The longtime cybersecurity professional says she’s taking the helm of the legacy security organization at “an inflection point” for tech and the world beyond.

Jen Easterly, a longtime public- and private-sector cybersecurity practitioner who led the US Cybersecurity and Infrastructure Security Agency for more than three years, has been appointed CEO of RSAC Conference, known as RSAC.

The organization puts on the prominent annual gathering of cybersecurity experts, vendors, and researchers that started in 1991 as a small cryptography event hosted by the corporate security giant RSA. RSAC is now a separate company with events and initiatives throughout the year, but its conference in San Francisco is still its flagship offering with tens of thousands of attendees each spring.

“The conference is the crown jewel, but now we are also a year-round global membership entity for cyber professionals,” Easterly tells WIRED. “We are internationalizing more deeply and I’m excited to expand the innovation sandbox, the early stage expo and startup ecosystem, and that’s really about supporting the next generation of AI-driven cyber companies and secure by design innovators to produce high-quality software. In many ways we are living through an inflection point.”

Easterly’s appointment as CEO certainly comes at a moment of great transition for the cybersecurity industry. AI tools are beginning to enhance the capabilities of both attackers and defenders, and security experts have a crucial role to play in securing AI platforms themselves along with the infrastructure supporting the services. At the same time, the Trump administration’s stark alterations to US foreign and domestic policy seem poised to alter private-sector cybersecurity and public-private partnerships in North America and around the world.

Easterly emphasizes that she is a lifelong independent and that cybersecurity crosses all administrations and borders. She had multiple deployments in the US Army, worked for the National Security Agency, helped establish US Cyber Command within the Department of Defense, and spent nearly five years in charge of Morgan Stanley’s global cybersecurity, all before joining CISA in 2021.

Trust building and collaboration have been some of the most important priorities of her career. But the Trump administration did not ask her to stay on at CISA during the transition at the end of 2024, and President Donald Trump has extensively criticized the election integrity work CISA had been doing under her leadership and that of her predecessor, Chris Krebs. Separately, in July, the Army directed the Military Academy at West Point to rescind an employment offer it had made to Easterly to become the Robert F. McDermott Distinguished Chair of the academy’s Department of Social Sciences.

“I don’t approach this leadership opportunity at RSAC through the lens of fear and speculation, I approach it with the same relentless optimism and belief in the power of community that’s been at the center of my service, public and private,” Easterly says. “Cybersecurity is not a political endeavor, RSAC is certainly not a political organization, and I am not a political person. I am a lifelong independent.”

Easterly says that RSAC Conference will continue to welcome insights and collaboration from officials of all governments as part of its efforts to facilitate community building and collaboration in cybersecurity. And she says that there is “magic” that can happen when the security community has supportive forums to come together.

“Security and resilience are issues that affect every country, every industry, every citizen,” she adds. “And RSAC’s strength is that it brings together operators and technologists and innovators and researchers and policymakers across administrations and across borders precisely because it is grounded in expertise and mission, not in politics.”

_Updated 9 am ET, January 15, 2026: Clarified that RSA Conference LLC's flagship event has now been rebranded as RSAC Conference._

Former CISA Director Jen Easterly Will Lead RSAC Conference

Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.

Flaws in how 17 models of headphones and speakers use Google’s one-tap Fast Pair Bluetooth protocol have left devices open to eavesdroppers and stalkers.

Photo-Illustration: WIRED Staff/Getty Images

Google designed the wireless protocol known as Fast Pair to optimize for ultra-convenient connections: It lets users connect their Bluetooth gadgets with Android and ChromeOS devices in a single tap. Now one group of researchers has discovered that the same protocol can also enable hackers to connect with that same seamless convenience to hundreds of millions of earbuds, headphones, and speakers. The result is an enormous collection of Fast Pair-compatible audio devices that allow any spy or stalker to take control of speakers and microphones, or in some cases track an unwitting target’s location—even if the victim is an iPhone user who has never owned a Google product.

Today, security researchers at Belgium’s KU Leuven University Computer Security and Industrial Cryptography group are revealing a collection of vulnerabilities they found in 17 audio accessories that use Google’s Fast Pair protocol and are sold by 10 different companies: Sony, Jabra, JBL, Marshall, Xiaomi, Nothing, OnePlus, Soundcore, Logitech, and Google itself. The hacking techniques the researchers demonstrated, which they’re collectively calling WhisperPair, would allow anyone within Bluetooth range of those devices—close to 50 feet in their testing—to silently pair with audio peripherals and hijack them.

Depending on the accessory, a hacker could take over or disrupt audio streams or phone conversations, play their own audio through the victim’s ear buds or speakers at whatever volume they chose, or undetectably take over microphones to listen to the victim’s surroundings. Worse yet, certain devices sold by Google and Sony that are compatible with Google’s device geolocation tracking feature, Find Hub, could also be exploited to allow stealthy, high-resolution stalking.

“You’re walking down the street with your headphones on, you're listening to some music. In less than 15 seconds, we can hijack your device,” says KU Leuven researcher Sayon Duttagupta. “Which means that I can turn on the microphone and listen to your ambient sound. I can inject audio. I can track your location.”

