Android’s “Scam Detection” protection in Google Messages will now be able to flag even more types of digital fraud.

Digital scammers have never been so successful. Last year Americans lost $16.6 billion to online crimes, with almost 200,000 people reporting scams like phishing and spoofing to the FBI. More than $470 million was stolen in scams that started with a text message last year, according to the Federal Trade Commission. And as the biggest mobile operating system maker in the world, Google has been scrambling to do something, building out tools to warn consumers about potential scams.

Ahead of Google’s Android 16 launch next week, the company said on Tuesday that it is expanding its recently launched AI flagging feature for the Google Messages app, known as Scam Detection, to provide alerts on potentially nefarious messages like possible crypto scams, financial impersonation, gift card and prize scams, technical support scams, and more. Combined with other AI security features for Google Messages—all of which run locally on users’ devices and do not share data or message content with the company—Android is now detecting roughly 2 billion suspicious messages a month.

“The fraud is truly heartbreaking,” says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. “There’s really a very huge amount—almost epidemic and a scourge to humanity—of financial scams that are all across the world.”

Scammers operate all over the world, but Chinese scam groups particularly are behind millions of fraudulent messages, demanding things like “toll” payments or information for alleged postal service deliveries. When people click the links and enter their details, including payment information, scammers steal their data. In some cases, the scams are designed as a sort of smash-and-grab, where attackers quickly trick users into giving up some crumbs of information, like a pair of login credentials or a credit card number. These scams tend to be more formulaic and are potentially easier to detect. The more complex challenge is in detecting highly involved investment or romance scams—often called pig butchering scams—that build and evolve over months of messaging while scammers build a rapport with their targets before tricking them into handing over their life savings or even going into debt to send more money.

“It takes time for them to get to the scam—it’s not just click on the link,” Kleidermacher says. “By having the AI on-device, you can actually watch and observe these more sophisticated conversations and then detect their scams.”

Courtesy of Google

Courtesy of Google

In a screenshot of the Scam Detection feature provided by Google, an encrypted RSC chat shows a typical scam message saying an EZ Pass toll payment is outstanding. The message adds that the “legal ability” to drive may be revoked if the payment is not made. The message includes a link that directs someone toward a malicious payment website. The Scam Detection overlay at the bottom of the screen says that “suspicious activity” has been detected in the message and offers a way to report and block the sender, alongside an option that allows people to flag that it is not a scam.

Google is far from the only company using AI to try to combat scammers and stop them from reaching people’s inboxes. Some have turned to using AI to directly fight back against scammers. The British telecom company O2, for example, created an “AI Granny” that is set up to keep scammers on the phone and waste their time. And the online scam baiter Kitboga has created a series of bots to make simultaneous calls to call centers that run scams.

Meanwhile, in recent months, Meta, which owns WhatsApp, Messenger, and Instagram, has started to introduce pop-up warnings when people are asked to make payments in chat messages. Elsewhere, cybersecurity company F-Secure has created a beta tool to help people identify if a message and sender are likely scammers and block messages. Putting a layer of friction in place that nudges people away from messaging accounts they don’t know or replying to messages asking for details can reduce the chances that scammers are successful.

Google’s Kleidermacher says that the company is seeing “really positive impact” from using its machine learning systems to detect potential scam messages in real time. As the protections continue to mature, he notes that the underlying system could eventually proliferate beyond just the Google Messages app into third-party communication platforms.

For now, some of that expansion is starting within Google’s own products. The company also said on Tuesday that it is in the early phases of testing ways to incorporate scam detection for phone calls, but the capability has not been widely deployed.

Google Is Using On-Device AI to Spot Scam Texts and Investment Fraud

Before a crackdown by Telegram, Xinbi Guarantee grew into one of the internet’s biggest markets for Chinese-speaking crypto scammers and money laundering. And all registered to a US address.

As the underground industry of crypto investment scams has grown into one of the world's most lucrative forms of cybercrime, the secondary market of money launderers for those scammers has grown to match it. Amid that black market, one such Chinese-language service on the messaging platform Telegram blossomed into an all-purpose underground bazaar: It has offered not only cash-out services to scammers but also money laundering for North Korean hackers, stolen data, targeted harassment-for-hire, and even what appears to be sex trafficking. And somehow, it's all overseen by a company legally registered in the United States.

According to new research released today by crypto-tracing firm Elliptic, a company called Xinbi Guarantee has since 2022 facilitated no less than $8.4 billion in transactions via its Telegram-based marketplace prior to Telegram’s actions in recent days to remove its accounts from the platform. Money stolen from scam victims likely represents the “vast majority” of that sum, according to Elliptic's cofounder Tom Robinson. Yet even as the market serves Chinese-speaking scammers, it also boasts on the top of its website—in Mandarin—that it's registered in Colorado.

“Xinbi Guarantee has served as a giant, purportedly US-incorporated illicit online marketplace for online scams that primarily offers money laundering services,” says Robinson. He adds, though, that Elliptic has also found a remarkable variety of other criminal offerings on the market: child-bearing surrogacy and egg donors, harassment services that offer to threaten or throw feces at any chosen victim, and even sex workers in their teens who are likely trafficking victims.

Xinbi Guarantee is the second such crime-friendly Chinese-language market that Robinson and his team of researchers have uncovered over the past year. Last July, they published a report on Huione Guarantee, a similar Cambodia-based service that Elliptic said in January had facilitated $24 billion in transactions—largely from crypto scammers—making it the biggest illicit online marketplace in history by Elliptic's accounting. That market's parent company, Huione Group, was added to a list of known money laundering operations by the US Treasury's Financial Crimes Enforcement Network earlier this month in an attempt to limit its access to US financial institutions.

After WIRED reached out to Telegram last week about the illicit activity taking place on Xinbi Guarantee’s and Huione Guarantee’s channels on its messaging platform, Telegram appears to have responded Monday by banning many of the central channels and administrator accounts used by both Xinbi Guarantee and Huione Guarantee. “Criminal activities like scamming or money laundering are forbidden by Telegram's terms of service and are always removed whenever discovered,” Telegram spokesperson Remi Vaughn wrote to WIRED in a statement. “Communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down.”

Telegram had banned several of Huione Guarantee’s channels in February following an earlier Elliptic report on the marketplace, but Huione Guarantee quickly re-created them, and it’s not clear whether the new removals will prevent the two companies from rebuilding their presence on Telegram again, perhaps with new accounts or even new branding. “These are very lucrative businesses, and they’ll attempt to rebuild in some way,” Robinson said of the two marketplaces following Telegram’s latest purge.

Elliptic’s accounting of the total lifetime revenue of the biggest online black markets.Courtesy of Elliptic

Xinbi Guarantee didn't respond to multiple requests for comment on Elliptic's findings that WIRED sent to the market's administrators on Telegram.

