Plus: Ukrainian hackers reportedly knock out a key Russian internet provider, China’s Salt Typhoon hackers claim another victim, and the UK hits 23andMe with a hefty fine over its 2023 data breach.

Amid Israeli airstrikes this week and the imminent threat of further escalations by the United States, Iran started severely limiting internet connectivity for its citizens, limiting Iranians' access to crucial information and intentionally pushing them toward domestic apps that may not be secure. Meanwhile, the Israel-tied hacking group known as Predatory Sparrow is waging cyberwar on Iran’s financial system, attacking Iran’s Sepah Bank and destroying more than $90 million in cryptocurrency held by the Iranian crypto exchange Nobitex.

With the US still reeling from last weekend's violent shooting spree in Minnesota targeting Democratic state lawmakers and their families, an FBI affidavit indicates that the suspected shooter allegedly used data broker sites to find targets’ addresses and potentially other personal information about them. The finding highlights the potential dangers of widely available personal data.

This week, WIRED published its How to Win a Fight package, which includes our roundup of tools for tracking the Trump administration’s attacks on civil liberties, plus the most up-to-date versions of our guides to protecting yourself from government surveillance, protesting safely in the age of surveillance, and protecting yourself from phone searches at the US Border. While you're at it, don't forget to print your own copy of the How to Win a Fight zine! Better yet, print two and leave one at your local coffee shop or library.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**Israel Reports That Iran Is Hacking Security Cameras for Spying**

Israeli officials said this week that Iran is compromising private security cameras around Israel to conduct espionage as the two countries exchange missile strikes after an initial Israeli barrage. A former Israeli cybersecurity official warned on public radio this week that Israelis should confirm that their home security cameras are protected by strong passwords or shut them down. “We know that in the past two or three days, the Iranians have been trying to connect to cameras to understand what happened and where their missiles hit to improve their precision,” Refael Franco, the former deputy director general of the Israel National Cyber Directorate, said. Like many internet-of-things devices, surveillance cameras are notoriously vulnerable to takeover if they are not secured with strong account protections. They have previously been targeted in other conflicts for intelligence gathering.

**Ukrainian Hack Reportedly Caused Comms Blackouts, Data Deletion in Russia**

The Kyiv Post reported this week that hackers from Ukraine’s Main Intelligence Directorate (HUR) launched a cyberattack against Russian internet service provider Orion Telecom that disabled 370 servers, took down roughly 500 network switches, and wiped backup systems to hinder recovery. The attacks reportedly caused internet and television outages. Orion Telecom reportedly said that it was recovering from a large DDoS attack and would quickly restore service. The attack came on June 12, the national holiday known as Russia Day. “Happy holiday, disrespectful Russians," the attackers wrote in a message circulated on Telegram groups. "Soon you’ll be living in the Stone Age—and we’ll help you get there. Glory to Ukraine.” The attackers claim to be part of Ukraine's BO Team hacking group. Sources told the Kyiv Post that Russian security agencies working on the country's war against Ukraine use Orion Telecom and were affected by the connectivity outages.

**Viasat ID’ed as Another Victim in China’s Salt Typhoon Telecom Hacking Spree**

Bloomberg reported this week that the satellite communication firm Viasat discovered a breach earlier this year perpetrated by China's Salt Typhoon espionage-focused hacking group. In early December, US authorities revealed that Salt Typhoon hackers had embedded themselves in major US telecoms, including AT&T and Verizon. After revelations last year of the group's extensive telecom hacking spree in the US and elsewhere, WIRED reported in February that Salt Typhoon was still actively breaching new victims. Viasat says it has been cooperating with federal authorities to investigate its breach.

**23andMe Hit With UK Fine Over 2023 Data Breach**

The United Kingdom's Information Commissioner’s Office (ICO) said this week that it issued a £2.31 million ($3.1 million) fine to the beleaguered genetic testing company 23andMe as a result of the company's damaging 2023 data breach. Attackers were able to access user accounts and their data using stolen login credentials, because at the time 23andMe did not require that users set up two-factor authentication, which the ICO says violated the UK's data protection law. The company has since mandated this protection for all users. More than 155,000 UK residents had their data stolen in the breach, according to the ICO, which said that 23andMe “did not have additional verification steps for users to access and download their raw genetic data” when the breach occurred.

Israel Says Iran Is Hacking Security Cameras for Spying

Iran is limiting internet connectivity for citizens amid Israeli airstrikes—pushing people towards domestic apps, which may not be secure, and limiting their ability to access vital information.

For years, the Iranian regime has been building the technology and infrastructure needed for it to control, censor, and shut down internet access for more than 80 million Iranians. In 2019, the country shut off internet access as police sought to silence protesters, while in 2022 WhatsApp and Instagram connections were severed following protests after the death of 22-year-old Mahsa Amini in police custody. Each shutdown deprives people of information and has huge economic costs. Now as the conflict between Israel and Iran approaches the end of its first week, internet connections within Iran have been restricted again, limiting people’s access to information and stopping them connecting with loved ones who may be in peril.

Hours after Israel’s Air Force bombed targets in Iran on June 13, escalating the shadow conflict between the two countries, the first reports of self-imposed internet disruptions inside Iran emerged. Iran’s Ministry of Communication, according to semi-official state news agency Tasnim, said “temporary restrictions” had been imposed due to the “special conditions” the country was facing. Since then, Israel and Iran have traded fire, continually raising the stakes in the conflict. US president Donald Trump has indicated, but not confirmed, that the United States could support further Israeli efforts to destroy Iranian nuclear facilities.