“The attacker now owns this device,” adds researcher Nikola Antonijević, “and can basically do whatever he wants with it.”

The researchers demonstrate their hacking and tracking techniques in the video below:

Google today published a security advisory in coordination with the researchers, acknowledging their findings and describing its efforts to fix the problem. Since the researchers first disclosed their work to the company in August, they say, Google appears to have alerted at least some of the vendors of vulnerable devices, many of whom have made security updates available. However, given that very few consumers ever think about updating the software of internet-of-things devices like headphones, earbuds, or speakers, the KU Leuven researchers warn that the WhisperPair vulnerabilities may still persist in vulnerable accessories for months or years to come.

In most cases, applying those updates requires installing a manufacturer app on a phone or computer—a step most users never take and often aren’t even aware is necessary. “If you don't have the app of Sony, then you'll never know that there's a software update for your Sony headphones,” says KU Leuven researcher Seppe Wyns. “And then you’ll still be vulnerable.”

When WIRED reached out to Google, a spokesperson responded in a statement thanking the researchers and confirming their WhisperPair findings. “We worked with these researchers to fix these vulnerabilities, and we have not seen evidence of any exploitation outside of this report’s lab setting,” the spokesperson writes. “We are constantly evaluating and enhancing Fast Pair and Find Hub security.”

Google also noted that it’s pushed out fixes for its own vulnerable audio accessories and an update to Find Hub in Android that the company says prevents rogue actors from using WhisperPair to track victims. Within hours of Google informing the researchers about that fix, however, they told WIRED that they had found a bypass for the patch and were still able to carry out their Find Hub tracking technique. Google didn't immediately respond to WIRED's request for comment on the researchers' bypass of its patch.

As for Google’s statement that it hadn’t seen exploitation of the WhisperPair vulnerability in the wild, the researchers note that Google would have no way to observe audio accessory hijacking that didn’t involve Google devices.

WIRED also reached out to all nine other companies whose accessories the KU Leuven researchers determined to be vulnerable. Xiaomi responded in a statement that it “has been in communication with Google and other relevant parties and is working with suppliers to roll out \[over-the-air\] updates” to its Redmi brand of earbuds. JBL, which is owned by Harman Audio, said in a statement that “Google has advised JBL about potential security vulnerabilities that could impact devices including headphones and speakers. We have received the security patches from Google and the software will be updated via JBL apps over the next few weeks.”

Jabra responded in a statement that it had pushed out patches for Bluetooth vulnerabilities in the Airoha chipset it uses in its accessories in June and July. Given that the researchers didn’t tell anyone about their findings until August, however, they suggest that Jabra may be confusing their work with unrelated findings from June.

Logitech said it has “integrated a firmware patch for upcoming production units,” and points out that its affected device, the Wonderboom 4 speaker, doesn’t have a microphone that could be used for eavesdropping. OnePlus told WIRED that the company is looking into the issue. Marshall, Nothing, and Sony didn’t respond to WIRED’s request for comment.

The researchers’ WhisperPair attack takes advantage of a collection of flaws in the implementation of Fast Pair in the devices the team checked. Most fundamentally, Google’s specification for Fast Pair devices states that they shouldn’t be able to pair with a new computer or phone while already paired. But for the 17 vulnerable devices, anyone can silently pair with the target device, even if it’s already paired.

Using the Fast Pair vulnerabilities the researchers discovered, an attacker would only need to be in Bluetooth range and obtain a so-called Model ID value that’s specific to the target device model. The researchers note that these Model IDs can be obtained if an attacker owns or purchases a device of the same model as the target’s. They note, too, that in some cases, this ID is shared by the device when a computer or phone attempts to pair with it. And in addition to both of these methods of obtaining the right Model ID for a target device, the researchers also found that they could query a publicly available Google API for every possible Model ID and determine them for all devices.

In their experiments, the KU Leuven team used a low-cost Raspberry Pi 4 minicomputer to test their technique, attempting to pair with 25 different already-paired Fast Pair devices from 16 different vendors, and found that the majority of the devices and vendors they tested were vulnerable. They carried out their pairing techniques from about 14 meters (about 46 feet) from the target—though they think that greater distances would likely be possible—and the takeovers took between 10 and 15 seconds, they say.

The Google Pixel Buds Pro 2 earbuds and five models of Sony earbuds and headphones they tested also suffered from a distinct, disturbing security issue. If the devices weren’t previously linked to a Google account—say, because they were used only with an iPhone—then a hacker could use WhisperPair to not only pair with the target accessory, but also link it to _their_ Google account. Google’s system is designed to identify the first Android device that pairs with the headphones, or other peripherals, as their owner. That trick would allow the hacker to use Google’s Find Hub feature, which tracks the device’s geolocation based on its connections to surrounding devices, and follow the target user’s movements. “That means that I can now see _your_ device in _my_ Find Hub network wherever you go, at all times,” says Duttagupta.

With that tracking technique, the victim might at some point get a smartphone notification that a Find Hub device was tracking them, thanks to safety features designed by Google and Apple to prevent Find Hub devices from being used to follow an unwitting victim. But any victim who followed up on the alert would see that Google or Apple was warning them that it was their own device tracking them and likely assume the alert was just a glitch, the researchers argue.