Like Huione Guarantee, Xinbi Guarantee has offered a similar “guarantee” model of enabling third-party vendors to offer services by requiring a deposit from them to prevent fraud. Yet it's flown under the radar, even as it grew into one of the biggest hubs for crypto crime on the internet. In terms of scale of transactions prior to Telegram’s crackdown, it was second only to Huione's market, according to Elliptic.

Both services “offer a window into the China-based underground banking network,” Robinson says. “It's another example of these huge Chinese-language ‘guaranteed’ marketplaces that have thrived for years.”

On Xinbi Guarantee, Elliptic found numerous posts from vendors offering to accept funds related to “quick kills,” “slow kills,” and “pig butchering” transactions, all different terms for crypto investment scams and other forms of fraud. In some cases, Robinson explains, these Xinbi Guarantee vendors offer bank accounts in the same country as the victim so that they can receive whatever payment they're tricked into making, then pay the scammer in the cryptocurrency Tether. In other cases, the Xinbi Guarantee merchants offer to receive cryptocurrency payments and cash them out in the scammer's local currency, such as Chinese renminbi.

Aside from Xinbi Guarantee's central use as a cash-out point for crypto scammers, Elliptic also found that the market's vendors offered other wares for scammers such as stolen data that could be used for finding victims, as well as services for registering SIM cards and Starlink internet subscriptions through proxies.

North Korean state-sponsored cybercriminals also appear to have used the platform for money laundering. Elliptic found through blockchain analysis, for instance, that about $220,000 stolen from the Indian cryptocurrency exchange WazirX—the victim of a $235 million theft in July 2024, widely attributed to North Korean hackers—had flowed into Xinbi Guarantee in a series of transactions in November.

Those money-laundering and scam-enabling services, however, are far from the only shady offerings found on Xinbi Guarantee's market. Elliptic also found listings for surrogate mothers and egg donors, with one post showing faceless pictures of the donor's body. Other accounts have offered services that will, for a payment in Tether, place a funeral wreath at a target's door, deface their home with graffiti, post damaging statements around their home, have someone verbally threaten them, throw feces at them, or even, most bizarrely, surround their home with AIDS patients. One posting suggested these AIDS patients would carry “case reports and needles for intimidation."

Other listings have offered sex workers as young as 18 years old, noting the specific sex acts that are allowed and forbidden. Elliptic says that one of its researchers was even offered a 14-year-old by a Xinbi Guarantee merchant. (The account holder noted, however, that no transaction for sex with someone below the age of 18 would be guaranteed by Xinbi. The legal age of consent in China is 14.)

Exactly why Xinbi Guarantee is legally registered in the US remains a mystery. Its incorporation record on the Colorado Secretary of State's website shows an address at an office park in the city of Aurora that has no external Xinbi branding. The company appears to have been registered there in August of 2022 by someone named “Mohd Shahrulnizam Bin Abd Manap.” (WIRED connected that name with several people in Malaysia but couldn't determine which one might be Xinbi Guarantee's registrant.) The listing is currently marked as “delinquent,” perhaps due to failure to file more recent paperwork to renew it.

For fledgling Chinese companies—legitimate and illegitimate—incorporating in the US is an increasingly common tactic for “projecting legitimacy,” says Jacob Sims, a visiting fellow at Harvard's Asia Center who focuses on transnational Chinese crime. “If you have a US presence, you can also open US bank accounts,” Sims says. “You could potentially hire staff in the US. You could in theory have more formalized connections to US entities.” But he notes that the registration's delinquent status may mean Xinbi Guarantee tried to make some sort of inroads in the US in the past but gave up.

While Telegram has served as the chief means of communication for the two markets, the stablecoin cryptocurrency Tether has served as their primary means of payment, Elliptic found. And despite Telegram’s new round of removals of their channels and accounts, Xinbi Guarantee and Huione Guarantee are far from the only companies to use Tether and Telegram to create essentially a new, largely Chinese-language darknet: Elliptic is tracking close to 30 similar marketplaces, Robinson says, though he declined to name others in the midst of the company's investigations.

Just as Telegram shows new signs of cracking down on that sprawling black market, Tether, too, has the ability to disrupt criminal use of its services. Unlike other more decentralized cryptocurrencies such as Bitcoin, Tether can freeze payments when it identifies bad actors. Yet it’s not clear to what degree Tether has taken measures to stop Chinese-language crypto scammers and others on Xinbi Guarantee and Huione Guarantee from using its currency.

When WIRED wrote to Tether to ask about its role in those black markets, the company responded in a statement that it encourages “firms like Elliptic and other blockchain intelligence providers to share critical data with law enforcement so we can act swiftly and in coordination.”

“We are not passive observers—we are active players in the global fight against financial crime,” the Tether statement continued. “If you’re considering using Tether for illicit purposes, think again: it is the most traceable asset in existence. We will identify you, and we will work to ensure you are brought to justice.”

Despite that promise—and Telegram’s new effort to remove Huione Guarantee and Xinbi Guarantee from its platform—both tools have already been used to facilitate tens of billions of dollars in theft and other black market deals, much of it occurring in plain sight. The two largely illegal and very public markets have been “remarkable for both the scale at which they're operating and also the brazenness,” says Harvard’s Jacob Sims.

Given that brazenness and the massive criminal fortunes at stake, expect both markets to attempt a revival in some form—and plenty of competitors to try to take their place atop the Chinese-language crypto crime economy.

An $8.4 Billion Chinese Hub for Crypto Crime Is Incorporated in Colorado

As AI-driven fraud becomes increasingly common, more people feel the need to verify every interaction they have online.

These days, when Nicole Yelland receives a meeting request from someone she doesn’t already know, she conducts a multistep background check before deciding whether to accept. Yelland, who works in public relations for a Detroit-based nonprofit, says she’ll run the person’s information through Spokeo, a personal data aggregator that she pays a monthly subscription fee to use. If the contact claims to speak Spanish, Yelland says, she will casually test their ability to understand and translate trickier phrases. If something doesn’t quite seem right, she’ll ask the person to join a Microsoft Teams call—with their camera on.

If Yelland sounds paranoid, that’s because she is. In January, before she started her current nonprofit role, Yelland says, she got roped into an elaborate scam targeting job seekers. “Now, I do the whole verification rigamarole any time someone reaches out to me,” she tells WIRED.

Digital imposter scams aren’t new; messaging platforms, social media sites, and dating apps have long been rife with fakery. In a time when remote work and distributed teams have become commonplace, professional communications channels are no longer safe, either. The same artificial intelligence tools that tech companies promise will boost worker productivity are also making it easier for criminals and fraudsters to construct fake personas in seconds.

On LinkedIn, it can be hard to distinguish a slightly touched-up headshot of a real person from a too-polished, AI-generated facsimile. Deepfake videos are getting so good that longtime email scammers are pivoting to impersonating people on live video calls. According to the US Federal Trade Commission, reports of job and employment related scams nearly tripled from 2020 to 2024, and actual losses from those scams have increased from $90 million to $500 million.