Internet connectivity in Iran saw a 54 percent drop on June 13, says Doug Madory, director of internet analysis at monitoring firm Kentik. Then, days later on June 17, there was an additional 49 percent drop from the already lower level of connectivity. After internet connections were briefly restored back to where they were earlier on Tuesday, it dropped again on Wednesday by another 90 percent, Madory says. “Numerous Iranian service providers \[are\] now offline in second national Internet blackout in as many days,” Madory posted on BlueSky on Wednesday. Multiple internet companies in Iran have been impacted by the restrictions, including cell providers.

“Things went to overdrive since yesterday,” says a researcher with internet freedom effort Project Ainita, who asked not to be named for safety reasons. “For a second day in a row, they have cut international connectivity, and this time it's even more severe than yesterday, affecting all domestic news sites as well.” Other internet monitoring efforts such as Cloudflare Radar and Netblocks have also observed the multiple internet shutdowns in recent days, with Netblocks calling the most recent a “near-total” blackout. Iranian news agency Khabar posted on its Telegram channel that international internet access in the country had been “temporarily restricted to prevent enemy abuse,” citing the Ministry of Communications.

Iran has reportedly also told officials to stop using internet-connected devices and claimed citizens should delete WhatsApp, which has previously introduced ways to circumvent censorship. Government officials have also said the shutdowns are to try to prevent potential cyberattacks. However, the widespread measures to control and restrict connectivity have left people in Iran struggling to communicate and find out vital information about the state of the conflict. The shutdowns come at a time when Trump has said the almost 10 million people living in the Iranian capital, Tehran, should “immediately evacuate” the area.

“This extensive censorship and internet disruption primarily serve the regime’s goal of maintaining control, especially over information,” says Mahsa Alimardani, a digital rights analyst of Iranian origin and the associate director of technology, threats, and opportunities at international human rights nonprofit Witness. “These internet blocks are jeopardizing people’s safety mainly in Tehran.”

Alimardani says that it appears mobile data services are patchy, and for many people virtual private networks, which can be used to avoid censorship, have stopped working. This means it has been difficult to reach people in the country and potentially for information to get out, Alimardani says. “Some family that left Tehran today were offline and disconnected from the internet and finally found some connectivity when they were 200 kilometers outside of Tehran in another province,” Alimardani explains. “My connections are primarily with people using home broadband Wi-Fi, but even that has been unstable.”

Over the last decade, countries have increasingly taken the draconian step of fully or partially shutting down internet connectivity for citizens in times of perceived crisis. There were 296 shutdowns last year, according to Access Now, an internet rights nonprofit that tracks the actions—the highest number of any on record. Shutdowns are often linked to repressive governments trying to restrict protests that could damage them, to limit people’s ability to gather and communicate freely, as part of conflicts, and even to try and stop cheating in exams.

“The internet is a lifeline, we have seen this in many places under conflict,” says Hanna Kreitem, director of internet technology and development at the Internet Society, which has been tracking the blackouts in Iran. Kreitem says that when the connectivity in Iran first started to drop on June 13, he heard from people with relatives in Iran that their services had significantly slowed down. “People under fire use it to get news, request help, learn of safer areas, and communicate with loved ones. And for people outside to learn about what is going on and know about their loved ones.”

To limit connectivity, countries use multiple different technical approaches. Iran has been developing its own internet alternative, an intranet system called the National Information Network, known as the NIN, for years. The NIN, according to analysis by Freedom House, allows “tiers” of internet access and lets the government censor content and push people towards home-grown Iran apps, such as alternatives messaging apps, that may have “weak privacy and security features.” (Freedom House rates Iran as “not free” in its most recent measures of internet freedom, highlighting persistent shutdowns, increasing costs, and efforts to push people to the domestic internet.)

Amir Rashidi, the director of digital rights and security at the Iran-focused human rights organization Miaan Group, says that amid the recent shutdowns, there have been increased efforts to push people towards Iranian apps. “In a climate of fear, where people are simply trying to stay connected with loved ones, many are turning to these insecure platforms out of desperation,” he posted online, telling WIRED that a messaging app called Bale appears to be getting attention. “Since they are hosted on NIN, they will work even during shutdown,” he says.

Iran is not the first country to restrict people’s access to the internet—and uncensored information—with the potential justification of protecting cybersecurity or security more broadly, says Lukasz Olejnik, an independent consultant and visiting senior research fellow at the Kings’ College London’s Department of War Studies. As global internet shutdowns have soared over the last decade, Olejnik says, officials in Myanmar, India, Russia, and Belarus have all cited security reasons for implementing blackouts.

“Internet shutdowns are largely ineffective against real-world state-level cyberattacks,” Olejnik says. He explains that military and critical infrastructure systems, like energy networks or transport systems, will typically operate on separate networks and not be accessible from the open internet. “Professional cyber operations could use other means of access, albeit it could indeed make it difficult to command and control some of the deployed malware (if this was the case),” Olejnik says. “What it would block primarily would be access to information for the society.”

Witness’ Alimardani says the technical details supporting any claims that the internet restrictions are meant to protect cybersecurity are “unclear,” and ultimately, the goal of these efforts may be to control people within Iran. “The official narrative from state news channels portrays a strong war against Israel and a path to victory,” Alimardani says. “Free and open access to media would undermine this narrative, and at worst, could incite Iranians to revolt, further eroding the regime's power.”

Iran’s Internet Blackout Adds New Dangers for Civilians Amid Israeli Bombings

After an attack on Iran’s Sepah bank, the hyper-aggressive Israel-linked hacker group has now destroyed more than $90 million held at Iranian crypto exchange Nobitex.

The Israel-linked hacker group known as Predatory Sparrow has carried out some of the most disruptive and destructive cyberattacks in history, twice disabling thousands of gas station payment systems across Iran and once even setting a steel mill in the country on fire. Now, in the midst of a new war unfolding between the two countries, they appear to be bent on burning Iran's financial system.