For all of these issues, there’s no easy change in the settings of accessories that users can make to protect themselves. “There's no way to turn Fast Pair off, even if you'll never use it,” says Wyns. “You can factory-reset your device, and that will clear the attacker’s access, so they will have to do the attack again, but it’s enabled by default on all of the supported devices.”

The WhisperPair vulnerabilities seem to have emerged from a complex and interrelated set of problems. The researchers point out that it is common for both peripherals manufacturers and chipmakers to make mistakes in implementing the Fast Pair technical standard. Not all of these flaws result in security vulnerabilities, but the extent of the confusion raises questions about the strength of the standard, the researchers say.

Google offers a Validator App through the Play Store that vendors have to run as part of getting their products certified to use Fast Pair. According to its description, the app “validates that Fast Pair has been properly implemented on a Bluetooth device,” producing reports on whether a product has passed or failed an evaluation of its Fast Pair implementation. The researchers point out that all of the devices they tested in their work had their Fast Pair implementation certified by Google. That means, presumably, that Google’s app categorized them as passing its requirements, even though their implementations had dangerous flaws. On top of this, certified Fast Pass devices then go through testing in labs Google selects that review pass reports and then directly evaluate physical device samples before large-scale manufacturing to confirm that they align with the Fast Pair standard.

Google says that the Fast Pair specification provided clear requirements and that the Validator App was designed mainly as a supportive tool for manufacturers to test core functionality. Following the KU Leuven researchers’ disclosure, the company says it added new implementation tests specifically geared toward Fast Pair requirements.

Ultimately, the researchers say, it is difficult to determine whether the implementation issues that led to the WhisperPair vulnerabilities came from mistakes on the part of device manufacturers or chipmakers.

WIRED reached out to all the chipmakers who manufacture the chipsets used by the vulnerable audio accessories—Actions, Airoha, Bestechnic, MediaTek, Qualcomm, and Realtek—but none responded. In its comments to WIRED, Xiaomi noted, “We have confirmed internally that the issue you referenced was caused by a non-standard configuration by chip suppliers in relation to the Google Fast Pair protocol.” Airoha is the maker of the chip used in the Redmi Buds 5 Pro that the researchers identified as vulnerable.

Regardless of who is at fault for the WhisperPair vulnerabilities, the researchers emphasize that one conceptually simple change to the Fast Pair specification would address the more fundamental issue behind WhisperPair: Fast Pair should cryptographically enforce the accessory owner’s intended pairings and not allow a secondary, rogue “owner” to pair without authentication.

For now, Google and many device manufacturers have software updates ready to fix the specific vulnerabilities. But installations of those patches are likely to be inconsistent, as it almost always is in internet-of-things security. The researchers urge all users to update their vulnerable accessories, and they point users to a website they created that provides a searchable list of devices affected by WhisperPair. For that matter, they say that everyone should use WhisperPair as a more general reminder to update all of their internet-of-things devices.

The broader message of their research, they say, is that device manufacturers need to prioritize security when adding ease-of-use features. After all, the Bluetooth protocol itself contained none of the vulnerabilities they’ve discovered—only the one-tap protocol Google built on top of it to make pairing more convenient.

“Yes, we want to make our life easier and make our devices function more seamlessly,” says Antonijević. “Convenience doesn’t immediately mean less secure. But in pursuit of convenience, we should not neglect security.”

*   Billion-dollar data centers are taking over the world
    

Andy Greenberg is a senior writer for WIRED covering hacking, cybersecurity, and surveillance. He’s the author of the books _Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency_ and _Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers_. His books ... Read More

Lily Hay Newman is a senior writer at WIRED focused on information security, digital privacy, and hacking. She previously worked as a technology reporter at Slate, and was the staff writer for Future Tense, a publication and partnership between Slate, the New America Foundation, and Arizona State University. Her work ... Read More

Hundreds of Millions of Audio Devices Need a Patch to Prevent Wireless Hacking and Tracking

A major Verizon outage appeared to impact customers across the United States starting around noon ET on Wednesday. Calls to Verizon customers from other carriers may also be impacted.

Customers of the telecom giant Verizon began reporting cellular outages around the United States beginning around noon ET on Wednesday, saying they could not complete calls and did not have access to mobile data. Verizon broadband internet customers are also reporting issues. AT&T and T-Mobile customers also began reporting service outages in the same timeframe, however these reports may be linked to the Verizon outage.

Verizon spokesperson Christina Moon Ashraf told WIRED in a statement, “We are aware of an issue impacting wireless voice and data services for some customers. Our engineers are engaged and are working to identify and solve the issue quickly.”

A T-Mobile spokesperson told WIRED in a statement that its service is “operating normally and as expected” but added that T-Mobile “customers may not be able to reach someone with Verizon service at this time.” An AT&T spokesperson similarly said its network “is operating normally at this time” and added that issues with service are due to a separate carrier.

The outage tracking site DownDetector showed spikes in reports of service disruptions for all three primary US mobile carriers.

Many customers on both iOS and Android devices report that their phones are in SOS mode, meaning that they can only make emergency calls. In practice, though, some reports indicate that the situation may also prevent 911 calls.