Yelland says the scammers that approached her back in January were impersonating a real company, one with a legitimate product. The “hiring manager” she corresponded with over email also seemed legit, even sharing a slide deck outlining the responsibilities of the role they were advertising. But during the first video interview, Yelland says, the scammers refused to turn their cameras on during a Microsoft Teams meeting and made unusual requests for detailed personal information, including her driver’s license number. Realizing she’d been duped, Yelland slammed her laptop shut.

These kinds of schemes have become so widespread that AI startups have emerged promising to detect other AI-enabled deepfakes, including GetReal Labs and Reality Defender. OpenAI CEO Sam Altman also runs an identity-verification startup called Tools for Humanity, which makes eye-scanning devices that capture a person’s biometric data, create a unique identifier for their identity, and store that information on the blockchain. The whole idea behind it is proving “personhood,” or that someone is a real human. (Lots of people working on blockchain technology say that blockchain is the solution for identity verification.)

But some corporate professionals are turning instead to old-fashioned social engineering techniques to verify every fishy-seeming interaction they have. Welcome to the Age of Paranoia, when someone might ask you to send them an email while you’re mid-conversation on the phone, slide into your Instagram DMs to ensure the LinkedIn message you sent was really from you, or request you text a selfie with a time stamp, proving you are who you claim to be. Some colleagues say they even share code words with each other, so they have a way to ensure they’re not being misled if an encounter feels off.

“What’s funny is, the lo-fi approach works,” says Daniel Goldman, a blockchain software engineer and former startup founder. Goldman says he began changing his own behavior after he heard a prominent figure in the crypto world had been convincingly deepfaked on a video call. “It put the fear of god in me,” he says. Afterward, he warned his family and friends that even if they hear what they believe is his voice or see him on a video call asking for something concrete—like money or an internet password—they should hang up and email him first before doing anything.

Ken Schumacher, founder of the recruitment verification service Ropes, says he’s worked with hiring managers who ask job candidates rapid-fire questions about the city where they claim to live on their résumé, such as their favorite coffee shops and places to hang out. If the applicant is actually based in that geographic region, Schumacher says, they should be able to respond quickly with accurate details.

Another verification tactic some people use, Schumacher says, is what he calls the “phone camera trick.” If someone suspects the person they’re talking to over video chat is being deceitful, they can ask them to hold up their phone camera to show their laptop. The idea is to verify whether the individual may be running deepfake technology on their computer, obscuring their true identity or surroundings. But it’s safe to say this approach can also be off-putting: Honest job candidates may be hesitant to show off the inside of their homes or offices, or worry a hiring manager is trying to learn details about their personal lives.

“Everyone is on edge and wary of each other now,” Schumacher says.

While turning yourself into a human captcha may be a fairly effective approach to operational security, even the most paranoid admit these checks create an atmosphere of distrust before two parties have even had the chance to really connect. They can also be a huge time suck. “I feel like something’s gotta give,” Yelland says. “I’m wasting so much time at work just trying to figure out if people are real.”

Jessica Eise, an assistant professor studying climate change and social behavior at Indiana University Bloomington, says her research team has been forced to essentially become digital forensics experts due to the amount of fraudsters who respond to ads for paid virtual surveys. (Scammers aren’t as interested in the unpaid surveys, unsurprisingly.) For one of her research projects, which is federally funded, all of the online participants have to be over the age of 18 and living in the US.

“My team would check time stamps for when participants answered emails, and if the timing was suspicious, we could guess they might be in a different time zone,” Eise says. “Then we’d look for other clues we came to recognize, like certain formats of email address or incoherent demographic data.”

Eise says the amount of time her team spent screening people was “exorbitant” and that they’ve now shrunk the size of the cohort for each study and have turned to “snowball sampling,” or recruiting people they know personally to join their studies. The researchers are also handing out more physical flyers to solicit participants in person. “We care a lot about making sure that our data has integrity, that we’re studying who we say we’re trying to study,” she says. “I don’t think there’s an easy solution to this.”

Barring any widespread technical solution, a little common sense can go a long way in spotting bad actors. Yelland shared with me the slide deck that she received as part of the fake job pitch. At first glance, it seemed legit, but when she looked at it again, a few details stood out. The job promised to pay substantially more than the average salary for a similar role in her location and offered unlimited vacation time, generous paid parental leave, and fully covered health care benefits. In today’s job environment, that might have been the biggest tipoff of all that it was a scam.

_Update 5/12/2025, 6:34 PM ET: This article was updated to clarify the nature of a federally funded research project._

Deepfakes, Scams, and the Age of Paranoia

Plus: A DOGE operative’s laptop reportedly gets infected with malware, Grok AI is used to “undress” women on X, a school software company’s ransomware nightmare returns, and more.

A United States Customs and Border Protection request for information this week revealed the agency’s plans to find vendors that can supply face recognition technology for capturing data on everyone entering the US in a vehicle like a car or van, not just the people sitting in the front seat. And a CBP spokesperson later told WIRED that the agency also has plans to expand its real-time face recognition capabilities at the border to detect people exiting the US as well—a focus that may be tied to the Trump administration’s push to get undocumented people to “self-deport” and leave the US.

WIRED also shed light this week on a recent CBP memo that rescinded a number of internal policies designed to protect vulnerable people—including pregnant women, infants, the elderly, and people with serious medical conditions—while in the agency’s custody. Signed by acting commissioner Pete Flores, the order eliminates four Biden-era policies.

Meanwhile, as the ripple effects of “SignalGate” continue, the communication app TeleMessage suspended “all services” pending an investigation after former US national security adviser Mike Waltz inadvertently called attention to the app, which subsequently suffered data breaches in recent days. Analysis of TeleMessage Signal’s source code this week appeared to show that the app sends users’ message logs in plaintext, undermining the security and privacy guarantees the service promised. After data stolen in one of the TeleMessage hacks indicated that CBP agents might be users of the app, CBP confirmed its use to WIRED, saying that the agency has “disabled TeleMessage as a precautionary measure.”

A WIRED investigation found that US director of national intelligence Tulsi Gabbard reused a weak password for years on multiple accounts. And researchers warn that an open source tool known as “easyjson” could be an exposure for the US government and US companies, because it has ties to the Russian social network VK, whose CEO has been sanctioned.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ICE’s Deportation Airline Hack Reveals Man “Disappeared” to El Salvador**

Hackers this week revealed they had breached GlobalX, one of the airlines that has come to be known as “ICE Air” thanks to its use by the Trump administration to deport hundreds of migrants. The data they leaked from the airline includes detailed flight manifests for those deportation flights—including, in at least one case, the travel records of a man whose own family had considered him “disappeared” by immigration authorities and whose whereabouts the US government had refused to divulge.