Predatory Sparrow, which often goes by its Farsi name, Gonjeshke Darande, in an effort to appear as a homegrown hacktivist organization, announced in a post on on its X account Wednesday that it had targeted the Iranian crypto exchange Nobitex, accusing the exchange of enabling sanctions violations and terrorist financing on behalf of the Iranian regime. According to cryptocurrency tracing firm Elliptic, the hackers destroyed more than $90 million in Nobitex holdings, a rare instance of hackers burning crypto assets rather than stealing them.

“These cyberattacks are the result of Nobitex being a key regime tool for financing terrorism and violating sanctions,” the hackers posted to X. “Associating with regime terror financing and sanction violation infrastructure puts your assets at risk.”

The incident follows another Predatory Sparrow attack on Iran's finance system on Wednesday, in which the same group targeted Iran's Sepah bank, claiming to have destroyed “all” the bank's data in retaliation for its associations with Iran's Islamic Revolutionary Guard Corps, and posting documents that appeared to show agreements between the bank and the Iranian military. “Caution: Associating with the regime's instruments for evading sanctions and financing its ballistic missiles and nuclear program is bad for your long-term financial health,” the hackers wrote. “Who's next?”

Sepah Bank's website was offline yesterday but appeared to be working again today. The bank didn't respond to WIRED's request for comment. Nobitex's website was offline today and the company couldn't be reached for comment.

As is often in the case in the fog of an unfolding war and its accompanying cyberattacks, what effects Predatory Sparrow's cyberattacks have had remain unclear. But Hamid Kashfi, an Iranian cybersecurity researcher living in Sweden and the founder of the cybersecurity firm DarkCell, says he has heard from contacts in Iran that Sepah's online banking and ATMs have been offline since the attacks began, causing widespread disruption to civilians' ability to access their funds. “There has been a lot of collateral damage,” Kashfi says. “It just seems to be straight up causing damage and chaos. I can't think of what other logic would be behind it. Yes, they provide services to the military. But they do for millions of regular joes and civilians as well.”

In the Nobitex attack, blockchain analysis reveals some of the details of Predatory Sparrow's sabotage: According to Elliptic, the eight-figure sum stolen from the exchange was moved to a series of crypto addresses that all started with variations on the phrase “FuckIRGCterrorists.” Those so-called “vanity” addresses typically can't be created in any way that offers control or recovery of funds held there, so Elliptic concludes that moving funds to those addresses was instead a pointed method of destroying the money. “The hackers clearly have political rather than financial motivations,” says Tom Robinson, Elliptic's cofounder. “The crypto they stole has effectively been burned.”

Elliptic also confirmed in its blog post about the attack that crypto tracing shows Nobitex does in fact have links with sanctioned IRGC operatives, Hamas, Yemen's Houthi rebels, and the Palestinian Islamic Jihad group. “It's also an act of sabotage, by attacking a financial institution that was pivotal in Iran's use of cryptocurrency to evade sanctions,” Robinson says.

Predatory Sparrow has long been one of the most aggressive cyberwarfare-focused groups in the world. The hackers, who are widely believed to have links to Israel's military or intelligence agencies, have for years targeted Iran with an intermittent barrage of carefully planned attacks on the country's critical infrastructure. The group has targeted Iran's railways with data-destroying attacks and twice disabled payment systems at thousands of Iranian gas stations, triggering nationwide fuel shortages. In 2022, it carried out perhaps the most physically destructive cyberattack in history, hijacking industrial control systems at the Khouzestan steel mill to cause a massive vat of molten steel to spill onto the floor, setting the plant on fire and nearly burning staff there alive, as shown in the group's own video of the attack posted to its YouTube account.

Exactly why Predatory Sparrow has now turned its attention to Iran's financial sector—whether because it sees those financial institutions as the most consequential or merely because its banks and crypto exchanges were vulnerable enough to offer a target of opportunity—remains unclear for now, says John Hultquist, chief analyst on Google's threat intelligence group and a longtime tracker of Predatory Sparrow's attacks. Almost any conflict, he notes, now includes cyberattacks from hacktivists or state-sponsored hackers. But the entry of Predatory Sparrow in particular into this war suggests there may yet be more to come, with serious consequences.

“This actor is very serious and very capable, and that's what separates them from many of the operations that we'll probably see in the coming weeks or months,” Hultquist says. “A lot of actors are going to make threats. This is one that can follow through on those threats.”

_Updated June 18, 2025, at 10:52 am EDT: Added additional context and comments from cybersecurity researcher Hamid Kashfi._

Israel-Tied Predatory Sparrow Hackers Are Waging Cyberwar on Iran’s Financial System

The shooter allegedly researched several “people search” sites in an attempt to target his victims, highlighting the potential dangers of widely available personal data.

The man who allegedly assassinated a Democratic Minnesota state representative, murdered her husband, and shot a state senator and his wife at their homes in a violent spree early Saturday morning may have gotten their addresses or other personal details from online data broker services, according to court documents.

Suspect Vance Boelter, 57, is accused of shooting Minnesota representative Melissa Hortman and her husband, Mark Hortman, in their home on Saturday. The couple died from their injuries. Authorities claim the suspect also shot state senator John Hoffman and his wife Yvette Hoffman in their home earlier that night. The pair are currently recovering and are “incredibly lucky to be alive,” according to a statement from their family.

According to an FBI affidavit, police searched the SUV believed to be the suspect's and found notebooks that included handwritten lists of “more than 45 Minnesota state and federal public officials, including Representative Hortman’s, whose home address was written next to her name.” According to the same affidavit, one notebook also listed 11 mainstream search platforms for finding people's home addresses and other personal information, like phone numbers and relatives.

The addresses for both lawmakers targeted on Saturday were readily available. Representative Hortman's campaign website listed her home address, while Senator Hoffman's appeared on his legislative webpage, The New York Times reports.