Washington, DC’s official emergency alert channel said in a post at 12:57 pm ET that DC’s Office of Unified Communications “is aware of a nationwide Verizon Wireless outage that may be affecting some users to connect with 911. If you have an emergency and cannot connect using your Verizon Wireless device, please connect using a device from another carrier, a landline, or go to a police district or fire station to report the emergency.”

Similar incidents have occurred in the past in which an outage at one carrier appears to involve multiple telecoms, because of collateral impacts when the telecom that is down can’t route calls and data from customers of other providers.

Syed Rafiul Hussain, a mobile network security researcher at Purdue University in Indiana, speculates that the outage may stem from a server configuration issue in Verizon’s core network. “It is unlikely a coordinated attack against the Verizon network,” he told WIRED.

Verizon Outage Knocks Out US Mobile Service, Including Some 911 Calls

Hundreds of records obtained by WIRED show thin intelligence on the Venezuelan gang in the United States, describing fragmented, low-level crime rather than a coordinated terrorist threat.

As the Trump administration publicly cast Venezuela’s Tren de Aragua (TdA) as a unified terrorist force tied to President Nicolás Maduro and operating inside the United States, hundreds of internal US government records obtained by WIRED tell a far less certain story. Intelligence taskings, law-enforcement bulletins, and drug-task-force assessments show that agencies spent much of 2025 struggling to determine whether TdA even functioned as an organized entity in the US at all—let alone as a coordinated national security threat.

While senior administration officials portrayed TdA as a centrally directed terrorist network active across American cities, internal tasking directives and threat assessments repeatedly cite “intelligence gaps” in understanding how the group operated on US soil: Whether it had identifiable leadership, whether its domestic activity reflecting any coordination beyond small local crews, and whether US-based incidents pointed to foreign direction or were simply the work of autonomous, profit-driven criminals.

The documents, marked sensitive and not intended for public disclosure, circulated widely across intelligence offices, law-enforcement agencies, and federal drug task forces throughout the year. Again and again, they flag unresolved questions about TdA’s US footprint, including its size, financing, and weapons access, warning that key estimates—such as the number of members operating in the US—were often inferred or extrapolated by analysts due to a lack of corroborated facts.

Together, the documents show a wide gap between policy-level rhetoric and on-the-ground intelligence at the time. While senior administration officials spoke of “invasion,” “irregular warfare,” and “narco-terrorism,” field-level reporting consistently portrayed Tren de Aragua in the US as a fragmented, profit-driven criminal group, with no indication of centralized command, strategic coordination, or underlying political motive. The criminal activity described is largely opportunistic—if not mundane—ranging from smash-and-grab burglaries and ATM “jackpotting” to delivery-app fraud and low-level narcotics sales.

In a March 2025 proclamation invoking the Alien Enemies Act, President Donald Trump claimed the gang had “thousands” of members who had “unlawfully infiltrated the United States” and were “conducting irregular warfare and undertaking hostile actions.” He claimed the group was “aligned with, and indeed has infiltrated, the Maduro regime,” warning that Venezuela had become a “hybrid criminal state” invading the US.

At the same time, however, an internal Border Patrol assessment obtained by WIRED shows officials could not substantiate those claims, relying instead on interview-based estimates rather than confirmed detections of gang members entering the US.

In a Fox News interview the same month, US attorney general Pam Bondi called TdA “a foreign arm of the Venezuelan government,” claiming its members “are organized. They have a command structure. And they have invaded our country.” Weeks later, in a Justice Department press release announcing terrorism and drug-distribution charges against a TdA suspect, Bondi insisted it “is not a street gang—it is a highly structured terrorist organization that put down roots in our country during the prior administration.”

Documents show that inside the intelligence community, the picture appeared far less settled. Although TdA’s classification as a foreign terrorist organization—following a February 2025 State Department designation—immediately reshaped policy, internal correspondence shows the group remained poorly understood even by senior counterterrorism officials, including those at the National Counterterrorism Center. Unresolved questions about TdA—alongside newly designated drug cartel entities in Mexico—ultimately prompted intelligence managers to issue a nationwide tasking order, directing analysts to urgently address the US government’s broad “knowledge gaps.”

The directive, issued May 2, 2025, underscores the breadth of these intelligence gaps, citing unresolved questions about whether the entities had access to weapons beyond small arms, relied on bulk-cash shipments, cryptocurrencies, or mobile payment apps, or were supported by corrupt officials or state-linked facilitators overseas.

In a statement, a spokesperson for Director of National Intelligence Tulsi Gabbard attributed the shortfall to competing priorities, telling WIRED that the “Intelligence Community was unable to devote collection resources towards TdA” prior to the Trump administration giving it the “terrorist” label. “This is where the ‘knowledge gaps’ stem from.”

The tasking order makes clear those uncertainties extended beyond TdA’s past activity to its potential response under pressure. Issued by national intelligence managers overseeing counterterrorism, cyber, narcotics, and transnational crime, it flagged a lack of insight into how TdA and several Mexican cartels might adapt their operations or shift tactics in response to intensified US enforcement.