On Monday, reporters at 404 Media said that hackers had provided them with a trove of data taken from GlobalX after breaching the company’s network and defacing its website. “Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a message the hackers posted to the site read. That stolen data, it turns out, included detailed passenger lists for GlobalX’s deportation flights—including the flight to El Salvador of Ricardo Prada Vásquez, a Venezuelan man whose whereabouts had become a mystery to even his own family as they sought answers from the US government. US authorities had previously declined to tell his family or reporters where he had been sent—only that he had been deported—and his name was even excluded from a list of deportees leaked to CBS News. (The Department of Homeland Security later stated in a post to X that Prada was in El Salvador—but only after a New York Times story about his disappearance.)

The fact that his name was, in fact, included all along on a GlobalX flight manifest highlights just how opaque the Trump administration’s deportation process remains. According to immigrant advocates who spoke with 404 Media, it even raises questions about whether the government itself had deportation records as comprehensive as the airline whose planes it chartered. “There are so many levels at which this concerns me. One is they clearly did not take enough care in this to even make sure they had the right lists of who they were removing, and who they were not sending to a prison that is a black hole in El Salvador,” Michelle Brané, executive director of immigrant rights group Together and Free, told 404 Media. “They weren't even keeping accurate records of who they were sending there.”

**The Computer of a DOGE Staffer With Sensitive Access Reportedly Infected With Malware**

Elon Musk’s so-called Department of Governmental Efficiency has raised alarms not just due to its often reckless cuts to federal programs, but also the agency’s habit of giving young, inexperienced staffers with questionable vetting access to highly sensitive systems. Now security researcher Micah Lee has found that Kyle Schutt, a DOGE staffer who reportedly accessed the financial system of the Federal Emergency Management Agency, appears to have had infostealer malware on one of his computers. Lee discovered that four dumps of user data stolen by that kind of password-stealing malware included Schutt’s passwords and usernames. It’s far from clear when Schutt’s credentials were stolen, for what machine, or whether the malware would have posed any threat to any government agency’s systems, but the incident nonetheless highlights the potential risks posed by DOGE staffers’ unprecedented access.

**Grok AI Will “Undress” Women in Public on X**

Elon Musk has long marketed his AI tool Grok as a more freewheeling, less restricted alternative to other large language models and AI image generators. Now X users are testing the limits of Grok’s few safeguards by replying to images of women on the platform and asking Grok to “undress” them. While the tool doesn’t allow the generation of nude images, 404 Media and Bellingcat have found that it repeatedly responded to users’ “undress” prompts with pictures of women in lingerie or bikinis, posted publicly to the site. In one case, Grok apologized to a woman who complained about the practice, but the feature has yet to be disabled.

**A Hacked School Software Company Paid a Ransom—but Schools Are Still Being Extorted**

This week in don’t-trust-ransomware-gangs news: Schools in North Carolina and Canada warned that they’ve received extortion threats from hackers who had obtained students’ personal information. The likely source of that sensitive data? A ransomware breach last December of PowerSchool, one of the world’s biggest education software firms, according to NBC News. PowerSchool paid a ransom at the time, but the data stolen from the company nonetheless appears to be the same info now being used in the current extortion attempts. “We sincerely regret these developments—it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool told NBC News in a statement. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

**A Notorious Deepfake Porn Site Shuts Down After Its Creator Is Outed**

Since its creation in 2018, MrDeepFakes.com grew into perhaps the world’s most infamous repository of nonconsensual pornography created with AI mimicry tools. Now it’s offline after the site’s creator was identified as a Canadian pharmacist in an investigation by CBC, Bellingcat, and the Danish news outlets Politiken and Tjekdet. The site’s pseudonymous administrator, who went by DPFKS on its forums and created at least 150 of its porn videos himself, left a trail of clues in email addresses and passwords found on breached sites that eventually led to the Yelp and Airbnb accounts of Ontario pharmacist David Do. After reporters approached Do with evidence that he was DPFKS, MrDeepFakes.com went offline. “A critical service provider has terminated service permanently. Data loss has made it impossible to continue operation,” reads a message on its homepage. “We will not be relaunching.”

ICE’s Deportation Airline Hack Reveals Man ‘Disappeared’ to El Salvador

A CBP spokesperson tells WIRED that the agency plans to expand its program for real-time face recognition at the border, potentially aiding Trump administration efforts to track people who self-deport.

United States Customs and Border Protection plans to log every person leaving the country by vehicle by taking photos at border crossings of every passenger and matching their faces to their passports, visas, or travel documents, WIRED has learned.

The escalated documentation of travelers could be used to track how many people are self-deporting, or leave the US voluntarily, which the Trump administration is fervently encouraging to people in the country illegally.

CBP exclusively tells WIRED, in response to an inquiry to the agency, that it plans to mirror the current program it’s developing—photographing every person entering the US and match their faces with their travel documents—to the outbound lanes going to Canada and Mexico. The agency currently does not have a system that monitors people leaving the country by vehicle.

“Although we are still working on how we would handle outbound vehicle lanes, we will ultimately expand to this area,” CBP spokesperson Jessica Turner tells WIRED.

Turner could not provide a timeline on when CBP would begin monitoring people leaving the country by vehicle.

She tells WIRED that CBP currently matches photos of people coming into the country with “all documented photos, i.e., passports, visas, green cards, etc,” and adds that all “alien/non-US citizens encounter photos taken at border crossing” are stored by CBP. “The encounter photos can be used for subsequent crossings to verify identity,” Turner says. She did not specify whether CBP may integrate additional photos or data sources in the future.

When asked, Turner says it’s not currently evident that a purpose of the outbound face-matching system would be tracking self-deporations. “Not to say it won't happen in the future, though, with the way self-deportation is going,” Turner says. She later adds that the goal of an outbound system would be to “biometrically confirm departure from the US.” This differs from the purpose of tracking people coming into the US, she says, which also considers the “purpose and intent” of entering the country.

WIRED reported this week that CBP recently asked tech companies to send pitches on how they would ensure every single person entering the country by vehicle, including people two or three rows back, would be instantly photographed and matched with their travel documents. CBP has struggled to do this on its own. The results of a 152-day test of this system, which took place at the Anzalduas border crossing between Mexico and Texas, showed that the cameras captured photos of everyone in the car that met “validation requirements” for face-matching just 61 percent of the time.

Currently, neither CBP nor Immigration and Customs Enforcement have any publicly known tools for tracking self-deportations, aside from an ICE app that allows people to tell the agency when they leave the country.

Last month, ICE announced that it is paying the software company Palantir $30 million to build a tool called ImmigrationOS that would give the agency “near real-time visibility” on people self-deporting from the US, with the goal of having accurate numbers on how many people are doing so, according to a contract justification published a few days later.