“Boelter stalked his victims like prey,” acting US attorney Joseph Thompson alleged at a press conference on Monday. “He researched his victims and their families. He used the internet and other tools to find their addresses and names, the names of their family members.” Thompson also alleged that the suspect surveilled victims' homes.

The suspect faces several charges of second-degree murder.

Privacy and public safety advocates have long argued that the US should regulate data brokers to guarantee that people have better control over the sensitive information available about them. The US has no comprehensive data privacy legislation, and efforts to regulate data brokers from within federal agencies have largely been quashed.

“The accused Minneapolis assassin allegedly used data brokers as a key part of his plot to track down and murder Democratic lawmakers,” Ron Wyden, the US senator from Oregon, tells WIRED. “Congress doesn't need any more proof that people are being killed based on data for sale to anyone with a credit card. Every single American's safety is at risk until Congress cracks down on this sleazy industry.”

In many cases, basic information like home addresses can be found through public records, including voter registration data (which is public in some states) and political donations data, says Gary Warner, a longtime digital scams researcher and director of intelligence at the cybersecurity firm DarkTower. Anything that isn't readily available through public records is almost always easy to find using popular “people search” services.

“Finding a home address, especially if someone has lived in the same place for many years is trivial,” Warner says. He adds that for “younger people, non-homeowners, and less political people, there are other favorite sites” for finding personal information.

For many in the general public as well as in politics, Saturday's violent crime spree brings new urgency to the long-standing question of how to protect sensitive personal data online.

“These are not the first murders that have been abetted by the data broker industry. But most of the previous targets were relatively unknown victims of stalking and abuse,” alleges Evan Greer, deputy director of the digital rights group Fight for the Future. “Lawmakers need to act before they have more blood on their hands.”

Minnesota Shooting Suspect Allegedly Used Data Broker Sites to Find Targets’ Addresses

The White House has undertaken initiatives to crack down on immigration, suppress speech, and curtail US public health efforts. These online tools are tracking the rapidly changing US landscape.

In just a few months, Donald Trump’s second presidential term has drastically reshaped the United States federal government and moved to consolidate the power of the executive branch. At the behest of the president, numerous federal agencies have undertaken aggressive, invasive initiatives to crack down on immigration, police speech, investigate political opponents, curtail US public health efforts and emergency preparedness, and more.

With so much happening at once, numerous organizations and individuals have launched databases, interactive maps, and other trackers to catalog these government actions and their impacts on people’s civil rights across the US. Using open source intelligence, public data, news coverage, and other research, these tools are vital resources for documenting, contextualizing, and analyzing the flood of federal activity that is fundamentally reshaping the US. Here are a few prominent examples.

**The Impact Map**

**by The Impact Project, Americans for Public Service**

This interactive map tracks changes to US federal government funding, workforce, and policy across the country, documenting things like mass worker firings, hiring freezes, funding cuts, and lease terminations. The tool also shows places where funding has subsequently been unfrozen, federal workers have been rehired or may be, or the federal government has added a new service or benefit.

The map includes notations to specifically document impacts in rural US counties, areas in which the population is majority non-white, places where 20 percent or more of the population live below the poverty line, and indigenous lands. It also catalogs responses to these initiatives, including legal actions as well as local and state responses to funding cuts.

**United States Disappeared Tracker**

**by Danielle Harlow, data analyst**

This dashboard tallies the number of people impacted by the Trump administration’s mass deportations carried out by US Immigration and Customs Enforcement (ICE). The number is already over 4,000. The tool also monitors the status of each individual to the degree that information is available, noting their names, original country of origin, and where they are being detained, when available.

The tracker crucially follows each individual’s status, noting whether they are in ICE custody, have been released temporarily or permanently, have been deported, have “self-deported,” or have died in ICE custody. The tool also lists how many days their ordeal has continued.

**ICE Flight Tracking**

**by Tom Cartwright, immigration rights advocate**

Tom Cartwright is a retired JP Morgan executive who uses flight monitoring data from around the country to track ICE Air deportation flights, return flights, and flights within the US. He posts regular, specific updates on his Bluesky social media page and produces monthly reports for the immigration rights group Witness at the Border about ICE Air flights and tallies. In the past 12 months, Cartwright has collected data on roughly 8,000 ICE Air flights, including 824 in April. More than 1,500 of that 12-month total were “removal flights,” while about 1,400 were “removal return” flights. The other roughly 5,000 trips were “ICE Air domestic flights” within the US.

**Regulatory Changes Tracker**

**by The Brookings Institution**

The think tank Brookings has built a database cataloging significant regulatory changes implemented since the start of the second Trump administration. It includes new executive orders and regulatory freezes as well as Trump administration changes to executive orders that were issued by past administrations. For example, the White House rescinded a 2022 Biden executive order aimed at lowering the cost of prescription drugs and another from that year calling for research into cryptocurrency regulation.

**Trump Administration Litigation Trackers**

**by Just Security and Lawfare**

The law and policy publications Just Security and Lawfare each offer databases that track lawsuits challenging Trump administration initiatives. The tools include case names, docket numbers, and jurisdictions, as well as the executive action being challenged and the status of the litigation. In most cases, the Trump administration has pursued its agenda without congressional oversight or corresponding legislation, and a number of Trump administration efforts that have been challenged in court thus far have either been paused or permanently blocked from continuing.

**Far Right Groups Targeting Pride Month**

**by Teddy Wilson, Radical Reports**

Anti-LGBTQ+ groups, including fundamentalist Christian nationalists and white supremacist extremist groups, have targeted Pride Month events previously and are expected to again this June, particularly given the Trump administration’s violent rhetoric and executive actions related to trans rights. This map is tracking Pride Month events around the country and indications that radical opposition groups plan to target the gatherings.