Similar limits surface in records from White House-run interagency task forces known as HIDTA (High Intensity Drug Trafficking Areas), which show counter-narcotics officials, too, were working with a materially limited understanding of TdA’s activities. In a July 2025 bulletin, a Northern California task force acknowledged that available intelligence failed “to meet the Department of Justice definition of a drug trafficking organization,” adding that TdA subsets “appear to operate independently of each other and do not appear to operate as part of a larger coordinated effort.”

TdA members are “not known to have assigned roles,” the report notes, adding that “leadership formation has not yet been identified.”

Additional HIDTA reporting likewise fails to identify a sprawling narco-terror enterprise publicly described by senior officials. A “2026 Threat Assessment” covering North Texas and Oklahoma identifies Mexican cartels as the dominant narcotics threat, while characterizing TdA activity as “street level.” That assessment drew on survey responses from dozens of law enforcement agencies and was compiled by a task force that included police chiefs, sheriffs, US attorneys, district attorneys, and senior officials from the FBI, DEA, DHS, and Secret Service, among others.

Assessments by Customs and Border Protection broke sharply from broader law enforcement perspectives. Beginning in mid-March, CBP began producing its own intelligence products, quickly ascribing TdA with both the “capability and intent” to carry out attacks inside the United States; ranking it among the “most capable” foreign terrorist groups, listing it above Hezbollah and Iran’s Revolutionary Guard Corps, while also acknowledging it had no knowledge of any “specific or credible threat.”

CBP and the Department of Homeland Security did not respond to questions or requests for comment.

Just before April, CBP unveiled a much longer “sensitive but unclassified” assessment. The report describes TdA as a growing national security concern, citing its exploitation of US-bound migration and a range of criminal activity from money laundering, to extortion, to human smuggling. The report, which drew from across border enforcement, intelligence offices, and the FBI’s own gang intelligence center, warned readers on its interagency network that its findings relied on “analytical judgments that are not fact, knowledge, or proof,” adding that it might not always distinguish in print between assumption and fact.

The same report acknowledges significant uncertainty about TdA membership figures, identifying markers, and whether US-based subsets coordinate or respond to centralized leadership. In a section titled “Intelligence Gaps,” the agency outlines unresolved issues, including the movement of criminal proceeds and where the network might seek to expand in the US. Those uncertainties culminated in a question that, publicly, the White House claimed to have already answered: “Are US-based TdA members operating under the direction of foreign-based leadership?”

The following month, a classified National Intelligence Council assessment, first reported by The Washington Post, found no evidence that TdA was directed by the Venezuelan government. When asked about the findings, the Office of the Director of National Intelligence dismissed the assessment—representing the consensus view of most US intelligence agencies—as the work of “deep state actors” acting in conjunction with the media.

Elsewhere, the CBP report undercuts assertions that the government had a clear picture of TdA’s footprint in the US. It notes that it was “difficult for US law enforcement and the intelligence community to ascertain the exact number” of TdA members due to a “lack of determinate indicators” and the “adoption of the TdA name by unaffiliated groups and persons.” Ultimately, those limitations became justification for bending statistics to support the administration’s framing of a US-based terrorist threat numbering in the “thousands.”

Over a 22-month period, CBP’s own detection methods identified no more than 83 known TdA members at the border. To reach a much larger figure, the record shows analysts relied on a “sample set of interviews,” extrapolating that “upwards of 3,000” TdA members must have crossed the border during that same period—an estimate based on the assumption that roughly “one-half of one percent” of all Venezuelan migrants who entered the US through the southwest border had ties to TdA.

The same assumption underlies the report’s treatment of Venezuelan asylum communities, which it frames as potential risk environments shaped by “sanctuary city” policies and jurisdictions the agency views as “weak” on enforcement.

In remarks Tuesday, Trump leaned into the same framing, accusing Democratic-led cities of giving gangs room to operate. Speaking in Detroit, he said that, starting on February 1, the federal government would seek to economically punish cities and states that limit cooperation with the federal government, pledging to cut off “any payments to sanctuary cities or states having sanctuary cities,” which he accused of doing “everything possible to protect criminals.”

The speech came as federal enforcement operations have expanded into hostile occupations of major US cities—deployments and mass arrests that have swept up citizens as well as immigrants, prompting protests and legal challenges from states and municipalities.

Trump singled out Venezuela in particular. “I was so angry with Venezuela,” he said. “They emptied their prisons, almost entirely emptied their prisons, into the United States.”

At the FBI, TdA’s terrorism designation sat uneasily alongside the bureau’s own prior analysis. In internal assessments before the 2024 election, the FBI described TdA as an unsophisticated compared to traditional “South American theft groups,” finding its members favored “opportunistic,” often “spontaneous” crimes, with a focus on retail theft from big-box stores and exploiting other Venezuelan and South American migrants. While the bureau consistently warned of TdA’s propensity for violence, it failed to find any coordination among members inside the US or note any evidence of complex, preplanned operations.