When asked, CBP would not confirm or deny whether its monitoring of outbound vehicles would or could be integrated with ImmigrationOS. “CBP does not use Palantir Technologies,” Turner says. (CBP has paid for Palantir services three times, with the last payment in 2013.)

ICE has not specified where Palantir would get the data to power the ImmigrationOS. However, the agency notes that Palantir could create ImmigrationOS by configuring the case management system that the company has provided to ICE since 2014.

This case management system integrates all of the information ICE may have about a person from investigative records or government databases, according to a government privacy assessment published in 2016. At the time of the assessment, it stored information about people’s physical attributes—like hair and eye color, height and weight, and any scars or tattoos—as well as any "location-related data” from “covert tracking devices” and any data from license plate readers, which can provide a detailed travel history.

DHS noted in a 2024 report that CBP has struggled to get biometric data from people leaving the country over land—meaning, people traveling via "cars, trains, buses, bicycles, trucks, and on foot.” The report says that CBP wants to create a “biometric-based departure program” to monitor when people considered aliens leave the country, which DHS notes is required under US law.

The Trump administration is strongly encouraging self-deportation. In March, the Department of Homeland Security revoked the legal status of more than half a million people from Cuba, Haiti, Nicaragua, and Venezuela who were given temporary parole to stay in the US due to instability in their home countries. A judge temporarily blocked the move, but the government is challenging this in court.

In April, the Social Security Administration listed more than 6,000 of these people who had temporary parole as dead, as a way of effectively ending their financial lives in the US. DHS also sent emails to an unknown number of people claiming that their legal parole had been revoked and demanding them to self-deport. Then, this week, the Trump administration offered to pay people in the country illegally $1,000 for a plane ticket to self-deport.

_Updated 2:25 pm ET, May 9, 2025: Added additional details provided by CBP._

US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car

CBP’s acting commissioner has rescinded four Biden-era policies that aimed to protect vulnerable people in the agency’s custody, including mothers, infants, and the elderly.

US Customs and Border Protection (CBP) has quietly rescinded several internal policies that were designed to protect some of the most vulnerable people in its custody—including pregnant women, infants, the elderly, and people with serious medical conditions.

The decision, outlined in a memo dated May 5 and signed by acting commissioner Pete Flores, eliminates four Biden-era policies enacted over the last three years. These policies were intended to address CBP’s long-standing failures to provide adequate care for detainees who are most at risk—failures that have, in some cases, proved fatal.

The May 5 memo was distributed internally to top agency leadership but was not announced publicly.

CBP justified the rollback by stating in the memo–titled Rescission of Legacy Policies Related to Care and Custody–that the policies were “obsolete” and “misaligned” with the agency’s current enforcement priorities.

Together, the now rescinded policies laid out standards for detainees with heightened medical needs—requiring, for instance, access to water and food for pregnant people, ensuring privacy for breastfeeding mothers, and mandating diapers and unexpired formula be stocked in holding facilities. They also instructed agents to process at-risk individuals as quickly as possible to limit time in custody.

“It's appalling and it's just an extension of the culture of cruelty that the administration is trying to perpetrate,” says Sarah Mehta, deputy director of government affairs for the ACLU’s Equality Division. Rescinding the policies, she says, “is a damning statement about the way that this administration thinks and cares about people with young children.”

CBP did not immediately respond to WIRED’s request for comment.

One of the world’s largest law enforcement agencies, CBP is primarily responsible for apprehending and detaining individuals who cross the US border without authorization. While Immigration and Customs Enforcement (ICE) oversees longer-term detention and deportation proceedings, CBP handles the earliest stages of custody, when migrants are held and processed in short-term facilities that have repeatedly drawn criticism for poor medical care and overcrowding

In January the Senate Judiciary Committee issued a damning report revealing dysfunction in CBP's medical operations. The investigation revealed chronic understaffing, improper use of medical record systems, and vague or nonexistent guidance for treating children, pregnant individuals, and others with complex medical needs.

The report was prompted by the death of 8-year-old Anadith Danay Reyes Álvarez, who died in May 2023 at a CBP facility in Harlingen, Texas. The Panamanian girl, who had a known history of heart problems and sickle cell anemia, reportedly pleaded for help along with her mother. Both were ignored. She died in custody, her final hours spent in a facility whose staff were unequipped—and seemingly unwilling—to provide critical care.

“Just last week in letters to the Trump administration, I raised serious concerns about transparency, accountability, and the humane treatment of detained individuals, particularly in light of repeated reports of detainee mistreatment and inadequate medical care,” US senator Dick Durbin, chairman of the Senate Judiciary Committee, tells WIRED. “Instead of taking actions to course-correct, the Trump administration rescinded several internal policies aimed at protecting some of the most vulnerable individuals in CBP custody—including pregnant women, children, the elderly, and those with serious medical conditions. This is unacceptable. We are a nation of values, and these values should be represented in the care of vulnerable people in our government’s custody.”

Policy reversals have come to define the Trump administration's immigration tactics, from attempts to revoke the status of 500,000 immigrants from Cuba, Haiti, Nicaragua, and Venezuela living legally in the US to purging student visas. In January, a day after President Donald Trump's inauguration, the Department of Homeland security reversed a Biden-era policy that forbade ICE and CBP officers from arresting people in "protected areas," including schools, places of worship, and hospitals.

As the number of people held in ICE detention has climbed–reaching roughly 47,928 in April, according to the Transactional Records Access Clearinghouse–apprehensions at the southern US border have fallen sharply, dropping to levels not seen in decades.

CBP says that its personnel will continue to follow broader standards under the National Standards on Transport, Escort, Detention, and Search (TEDS), and remain bound by the Flores agreement, which requires that children be given safe and sanitary quarters. The Trump administration has previously argued that the original settlement does not require that children be allowed to sleep or wash themselves with soap.

US Customs and Border Protection Quietly Revokes Protections for Pregnant Women and Infants

CBP says it has “disabled” its use of TeleMessage following reports that the app, which has not cleared the US government’s risk assessment program, was hacked.

The United States Customs and Border Protection agency confirmed on Wednesday that it uses at least one communication app made by the service TeleMessage, which creates clones of popular apps like Signal and WhatsApp with the addition of an archiving mechanism for compliance with records-retention rules.

“Following the detection of a cyber incident, CBP immediately disabled TeleMessage as a precautionary measure,” CBP spokesperson Rhonda Lawson tells WIRED. “The investigation into the scope of the breach is ongoing.”

President Donald Trump's now former national security adviser Mike Waltz was photographed last week using TeleMessage Signal during a cabinet meeting, and the photo seemed to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US director of national intelligence Tulsi Gabbard, and what appears to be US secretary of state Marco Rubio.