6 Tools for Tracking the Trump Administration’s Attacks on Civil Liberties

Right now, everyone seems ready to throw down. More than ever, it’s important to fight smart—and not give up until you land a decisive blow.

I don’t think there’s anything quite so satisfying as winning a fight—especially when you land that victory with a resounding and definitive punch to your opponent’s gut.

In some instances, that’s a literal victory. Just ask my third-grade playground nemesis; it’s the one and only time I ever threw that kind of breathtaking slug, and yeah, she had it coming.

But much more often, that feeling comes during fights that transcend the physical. Especially right now, when it feels like there are more of them than ever. The American electorate wants to fight President Trump, or Congress, or one another; Tesla owners, and Tesla haters, want to fight Elon Musk; Elon Musk wants to fight the entire internet, including Trump himself. (Musk later apologized, which Trump said was “nice.”) On a more serious note, scores of people—from student activists to federal workers, from immigrants to the LGBTQ+ community—find themselves forced to fight deportation, government surveillance, and the drastic erosion of fundamental human rights. Just this past weekend millions of people took to the streets in hundreds of US cities to protest Trump’s policies.

That latter battle is one for all of us to take on. It might be more possible to win than you think: Erica Chenoweth, from Harvard’s Carr Center for Human Rights Policy, theorizes that modern-day nonviolent protests involving more than 3.5 percent of a given population have never failed to catalyze change. Physical protests can be effective, but remember that there are plenty of ways to deliver that metaphorical gut punch—to really, decisively, _win_ a fight.

WIRED is here to help. In our latest package, we’re exploring the myriad battles—both big and small, existential and elementary—playing out all around us, and how they can best be won. WIRED reporters are here to tell you the definitive story of the Tesla Takedown, and we’re partnering with our colleagues at Them to walk you through the battle over the future of gender-affirming care. We’re also chatting with the internet’s most impressive shitposters to get their advice on out-trolling the trolls, and talking to a Hollywood stunt performer about the skills required to vanquish adversaries.

Finally, we’ve got all the guidance you could possibly need to fight the Big Fights in this moment, from locking down your digital security to protesting safely amid increasing—and increasingly dangerous—government surveillance.

So put on your big-person pants, shake off any lingering nerves, and remember: Whatever you’re fighting for in this moment, don’t stop until you land that victory blow. But please, not a physical one. WIRED doesn’t condone violence, and I still feel kinda bad about that third grade thing.

Why We Made a Guide to Winning a Fight

Plus: Spyware is found on two Italian journalists’ phones, Ukraine claims to have hacked a Russian aircraft maker, police take down major infostealer infrastructure, and more.

With demonstrations ramping up against the Trump administration, this week was all about protests. With President Donald Trump taking the historic step to deploy US Marines and the National Guard to Los Angeles, we dove into the “long-term dangers” of sending troops to LA, as well as what those troops are permitted to do while they’re there.

Of course, it’s not just the military getting involved in the LA protests against the heavy crackdowns by Immigration and Customs Enforcement (ICE). There’s also Customs and Border Protection (CBP), which further escalated federal involvement by flying Predator drones over LA. And there are local and state authorities, who’ve used “nonlethal” weapons and chemical agents like tear gas against protesters. Even Waymo’s self-driving taxis—some of which were set on fire during last weekend’s LA protests—could be used to investigate people who commit crimes during demonstrations thanks to their surveillance capabilities.

In addition to protests, the undocumented community is pushing back against ICE’s enforcement activities by turning social media platforms into DIY alert systems for ICE raids and other activities. And with thousands of protests scheduled to take place this weekend, we updated our guide to protecting your privacy—in addition to your physical safety—while demonstrating.

Even if you’re not an immigrant nor attending any protests, it’s possible your data is still getting shared with immigration authorities. In partnership with WIRED, 404 Media this week revealed that a data broker owned by major airlines sold domestic US flight data to CBP and instructed the agency to not reveal that it did so. 404 also detailed a bug that allowed a researcher to discover the phone numbers connected to any Google accounts. (The bug has since been fixed.) Finally, we dissected Apple’s AI strategy, which appears to bank more on privacy than on splashy features.

And that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The Trump administration quietly ordered the transfer of Medicaid data belonging to undocumented individuals to deportation officials this week, according to the Associated Press, in a move legal experts warn is likely to erode public trust in the government's handling of personal data and result in a chilling effect among undocumented people desperate for medical care.

The transfer, which was reportedly ordered by Health and Human Services secretary Robert F. Kennedy Jr.'s office and included names, addresses, immigration status, and health claims, pertains to millions of enrollees, many in states that pay for the coverage using their own funds, the AP reports. The transfer may also be illegal, violating the Social Security Act and other data-handling statutes. According to the AP, Medicaid officials warned the administration that they did not have legal authority to disclose the records and that doing so would carry legal and reputation risks that could lead states to begin refusing to share information with the federal government, impacting the agency's operational functions.

California governor Gavin Newsom, whose state is occupied by undesired federal military forces and ICE agents conducting continuous sweeps across neighborhoods heavily populated by immigrants, condemned the act, calling it “potentially illegal.” An HHS official rejected the claim, saying the agency acted in full compliance with the law, while declining to clarify to reporters how the data would actually be used.

**2 Italian Journalists’ Phones Hacked With Paragon Spyware**

Move over, NSO Group. Two Italian journalists were hacked with spyware made by Israeli phone-focused surveillance firm Paragon, Citizen Lab revealed this week in a report based on forensic analyses of their phones. Two other Italians, both staffers at the immigrant rescue nonprofit Mediterranea Saving Humans, also had their phones compromised with the same malware. Paragon’s Graphite malware, like NSO’s Pegasus, infects phones with a zero-click technique that requires no interaction from the victim—in this case using a vulnerability in iPhones that was patched in iOS version 18.3 earlier this year. While Citizen Lab couldn’t determine the Paragon customer behind the intrusions, there’s reason to suspect the Italian government, given that an Italian parliamentary committee determined in a report earlier this month that two Italian intelligence agencies are Paragon customers.