In 2025, FBI field-level reporting appears to have remained focused on conventional crimes, including passing references to human, weapons, and narcotics trafficking with little accompanying detail. In April, a joint situation report filed by Alabama and Tennessee field offices linked TdA to a “retail theft crew” suspected of smash-and-grab burglaries at Walmart jewelry counters in the region. While the report notes similar incidents nationwide—with losses estimated at roughly $1.2 million—it implicates only a single “confirmed” Tren de Aragua member, and makes no reference to any national-security-level threat.

The reports sit alongside public statements from FBI director Kash Patel, who, also in April, described TdA publicly as “a direct threat to our national security,” vowing to eliminate what he called a “violent terrorist organization.” Inside the bureau, records show, its Terrorism Screening Center responded by convening a “Tren de Aragua Interagency Working Group” to coordinate watch listing changes. A distribution list obtained by WIRED shows an April 2025 meeting drew participants from numerous DHS and Justice Department components, both State and Treasury, and elements of the intelligence community and military, alongside dozens of state and local agencies and fusion centers.

Reached for comment, the FBI declined to respond to questions about differences between its internal reporting and how TdA was characterized publicly by leadership. It did not acknowledge the existence of any terrorist threat, saying only that it remains steadfast in its “commitment to working with our local, state, and federal partners to combat violent gang activity in our communities, including illegal acts carried out by the Venezuelan criminal gang, Tren de Aragua.”

Similar low-level depictions of TdA activity appear in regional drug-task-force reporting. A June 2025 Northern California threat assessment noted that TdA “did not appear to be directly involved in drug trafficking,” similarly linking the group instead primarily to organized retail theft, alongside suspected involvement in “at least two shootings.” A separate assessment covering North Texas and Oklahoma alleged a connection between TdA and Walmart’s delivery app, Spark, citing suspected identity theft used to “exploit the delivery driver profession to facilitate financial fraud.”

CBP issued a similar warning the following month citing an unattributed law enforcement report, alleging TdA members had been exploiting food delivery and rideshare platforms as a source of income and a means to allegedly facilitate routine criminal activity.

According to the bulletin, TdA members—including some with “direct ties to TdA leadership”—used services such as Uber, DoorDash, and Grubhub by renting or sharing accounts obtained through personal networks or online forums. One individual, “a known TdA member and Uber driver,” it claims, “frequently delivers food and drugs to individuals living in a migrant shelter.” Others were said to be using malicious software to “steal high-fee delivery orders from other drivers.”

Walmart, Uber, GrubHub, and DoorDash did not immediately respond to requests for comment.

The document mirrors myriad other reports of sporadic crimes being loosely attributed to the group using vague attribution and low-confidence language. In August, a law-enforcement bulletin on ATM “jackpotting,” circulated by the Texas Financial Crimes Intelligence Center, warned that suspects involved in ATM malware attacks “may be associated” with TdA.

In a separate August bulletin, the New York Police Department’s Intelligence & Counterterrorism Bureau warned partners that TdA members might be attempting to infiltrate the local music scene. People “allegedly affiliated with TdA have hosted parties involving DJs,” officials said, adding that the gatherings “may be” an effort “to potentially further engage in, or promote criminal activity.”

In written responses to WIRED, the Office of the Director of National Intelligence invoked America’s war in Afghanistan to explain the framework it applies to Venezuela, pointing to a conflict that stretched two decades, consumed trillions of dollars, and saw tens of thousands of civilians and security personnel killed, in addition to nearly 2,500 US service members. Just as it found no evidence to support the claim that Maduro’s government was directing TdA, the office added, “The Taliban was never assessed to be directing al-Qaeda’s attacks.”

Trump Warned of a Tren de Aragua ‘Invasion.’ US Intel Told a Different Story

A contract justification published in a federal register on Tuesday says that 31 ICE vehicles operating in the Twin Cities area “lack the necessary emergency lights and sirens” to be “compliant.”

More than two dozen Immigration and Customs Enforcement vehicles on the ground in the Minneapolis-St. Paul area “currently lack the necessary emergency lights and sirens” required to be “compliant with law enforcement requirements,” according to a contract justification published in a federal register on Tuesday.

The document justifies ICE paying Whelen Engineering Company, a Connecticut-based firm specializing in “emergency warning and lighting technology,” $47,330.49 for 31 “ATLAS1” kits—seemingly a typo of ATLAS, the name of the product sold by Whelen—which the company’s website describes as an “Adaptable Travel Light and Siren Kit.” The document explains that the ATLAS kits would “allow vehicles to be immediately operational and compliant with law enforcement requirements to support the current surge operation” out of Homeland Security Investigations (HSI)’s St. Paul office, which conducts operations in Minnesota, North Dakota, and South Dakota.

“These vehicles were deployed prior to being permanently retrofitted and currently lack the necessary emergency lights and sirens required for operational use,” the document says.

The document also says that because of the “the time-sensitive nature of the mission” that HSI agents are conducting, having to wait for “permanent retrofitting” of the agency’s vehicles with lights and sirens “would negatively impact operational readiness, law enforcement officer safety, and public safety.”

HSI’s most recent public handbook for agents conducting “emergency driving”—defined as driving during “official duties,” like low- or high-risk pursuits, that may require breaking speed limits or violating certain traffic laws—appears to have been published in 2012. It says that any HSI vehicles without lights and sirens “may not be used” in emergency driving, unless the officer “is conducting surveillance or is responding to an event that may adversely impact or threaten life, health, or property or requires an immediate law enforcement response.”