In the days since the photo was published, TeleMessage has reportedly suffered a series of breaches that illustrate concerning security flaws. Analysis of the app's Android source code also appears to indicate fundamental flaws in the service's security scheme. As these findings emerged, TeleMessage—an Israeli company that completed an acquisition last year by the US-based company Smarsh—imposed a service pause on its products pending investigation.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement on Monday. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

WIRED contacted CBP about its potential use of the software after some data stolen from TeleMessage in one of the recent breaches indicated that CBP was potentially a customer.

US senator Ron Wyden called for the Department of Justice to investigate TeleMessage in a letter on Tuesday, alleging that the service is “a serious threat to US national security.” TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP. In his letter, Wyden referenced that “several federal agencies” use TeleMessage, asserting that the company “sold dangerously insecure communications software to the White House and other federal agencies.”

There is still no complete public accounting of US government officials and agencies that have used the software.

Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage

In the wake of SignalGate, a knockoff version of Signal used by a high-ranking member of the Trump administration was hacked. Today on Uncanny Valley, we discuss the platforms used for government communications.

All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.

When former national security adviser Mike Waltz had a picture taken of him last week, he didn’t expect for the whole world to see that he was using TeleMessage, a messaging app similar to Signal. Now the app has been hacked, with portions of data linked to government entities like Customs and Border Protection (CBP) and companies like Coinbase. Today on the show, we’re joined by WIRED senior writer Lily Hay Newman to discuss what this incident tells us about the growing vulnerabilities in government communications.

Articles mentioned in this episode:  
**Mike Waltz Has Somehow Gotten Even Worse at Using Signal**, by Lily Hay Newman  
**The Signal Clone the Trump Admin Uses Was Hacked** , by Joseph Cox and Micah Lee  
**The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats**, by Lily Hay Newman

You can follow Zoë Schiffer on Bluesky at @zoeschiffer and Lily Hay Newman on Bluesky at @lhn. Write to us at uncannyvalley@wired.com.

**How to Listen**

You can always listen to this week's podcast through the audio player on this page, but if you want to subscribe for free to get every episode, here’s how:

If you're on an iPhone or iPad, open the app called Podcasts, or just tap this link. You can also download an app like Overcast or Pocket Casts and search for “Uncanny Valley.” We’re on Spotify too.

**Transcript**

_Note: This is an automated transcript, which may contain errors._

**Zoë Schiffer:** Hi, this is Zoë. Before we start, I want to take the chance to remind you that we want to hear from you. If you have tech-related questions that have been on your mind or a topic that you wish we'd cover, write to us at uncannyvalley@WIRED.com. And if you listen to and enjoy the show, please rate it and leave a review on your podcast app of choice. It really honestly makes a difference. Welcome to WIRED's _Uncanny Valley_. I'm WIRED's director of business and industry, Zoë Schiffer. Today on the show, the hacking scandal surrounding TeleMessage, the knockoff version of Signal, which is used by at least one high-ranking member of the Trump administration. The app has temporarily suspended its services while it investigates the incident. We're going to talk about how former national security adviser Mike Waltz was seen last week using the app in a cabinet meeting and what this latest incident tells us about the growing vulnerabilities in government communication. I'm joined by Lily Hay Newman, senior writer at WIRED. Lily, welcome to the show.

**Lily Hay Newman:** It's a pleasure to be here.

**Zoë Schiffer:** What exactly is TeleMessage?

**Lily Hay Newman:** Yeah. So TeleMessage is a company that's been around since the late ’90s. It was founded in Israel, and it creates apps that are sort of mirror images or clones of existing communication apps, and then adds in an archiving feature. So this is especially perhaps wanted for apps that are securing communications, such that it's difficult to retain copies of the messages. So if you need copies for compliance or you need a record, the idea is that these services are giving the same functionality as apps you know, like WhatsApp or Telegram or Signal, but with the addition of these archiving features.

**Zoë Schiffer:** And that's important, obviously, for people who work in government because, technically, members of the press and other people are supposed to be allowed to access a lot of the communications that aren't classified by submitting Freedom of Information Act requests. And you can't do that if the messages are disappearing.

**Lily Hay Newman:** Correct. There are record retention laws in the US and other countries for transparency and information requests, as you said. But historically, the way governments and other institutions have complied with that is by using communication platforms that are built for the purpose of government communications, tailor-built to be in compliance in a number of ways. So all of this is coming up because now the Trump administration in recent months has been sort of departing from the standard ways that officials in the US have communicated to use consumer platforms, particularly the secure messaging platform Signal, to talk to each other, but doing so in a very ad hoc consumer way like in the same way that you and I would set up a Signal conversation. That's what they've been doing, and that's where you get into this whole question of how do you comply with records requirements. How do you comply with safety requirements when you're just kind of using off-the-shelf tech in a regular way? And so that's where TeleMessage comes in.

**Zoë Schiffer:** Well, it seems like one of the people, as we mentioned earlier, who was using TeleMessage was Mike Waltz, the now former national security adviser, who at this point is best known for starting that infamous Signal group chat a few weeks back that accidentally added a senior member of The Atlantic Newsroom. How did we find out that he was using TeleMessage in the first place?

**Lily Hay Newman:** So his screen, the screen of his phone, was sort of inadvertently captured in a photo of a cabinet meeting, a Reuters photo, that Mike Waltz was participating in, was sitting at the table with Trump and a number of officials. The photo is a bit funny because it seems like he thinks no one can see him using his phone, or he is kind of checking his phone. I mean, we've all been there, looking under the conference table at our phone. But additionally, his screen shows what appears to be Signal. So we're really going, zooming in deep into this photo, right. We're looking over his shoulder at his phone. Now we're seeing this notification. And then in the notification, instead of the normal words that would be there, people noticed that the Signal … where it would normally say Signal, was being referred to as TM Signal. And that's how people realized that, actually, he was using this other app called TeleMessage.

**Zoë Schiffer:** Got it. Yeah. Nothing makes me love reporters more than the absolute psychotic behavior of zooming in on a tiny little phone screen to be like, “What exactly is going on here?” But kudos to 404 Media, because I think they were the first ones to point that out. You wrote in a recent WIRED article that Mike Waltz has inexplicably gotten even worse at using Signal. So, I guess what did you mean by that? How is he getting worse at using this end-to-end encrypted app?

**Lily Hay Newman:** This whole revelation about his use of TM Signal is building on this previous situation called Signal Gate. Mike Waltz was the person who inadvertently added Jeffrey Goldberg, the top editor of The Atlantic, to the chat. And so already Mike Waltz was not having a great track record, and then disappearing messages were on the whole time. And so, one of the many criticisms was that this was not in compliance with government record-retention laws. So we don't know this, but presumably then he started using TM Signal as a solution to that aspect of the issues raised. But I just want to be clear. We don't know. It could be that they were already using it, or he was already using TM Signal at the time. I'm not sure. But one might suspect that hearing some of this criticism, he was like, “OK, let me find a solution that does retain records and does have an archiving feature.” And that's where TeleMessage would come in.