**Ukraine Says It Hacked a Russian Aircraft Maker That Produces Strategic Bombers**

In its latest salvo against the Russian air force, Ukraine’s HUR military intelligence agency said that it had hacked into the network of Tupolev, an aerospace company that manufactures and services Russia’s strategic bombers. According to the cybersecurity news outlet The Record, the Ukrainian state hackers claim to have stolen 4.4 gigabytes of data, including internal communications, meeting notes, personnel files, and purchase records. Specifically, HUR says it was targeting data about individuals involved in the servicing and maintenance of Russia’s bomber fleet, which has targeted Ukrainian cities. The hackers also defaced the homepage of Tupolev’s website to show an owl clutching a Russian aircraft. “There is nothing secret left in Tupolev's activities for Ukrainian intelligence,” HUR said in a statement. “The result of the operation will be noticeable both on the ground and in the sky.” The move follows Ukraine’s unprecedented drone operation earlier this month that damaged or destroyed 41 Russian aircraft, including bombers and spy planes.

**International Law Enforcement Conducts Major Takedown of Infostealer Infrastructure**

On Wednesday, a consortium of cops from Interpol and 26 countries announced a takedown, dubbed “Operation Secure,” of domains and other digital infrastructure linked to 69 infostealer malware variants. In recent years, malicious hackers have leaned more and more on information-stealing malware, or infostealers, that grab sensitive information like passwords, cookies, and search histories to make it easier for attackers to target specific organizations and individuals. Operation Secure ran from January to April this year, Interpol said, and involved takedowns of more than 20,000 malicious IP addresses or domains and seizure of 41 servers as well as more than 100 GB of data. A total of 32 people were also arrested in connection with the investigation in Vietnam, Sri Lanka, Nauru, and elsewhere. Interpol described the operation as a “regional initiative” organized by the Asia and South Pacific Joint Operations Against Cybercrime Project.

**Meta Sues a Nudify App for Advertising on Instagram**

Meta sued Hong Kong–based Joy Timeline HK Limited for repeatedly advertising an app on Instagram called CrushAI that offers “nudify” deepfakes, using artificial intelligence to remove the clothes from anyone in a photo. Meta said in its announcement of the lawsuit that the company had repeatedly violated its terms of service for advertisers and that the move is part of a larger crackdown on similar deepfake apps pushed by “adversarial advertisers,” as it dubs the companies who violate its terms. “We’ll continue to take the necessary steps—which could include legal action—against those who abuse our platforms like this,” Meta wrote in a statement.

RFK Jr. Orders HHS to Give Undocumented Migrants’ Medicaid Data to DHS

Army intelligence analysts are monitoring civilian-made ICE tracking tools, treating them as potential threats, as immigration protests spread nationwide.

As protests continue to swell across the United States in response to aggressive Immigration and Customs Enforcement actions, civilians are turning to homebrew digital tools to track ICE arrests and raids in real time. But restricted government documents, obtained by the nonprofit watchdog Property of the People, show that US intelligence agencies are now eyeing the same tools as potential threats. A law enforcement investigation involving the maps is also apparently underway.

Details about Saturday’s “No Kings” protest—specifically those in California—are also under watch by domestic intelligence centers, where analysts regularly distribute speculative threat assessments among federal, state, and local agencies, according to an internal alert obtained exclusively by WIRED.

A late-February bulletin distributed by a Vermont-based regional fusion center highlights several websites hosting interactive maps that allow users to drop “pins” indicating encounters with ICE agents.

The bulletin is based on information initially shared by a US Army threat monitoring center known as ARTIC. While it acknowledges that most of the users appear to be civilians working to avoid contact with federal agents, it nevertheless raises the specter of “malicious actors” potentially relying on such open-source transparency tools to physically target law enforcement.

ARTIC, which operates under the umbrella of the Army’s Intelligence and Security Command, could not be immediately reached for comment.

Property of the People, a nonprofit focused on transparency and national security, attempted to obtain additional details about the maps using public records laws. The group was informed by the Northern California Regional Intelligence Center (NCRIC) that all relevant information is “associated with active law enforcement investigations.”

The NCRIC did not immediately respond to WIRED’s request for comment.

“Law enforcement is sounding the alarm over implausible, hypothetical risks allegedly posed by these ICE raid tracking platforms,” Ryan Shapiro, executive director of Property of the People, tells WIRED. “But transparency is not terrorism, and the real security threat is militarized secret police invading our communities and abducting our neighbors.”

The documents identify maps and information shared across Reddit and the website Padlet, which allows users to collaborate and build interactive maps. An “OPSEC” warning concerning the maps was also separately issued in February by the Wisconsin Statewide Intelligence Center (WSIC). That report indicates the sites are being treated as a “strategic threat” and are under monitoring by a special operations division.

WSIC, which could not be immediately reached for comment, warned in its report about persistent online threats aimed at ICE officers, highlighting posts on social media apps like X and TikTok that include messages calling for Americans to stockpile weapons and “shoot back.” While some posts were judged to contain “explicit threats,” most appear to reflect cathartic outrage over the Trump administration’s punitive immigration enforcement tactics, with intelligence analysts noting that many of the users were “discussing hypothetical scenarios.” Nevertheless, the analysts flagged the sheer volume and tone of the content as a genuine officer safety concern.

Each document is marked for law enforcement eyes only—a warning not to discuss details with the public or press.