The handbook adds that if an HSI officer is emergency driving but their vehicle does not have lights or sirens, they “must terminate” their participation in a law enforcement operation, and an officer from another law enforcement agency that does have lights and sirens should take over. This HSI officer ”may continue to assist in a backup role, if necessary.”

The handbook does not specify the exact number or location of lights that have to be on an emergency vehicle, but it says that officers are responsible for reviewing any state statutes for emergency lights and sirens where they operate. Minnesota state law requires law enforcement and emergency drivers to “sound an audible signal by siren” and have at least one red light on the front of the vehicle, among other stipulations.

When reached for comment, Department of Homeland Security spokesperson Tricia McLaughlin told WIRED that ICE vehicles “meet federal regulations for law enforcement.”

“DHS is not going to confirm our vehicles and put an even larger target on our officers’ backs,” McLaughlin said. She also claimed that officers “clearly identify themselves as law enforcement while wearing masks to protect themselves from being targeted by highly sophisticated gangs.”

According to Whelen’s website, the ATLAS kit includes several items that are also sold separately by the company, including lightheads and lightbars, as well as a siren amplifier and speaker. The kit comes in a portable case resembling a wheeled suitcase, and it includes a small device with a microphone and buttons for controlling the other items in the kit. Whelen describes ATLAS as being “designed for quick installation” on any vehicle, regardless of make or model, and ideal for “on-the-go law enforcement.”

The listing comes six days after ICE officer Jonathan Ross fatally shot 37-year-old Renee Nicole Good in her car in Minneapolis, sparking massive protests and an influx of right-wing influencers trying to capitalize on the chaos. After DHS secretary Kristi Noem announced that hundreds of additional ICE officers would join the 2,000 already in the Minneapolis area, the state of Minnesota and the cities of Minneapolis and St. Paul filed a federal lawsuit against DHS and its top officials, asking the judge to halt the federal immigration enforcement operation underway in the state.

In sworn testimony that Ross gave in federal court last December, in connection to an incident in which he was injured while attempting to arrest an individual named Roberto Carlos Muñoz-Guatemala for possible deportation, he made several mentions of his unmarked vehicle, which he used to trail Muñoz-Guatemala prior to the incident.

For instance, Ross explained that he drove a “gold Chevy Tahoe,” which he said is a formal "law enforcement vehicle." He said the car was “unmarked” and designed to look like a regular vehicle driven by a civilian, but had lights on the grill, upper visor, and back window, in the side-rear area, and inside the headlights and taillights.

Bernardo Medellin, a special agent for the FBI, also testified last month in the same case that on the day Ross was injured, he was assisting ICE and driving a “bureau-owned” white Nissan Rogue with flashing red and blue police lights on the front grill, top windshield, and rear.

_Updated 12:10 pm ET, January 13, 2026, to amend details regarding Ross’ and Medellin's December testimony._

_Updated 8:22 pm ET, January 13, 2026: Added comment from DHS._

Dozens of ICE Vehicles in Minnesota Lack ‘Necessary’ Lights and Sirens

With federal agents storming the streets of American communities, there’s no single right way to approach this dangerous moment. But there are steps you can take to stay safe—and have an impact.

With federal agents storming the streets of American communities, there's no single right way to approach this dangerous moment. But there are steps you can take to stay safe—and have an impact.

ICE agents stand watch as protestors gather outside the Bishop Henry Whipple Federal Building in Saint Paul, Minnesota, on January 8, 2026.Photograph: OCTAVIO JONES/Getty Images

If federal immigration agents are coming to your area—or have already arrived—you may be frantically making plans to lay low at home, or perhaps grabbing your whistle and lacing up your sneakers to join a neighborhood watch. It’s a terrifying situation for undocumented residents and all American immigrants, and the climate has even become fraught for US citizens too. There are no simple answers for how to protect yourself and others in every scenario, but there are frameworks you can use for weighing your options.

The presence of immigration agents in cities and towns around the country has starkly increased in recent months, and tensions have escalated in step. On Wednesday, a federal agent shot and killed 37-year-old Minneapolis resident and US citizen Renee Nicole Good in her car during an Immigration and Customs Enforcement (ICE) operation. Having already deployed 2,000 agents to Minnesota, DHS reportedly planned this week to send 1,000 more. "There are now more ICE agents in Minnesota than there are combined in Minneapolis police force and St. Paul police force,” Minnesota Senator Amy Klobuchar said on Friday. “So they are outnumbering our own local police officers out on the streets." (Minnesota and Illinois have since filed lawsuits in federal court to end the ICE “invasion” in those states.)

Elsewhere, Customs and Border Protection agents shot two people in a car in Portland, Oregon, on Thursday, hospitalizing both. These tragedies are just the latest in a series of violent incidents involving immigration agents that have escalated since US president Donald Trump took office a year ago with a sweeping anti-immigration agenda. In addition to intense activity in Minneapolis and Portland, ICE and CBP have carried out deportation operations across the US.

