a Catalan court. Van den Eynde was reportedly a victim of a hacking campaign that used NSO’s notorious Pegasus spyware against at least 65 Catalans. Van den Eynde and Iridia originally sued NSO Group in a Barcelona court in 2022 along with affiliates Osy Technologies and Q Cyber Technologies. “The people responsible for NSO Group have to explain their concrete activities,” a legal representative for Iridia and Van den Eynde wrote in the complaint, which was written in Catalan and translated by TechCrunch.

**North Korea-Backed Hackers Are Exploring New macOS Malware**

Research published this week by the mobile device management firm Jamf found that hackers who have been linked to North Korea have been working to implant malware inside macOS applications built with a particular open-source software development kit. The campaigns focused on cryptocurrency-related targets and involved infrastructure similar to systems that have been used by North Korea’s notorious Lazarus Group. It’s unclear if the activity resulted in actual victim compromise or if it was still in a testing phase.

Financially motivated and state-backed hackers have less occasion to use malware targeting Apple’s Mac computers than hacking tools that infect Microsoft Windows or Linux desktops and servers. So when Mac malware crops up, it’s typically a niche point, but it can also be a revealing indicator of trends and priorities among hackers.

Source

Wired