**Zoë Schiffer:** So the national security advisoer sets up this group chat, presumably not in compliance, then switches to one that looks like it might be in compliance, and then that version is promptly hacked. Do we know at this point who is behind the hacking?

**Lily Hay Newman:** More and more is coming out about potential hacks of TeleMessage or sort of ability to intercept messages and see messages in memory. First, 404 Media and Micah Lee published a piece with an unnamed hacker providing evidence that they could breach TeleMessage. And then, on Monday, NBC News published an additional report with an additional unnamed hacker. So clearly there's a lot of insecurity here. And the criticism of TM Signal from this company, TeleMessage, is that it claims to have all the same security features as real Signal and to sort of preserve that, and just add on this archiving feature. But, definitionally, adding in the archiving feature breaks Signal security. The way signal is designed and other end-to-end encrypted apps like WhatsApp, when you add in this other party, it's virtually impossible that the security guarantees could be preserved. And then, on top of that, it seems like from source code review that's starting to come out, and research that's starting to happen, and analysis into TM Signal, that actually it's just not constructed in a very secure way at all. So, just a lot of layers to get to the point, which is that this was a wildly insecure app for Mike Waltz to be using, sitting at a table with the top cabinet members and the president of the United States. It's wild.

**Zoë Schiffer:** We're going to get into what exactly was accessed in this hack. But before we do that, we're going to take a short break.

\[_break_\]

**Zoë Schiffer:** We are back. So let's get into what exactly was accessed when it looks like multiple hackers were able to break into TM Signal, which was being used by at least one member of the Trump administration.

**Lily Hay Newman:** So far, these researchers, what they've shown is that some messages, sometimes at least, are being sent to the archiving server in plain text, meaning they are readable. That's precisely what a platform like genuine Signal is trying to avoid. And so that's what's happening. So these were sort of fragments or pieces or whole messages, but not whole conversations, things like that, so far. One thing that 404 Media reported on from these leaks was evidence that US Customs and Border Patrol agents have been using TM Signal. It's not totally clear what's going on with this. WIRED reached out to CBP. We've been trying to get clarification on what this leaked data means. There seem to be confirmed CBP phone numbers associated with these accounts that came out of this breach. CBP has told WIRED just that they're looking into it. But that's an example that is really concerning, it would potentially show that this app is in wider use across other agencies in the US government.

**Zoë Schiffer:** Is there a national security concern with the fact that this app was developed in Israel, regardless of the fact that it was acquired by a US company recently?

**Lily Hay Newman:** The thing is, even without getting into any specific geopolitics, the point of the protocols that exist for the US government to use its own purpose-built communication platforms is that any and all foreign governments conduct espionage. The US does it. Everyone does it. So, for your most sacred and sensitive national communication, you want to do that on a platform that you completely control, that you have built and vetted yourself, and just all parameters are controlled by you. You don't want to involve any other parties. So Israeli espionage groups are known for being very aggressive, very innovative, very cunning. So, for that reason, particularly, perhaps it's a concern that TeleMessage was founded in the country and has those ties. But just in general, regardless of what country it is, I think it's important conceptually to understand that it doesn't make sense to use the app in this way.

**Zoë Schiffer:** After this reporting came out, TeleMessage has paused or stopped its services. What's the status of the company right now?

**Lily Hay Newman:** Right. So clearly, they have concerns, and their parent company, Smarsh, has concerns about these findings as well. They say that they are investigating a potential breach and have employed a third-party firm to help them with that. And they've taken down all the content from the TeleMessage website and paused TeleMessage operations, essentially. So they say it's a pause and pending the investigation, but a pretty big reaction here to these findings.

**Zoë Schiffer:** That's a good place to end it. When we come back, we'll share our recommendations for what to check out on WIRED.com this week. Welcome back to _Uncanny Valley_. I'm Zoë Schiffer, WIRED's director of business and industry. I'm joined today by WIRED senior writer Lily Hay Newman. Before we take off, Lily, tell our listeners what they absolutely have to read on WIRED this week.

**Lily Hay Newman:** I'm just fascinated by this story by our colleague Caroline Haskins. US border agents are asking for help taking photos of everyone entering the country by car. And this is, we're just continuing our CBP discussions for today. CBP has apparently released a request for information seeking pitches, essentially for companies to help them do vehicle surveillance at the border and face recognition technology to see specifically who is in cars, not just the front seat. And I think it's really important for all of us to be aware of the extensive and expansive surveillance dragnet at the US border and all different types of US border crossings. The southern border of the US has long been known as sort of like a forefront of surveillance technology. And so it's dark, but interesting to hear that CBP feels like they don't yet have what they need to do this type of analysis and face recognition in cars, but that they want it, and they're trying to expand the analysis they can do on who is in every car.

**Zoë Schiffer:** Right. And it'll be interesting to see which company gets this contract. OK. Well, I wanted to flag a piece that we published yesterday by Paresh Dave and Kylie Robison. It's about OpenAI announcing that it is not, in fact, going to restructure its company to make the nonprofit arm not in control. In other words, the nonprofit arm is going to remain in control of the company. And this is a reversal of a prior announcement where it said it was going to become a public benefit corporation, likely to make fundraising easier. But after the plan was announced, the company got a ton of pushback from a variety of civic organizations and also Elon Musk, who was involved in the founding of the company before an acrimonious split in 2018. These groups don't usually agree on a lot, but they agreed on this, that becoming a for-profit company was in violation of OpenAI's founding mission. So we have a lot of good reporting on how people are taking this news and what it means for the future of the company. That's our show for today. We'll link to all the stories we spoke about in the show notes. Make sure to check out Thursday's episode of _Uncanny Valley_, which is about Trump's meme coin saga and the conflict of interest that come with it. Adriana Tapia produced this episode. Amar Lal at Macro Sound mixed this episode. Jordan Bell is our executive producer. Condé Nast's head of global audio is Chris Bannon. And Katie Drummond is WIRED's global editorial director.

The Trump Administration Sure Is Having Trouble Keeping Its Comms Private

A new analysis of TM Signal’s source code appears to show that the app sends users’ message logs in plaintext. At least one top Trump administration official used the app.

The communication app TeleMessage Signal, used by at least one top Trump administration official to archive messages, has already reportedly suffered breaches that illustrate concerning security flaws and resulted in its parent company imposing a service pause this week pending investigation. Now, according to detailed new findings from the journalist and security researcher Micah Lee, TM Signal's archiving feature appears to fundamentally undermine Signal's flagship security guarantees, sending messages between the app and a user's message archive without end-to-end encryption, thus making users' communications accessible to TeleMessage.