A separate report obtained by WIRED and dated mid-May shows the Central California Intelligence Center (CCIC) monitoring plans for the upcoming “No Kings” protests. It identifies Sacramento, Fresno, and Stockton, among dozens of other protest sites. The information is widely available online, including on the No Kings website.

The bulletin notes the protests are promoted as a “nonviolent action,” but says the agency plans to produce additional intelligence reports for “threat liaison officers.” It concludes with boilerplate language that states the CCIC recognizes the right of citizens to assemble, speak, and petition the government, but frames the need to gather intelligence on “First Amendment-protected activities” as essential to “assuring the safety of first responders and the public.”

Roughly 2,000 protests are scheduled to take place nationwide concurrent with a military parade in Washington, DC, expected to feature 6,600 US Army soldiers, 150 military vehicles, including 28 M1 Abrams tanks, rocket launchers, and precision-guided missiles.

Protests have erupted in Los Angeles and cities nationwide over the past week in response to a Trump-ordered immigration crackdown and the deployment of federal troops, including Marines and National Guard units, to support law enforcement.

Demonstrators are pushing back against what they view as an authoritarian show of force—as surveillance drones fly overhead and armored vehicles roll through immigrant-heavy neighborhoods. Tensions have flared between protesters and police, fueling concerns about surveillance, civil liberties, and the legality of using military force to suppress civil unrest.

The use of military-grade equipment and limits on troop authority have emerged as key flashpoints in a broader debate over executive power and immigration enforcement.

The No Kings organizers frame the demonstrations as a nationwide day of defiance: “From city blocks to small towns, from courthouse steps to community parks, we’re taking action to reject authoritarianism—and show the world what democracy really looks like.”

'No Kings’ Protests, Citizen-Run ICE Trackers Trigger Intelligence Warnings

Customs and Border Protection flying powerful Predator B drones over Los Angeles further breaks the seal on federal involvement in civilian matters typically handled by state or local authorities.

On Wednesday, United States Customs and Border Protection confirmed to 404 Media that it has been flying Predator drones over Los Angeles amid the LA protests. The military drones, a CBP statement said, “are supporting our federal law enforcement partners in the Greater Los Angeles area, including Immigration and Customs Enforcement, with aerial support of their operations.”

State-level law enforcement agencies across the US use various types of drones and other vehicles, like helicopters, to conduct aerial surveillance, and other agencies use drones in their operations as well. For example, the California Department of Forestry and Fire Protection “doubled its use of drones” this year, according to the office of Governor Gavin Newsom, as part of efforts to combat forest fires. However, CBP's MQ-9 Reaper drones, also known as Predator B drones, are military-caliber UAVs used for aerial reconnaissance that can be armed.

In 2020, during President Donald Trump's first administration, CBP flew a Predator drone over Minneapolis during the George Floyd protests. And, in the intervening years, researchers have tracked Department of Homeland Security Predator drones flying over various US cities with no clear explanation. In the case of LA, Trump has deployed more than 700 active-duty Marines and federalized the National Guard, sending nearly 4,000 guardsmen to California over Newsom's objections. In combination with these actions, the presence of the CBP drones paints a picture of expanding federal involvement—and potentially control—over what are typically state matters.

“Military gear has been used for domestic law enforcement for a long time, but flying military gear over LA at a time when the president has sent military units against the wishes of the governor is noteworthy," says Matthew Feeney, a longtime emerging technologies researcher and advocacy manager at the nonpartisan UK civil liberties group Big Brother Watch. “If the federal government portrays immigration as a national security issue, we shouldn’t be surprised if it openly uses the tools of national security—i.e., military hardware—in response.”

Carrying powerful cameras and other sensors, Predator drones can record clear, detailed footage of events like protests from high altitudes.

CBP's “Air and Marine Operations (AMO) is providing aerial support to federal law enforcement partners conducting operations in the Greater Los Angeles area,” CBP told WIRED in a statement responding to questions about whether the operation over LA is routine or anomalous. “AMO’s efforts are focused on situational awareness and officer safety support as requested.”

Patrick Eddington, a senior fellow in homeland security and civil liberties at the Cato Institute, warns that “the more the protests spread to other cities, the more of that kind of surveillance we’ll see.”

CBP told 404 Media this week that “AMO is not engaged in the surveillance of first amendment activities.” That statement aligns with a commitment the US Department of Homeland Security made in December 2015. “Unmanned aircraft system-recorded data should not be collected, disseminated or retained solely for the purpose of monitoring activities protected by the US Constitution, such as the First Amendment’s protections of religion, speech, press, assembly, and redress of grievances (e.g., protests, demonstrations),” a DHS “Privacy, Civil Rights & Civil Liberties Unmanned Aircraft Systems Working Group” wrote at the time.

In practice, though, it is unclear how the Predator surveillance could “support” ICE agents and other federal law enforcement without monitoring the protests and capturing images of protesters.

While researchers note that the use of Predator drones over LA is not unprecedented—and, at this point, perhaps not surprising—they emphasize that this pattern of activity over time only makes it more likely that the federal government will deploy such monitoring in the future, regardless of how a state is handling a situation.

“It’s not new or even all that unexpected from a spooked Trump administration, but it’s still a terrible use of military technology on civilian populations,” says UAV researcher Faine Greenwood. “It’s basically continuing a worrying trend, but also people should be angry about it and refuse to normalize it.”

CBP's Predator Drone Flights Over LA Are a Dangerous Escalation

Pentagon rules sharply limit US Marines and National Guard activity in Los Angeles, prohibiting arrests, surveillance, and other customary police work.

For the first time in decades, active-duty US Marines are rolling into Los Angeles—not for disaster relief or training drills, but to guard federal buildings during a protest crackdown that legal experts say threatens long-standing limits on military power at home.