Lee conducted a detailed analysis of TM Signal's Android source code to assess the app's design and security. In collaboration with 404 Media, he had previously reported on a hack of TM Signal over the weekend, which revealed some user messages and other data—a clear sign that at least some data was being sent unencrypted, or as plaintext, at least some of the time within the service. This alone would seem to contradict TeleMessage's marketing claims that TM Signal offers “End-to-End encryption from the mobile phone through to the corporate archive.” But Lee says that his latest findings show that TM Signal is not end-to-end encrypted and that the company could access the contents of users' chats.

“The fact that there are plaintext logs confirms my hypothesis,” Lee tells WIRED. “The fact that the archive server was so trivial for someone to hack, and that TM Signal had such an incredible lack of basic security, that was worse than I expected.”

TeleMessage is an Israeli company that completed its acquisition last year by the US-based digital communications archiving company Smarsh. TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP.

Smarsh did not return WIRED's requests for comment about Lee's findings. The company said on Monday, “TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation.”

Lee's findings are likely significant for all TeleMessage users but have particular significance given that TM Signal was used by President Donald Trump's now-former national security adviser Mike Waltz. He was photographed last week using the service during a cabinet meeting, and the photo appeared to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US Director of National Intelligence Tulsi Gabbard, and what appears to be US Secretary of State Marco Rubio. TM Signal is compatible with Signal and would expose messages sent in a chat with someone using TM Signal, whether all participants are using it or some are using the genuine Signal app.

Lee found that TM Signal is designed to save Signal communication data in a local database on a user's device and then send this to an archive server for long-term retention. The messages, he says, are sent directly to the archive server, seemingly as plaintext chat logs in the cases examined by Lee. Conducting the analysis, he says, “confirmed the archive server has access to plaintext chat logs.”

Data taken from the TeleMessage archive server in the hack included chat logs, usernames and plaintext passwords, and even private encryption keys.

In a letter on Tuesday, US senator Ron Wyden called for the Department of Justice to investigate TeleMessage, alleging that it is “a serious threat to US national security.”

“The government agencies that have adopted TeleMessage Archiver have chosen the worst possible option,” Wyden wrote. “They have given their users something that looks and feels like Signal, the most widely trusted secure communications app. But instead, senior government officials have been provided with a shoddy Signal knockoff that poses a number of serious security and counterintelligence threats. The security threat posed by TeleMessage Archiver is not theoretical.”

The Signal Clone Mike Waltz Was Caught Using Has Direct Access to User Chats

Now the US director of national intelligence, Gabbard failed to follow basic cybersecurity practices on several of her personal accounts, leaked records reviewed by WIRED reveal.

Tulsi Gabbard, the director of national intelligence, used the same easily cracked password for different online accounts over a period of years, according to leaked records reviewed by WIRED. Following her participation in a Signal group chat in which sensitive details of a military operation were unwittingly shared with a journalist, the revelation raises further questions about the security practices of the US spy chief.

WIRED reviewed Gabbard's passwords using databases of material leaked online created by the open-source intelligence firms District 4 Labs and Constella Intelligence. Gabbard served in Congress from 2013 to 2021, during which time she sat on the Armed Services Committee, its Subcommittee on Intelligence and Special Operations, and the Foreign Affairs Committee, giving her access to sensitive information. Material from breaches shows that during a portion of this period, she used the same password across multiple email addresses and online accounts, in contravention of well-established best practices for online security. (There is no indication that she used the password on government accounts.)

Two collections of breached records published in 2017 (but breached at some previous unknown date), known as “combolists,” reveal a password that was used for an email account associated with her personal website; that same password, according to a combolist published in 2019, was used with her Gmail account. That same password was used, according to records dating to 2012, for Dropbox and LinkedIn accounts associated with the email address tied to her personal website. According to records dating to 2018 breaches, she also used it on a MyFitnessPal account associated with a me.com email address and an account at HauteLook, a now-defunct ecommerce site then owned by Nordstrom.

Records of these breaches have been available online for years and are accessible in commercial databases.

The password associated with all of the accounts in question includes the word “shraddha,” which appears to have personal significance to Gabbard: Earlier this year, The Wall Street Journal reported that she had been initiated into the Science of Identity Foundation, an offshoot of the Hare Krishna movement into which she was reportedly born and which former members have accused of being a cult. Several former adherents told The Journal that they believe Gabbard received the name “Shraddha Dasi” when she was allegedly received into the group. Gabbard’s deputy chief of staff, Alexa Henning, responded to questions from The Journal at the time by posting them on X and accusing the news media of publicizing “Hinduphobic smears and other lies.”

“The data breaches you’re referring to occurred almost 10 years ago, and the passwords have changed multiple times since,” wrote Olivia Coleman, a Gabbard spokesperson, in response to questions from WIRED. “As our deputy chief of staff has already made clear on a number of occasions, the DNI has never and doesn’t have affiliation with that organization. Attempting to smear the DNI as being in a cult is bigoted behavior.“

“Your bigoted lies and smears of a cabinet member and your story fomenting hinduphobia is noted,” wrote Henning in response to a follow-up question about the probability of Gabbard’s password containing the same name she was reportedly received into Science of Identity Foundation with, given her denials that she has ever been affiliated with the group. “This was well litigated during her confirmation hearing so congrats on being about 6 months late to this story. Great job.”

Science of Identity did not respond to a request for comment.

Security experts advise people to never use the same password on different accounts precisely because people often do so. If a password for one account is revealed in a breach, hackers will often attempt to use it to access other accounts controlled by the same person. Reusing passwords is especially dangerous with email, because a compromised email account can be used to reset credentials for other accounts or systems.

The Cybersecurity Infrastructure and Security Agency, the top US government authority on digital security, advises members of the public to use a password manager to generate a different password of at least 16 characters, consisting of random strings of mixed-case numbers, letters, and symbols or at least four unrelated words, for every account they use.

As director of national intelligence, Gabbard oversees the 18 organizations comprising the US intelligence community, including the Central Intelligence Agency and the National Security Agency, and their budget of roughly $100 billion. By statute, she is the principal adviser to the president and the National Security Council on intelligence matters relating to national security, and so is charged with maintaining the security of much of the most sensitive information in the government. The Democratic National Committee, citing a 2019 statement that Syrian dictator Bashar al-Assad was “not the enemy of the United States,” news reports on the support she has enjoyed from Russian state media, and her ties to “conspiracy theorists,” has characterized Gabbard as a “direct threat to our national security.”

Gabbard addressed these criticisms during her Senate confirmation hearings in January.

“Those who oppose my nomination imply that I am loyal to something or someone other than God, my own conscience, and the constitution of the United States, accusing me of being Trump’s puppet, Putin’s puppet, Assad’s puppet, a guru’s puppet, Modi’s puppet, not recognizing the absurdity of simultaneously being the puppet of five different puppet masters,” she said. “The fact is, what truly unsettles my political opponents is I refuse to be their puppet.”

Source

Wired