The deployment, announced by President Donald Trump on Monday, involves more than 700 Marines from the 2nd Battalion, 7th Regiment of the 1st Marine Division, based at Camp Pendleton and Twentynine Palms. Mobilized under Title 10 orders, the Marines have been commanded to protect federal property and personnel from mounting protests over aggressive immigration raids and neighborhood sweeps. It is a rare and forceful use of federal military power on US soil.

The mobilization follows Trump’s June 7 order that federalized as many as 4,000 California national guardsmen, overriding the objections of state officials and igniting a high-stakes legal fight.

A US district judge on Thursday ordered Trump to return control of the guardsmen to the state of California, saying the takeover was unlawful, only likely to inflame tensions in the city, and had deprived the state of resources necessary “to fight fires, combat the fentanyl trade, and perform other critical functions.” The injunction was quickly stayed, however, by a federal appeals court, pending a hearing next week.

Protests began Friday in Westlake, an immigrant-heavy neighborhood near downtown LA, where residents rallied in response to sweeping ICE raids that targeted day laborers outside local businesses. Demonstrators marched, held signs, and chanted for several hours before tensions escalated after police declared an unlawful assembly and advanced on the crowd. LAPD officers and federal agents deployed a range of crowd control weapons, including batons, tear gas, pepper spray, and flash-bang grenades. Reports from journalists and observers describe nonviolent protesters—and members of the press—being struck by rubber bullets and stun devices during the crackdown.

Widespread protests are expected in LA and at some 2,000 other locations around the US this weekend.

While the president holds broad emergency powers, legal scholars say that without invoking the Insurrection Act—a statute that permits domestic troop deployments only in cases of a rebellion or civil rights violations—federal law sharply limits what active-duty forces can do. Marines may not act as a _posse comitatus_, or function as law enforcement. They're barred from conducting surveillance and, in general, crowd control, as well as _officially_ arresting people, and may otherwise only support police in narrowly defined ways, according to Defense Department rules.

Pentagon directives governing “civil disturbance operations” reinforce these limits. Federal troops are prohibited from arresting civilians, searching property, and collecting evidence. They may not conduct surveillance of US persons. That includes not just individuals but vehicles, locations, and “transactions.” They may not serve as undercover agents, informants, or interrogators. Unless a crime is committed by a service member or on military property, Title 10 forces are likewise banned from engaging in any kind of forensics for the benefit of civilian police—unless they are willing to put in writing that such evidence was obtained by consent.

US Northern Command, which oversees military support to nonmilitary authorities in the contiguous 48 states, said Friday that Marines would not conduct “arrests” but are authorized to "temporarily hold" people in "specific circumstances" until police arrive to make a _formal_ arrest. The clarification follows the emergence of a video showing Marines in LA detaining a civilian with plastic handcuffs before awaiting police—the first known instance of such an action during the current deployment.

There are numerous other scenarios in which the military can provide assistance to police, including by giving them “information” obtained “in the normal course” of their duties, unless applicable privacy laws prohibit it. Military members can also provide police with a wide variety of assistance so long as it’s in a “private capacity” and they’re off duty. Additionally, they can provide “expert advice,” so long as it doesn’t count as serving a function core to civilian police work.

The Department of Defense did not immediately respond to a request for comment; however, a staff member in the Office of the Under Secretary of Defense for Policy confirmed for WIRED by phone the current set of policies under which deployed federal troops must operate.

There is one major caveat to the military’s restrictions. During an “extraordinary emergency,” military commanders may take limited, immediate action to prevent massive destruction or to restore critical public services, but only so long as presidential approval is “impossible” to obtain in advance. And while military personnel are naturally expected to maintain order and discipline at all times, under no circumstances are they required to stand down when their lives, or the lives of others, are in immediate danger.

Still, enforcement of these rules in the field is far from guaranteed. Legal experts warn that adherence often varies in chaotic environments. Trump administration officials have also demonstrated a willingness to skirt the law. Last week, homeland security secretary Kristi Noem asked the Pentagon to authorize military assistance in conducting arrests and to deploy drone surveillance, according to a letter obtained by The San Francisco Chronicle—a move experts say directly contradicts standing legal prohibitions.

At a press conference on Thursday, Noem stated the federal government was on a mission to “liberate” Los Angeles from “socialists” and the “leadership” of California governor Gavin Newsom and LA mayor Karen Bass. US Senator Alex Padilla, who represents the citizens of California, was forcibly removed from the press conference after attempting to question Noem. Outside the press conference room, federal agents forced the senator to the ground, where he was temporarily placed in handcuffs.

Unlike the National Guard, which is well trained for domestic crowd control, active-duty Marines generally receive relatively little instruction in handling civil unrest. Those who do typically belong to military police or specialized security units. Nonetheless, the Marine Corps has published footage online showing various task forces training with riot-control tactics and “nonlethal” weapons. Constitutional concerns do not arise, however, when Marines face off against foreign mobs—such as in civilian zones during the Afghanistan war or on the rare occasion protesters breach the perimeter of a US embassy. And wartime rules of engagement are far more lenient than the rules of force by which Marines must adhere domestically.

In a statement on Wednesday, Northern Command confirmed the Marines had undergone training in all “mission essential tasks,” including “de-escalation” and “crowd control.” They will reportedly be accompanied by legal and law enforcement experts.

Constitutional experts warn that deploying military forces against civilian demonstrators blurs the line between law enforcement and military power, potentially setting a dangerous precedent for unchecked presidential authority. The risk deepens, they say, if federal troops overstep their legal bounds.

If lines are crossed, it could open a door that may not close easily—clearing the way for future crackdowns that erode Americans’ hard-won civil liberties.

_Updated 7:40 pm ET, June 13, 2025: This story has been updated to include details about the first known arrest in 2025 of a protester by US Marines._

Source

Wired