“The number of ICE agents has dramatically increased, the sheer presence in people’s communities is larger,” says Jennifer Whitlock, senior policy counsel at the National Immigration Law Center. “And this means that the risk of encountering an ICE officer has really increased for people, even if you’re not in any way attached to immigration.”

**Pause**

Problems have persisted for years with ICE and CBP actions—including arrests and detentions—that accidentally ensnare US citizens and other documented residents. Additionally, the agencies’ operations have a history of aggression and mistreatment in dealing with suspects. Immigration infractions are typically civil, not criminal offenses. Over the last year, though, the Department of Homeland Security’s budget for immigration enforcement has expanded substantially at the same time that public unrest about the activity has grown. The result is a charged climate in which standard interactions can quickly, and dangerously, escalate.

“We’re surging operations because of the dangerous situation we see in this country,” homeland security secretary Kristi Noem said in a press conference on Wednesday. “We should all work together to protect our citizens.”

Many see immigration enforcement’s track record and current activity very differently, though.

“For its entire existence, ICE has been a very violent agency and a very unaccountable agency without a lot of oversight or transparency,” says Nithya Nathan-Pineau, policy attorney and strategist at the Immigrant Legal Resource Center.

She notes that as immigration officers have been involved in more and more violent incidents in recent months, it has become harder than ever to offer simple, definitive advice to people about assessing risk in interactions with federal agents.

Numerous sources told WIRED that their trainings and materials about interacting with federal immigration agents are actively evolving to reflect the current moment. For example, one core point has long been to explain the difference between a judicial warrant signed by a judge that gives law enforcement the right to, say, enter a person’s home versus the administrative warrants that ICE agents often carry that do not give them that right. “Don’t open the door for ICE” is a common refrain. But this type of information, while still accurate, does not fully account for the chaotic intensity of current US immigration enforcement.

“In the past, we would encourage people to exercise your right to protest or record video to document,” the National Immigration Law Center's Whitlock says. “We always talked about risk assessment and how some people are more vulnerable than others, but now it's not just risk of arrest at a protest, it’s risk of physical harm. I don't think we fully anticipated how ICE and CBP would ignore and violate people’s constitutional rights.”

In short, there is some risk inherent in any interaction with federal immigration officials, whether you're a US citizen or not. Even if you aren't willing to expose yourself in that way, though, you can still take action to meaningfully and concretely help people in your community affected by the Trump administration's policies.

**Plan Ahead**

Depending on your situation, you should make a plan in case you end up interacting with immigration enforcement while out and about.

In its online guidance, the nonprofit National Immigrant Justice Center says individuals and communities can create a “safety plan” to help be best prepared in case ICE operatives arrive in the area. Such a plan could involve identifying trusted family members, friends, or colleagues who can act as emergency contacts for people who could be the target of federal immigration actions, or anyone who could come into contact with agents. Memorize their phone numbers and also make sure that your child's school or daycare has emergency contacts on file. If you know you are at specific risk of deportation, you may consider additional steps, too, related to establishing an emergency guardian for children and a power of attorney for yourself.

Given that US citizens are not safe from violence or arrest at the hands of federal immigration agents, immigrants with an established status, visa, or permanent residency are potentially at even higher risk if they participate in community safety efforts or other activities that put them near immigration agents.

In December, DHS vehemently denied to WIRED that its agents engage in racial profiling as part of immigration operations. Multiple sources emphasized to WIRED, though, that nonwhite Americans should consider being extra cautious about proximity to immigration agents. This is particularly true in light of a September 2025 US Supreme Court decision in which Justice Brett Kavanaugh concluded that someone’s apparent ethnicity may be a “relevant factor” that could justify detaining someone during an immigration enforcement action—something now derisively known as a “Kavanaugh stop.”

You should consider taking precautions to protect yourself against potential digital surveillance if you know you are going to be proximal to immigration authorities. CBP and ICE both have digital surveillance capabilities that are increasing all the time. You can’t always anticipate when you might encounter federal agents, of course, but people who could specifically be the target of an immigration enforcement action should consider taking extra digital precautions if they can.

Looking broadly, sources told WIRED that political polarization and rising tensions across the US are key contexts in assessing potential risks.

“It’s no longer Officer Friendly out there,” Whitlock says. “This is not to give any excuse, but I can imagine there is a mindset within the field ICE agents and CBP where they really do think they’re under attack and being threatened. And no one is above the law, but I think it’s important for people to understand that there are going to be limited forms of trying to hold these officers accountable in practice.”

**On the Scene**

If you find yourself witnessing an immigration enforcement action, there are some things to keep in mind if you want to stick around.

“The goal is to be an observer and to document what is happening,” says Nathan-Pineau of the Immigrant Legal Resource Center. “The goal is not to go and try to intervene in the law enforcement action.”

Training materials from Siembra NC, a North Carolina–based grassroots organization working to defend its local communities from exploitation, say that the priority when ICE is present is letting agents know they are being observed and reminding people of their right to remain silent, while deescalating whenever possible and promoting safety. The group advises that if ICE operatives are conducting an arrest or traffic stop, responders should try to approach within their line of sight and identify themselves in the process.

Filming ICE behavior can let agents know they are being watched, potentially creating some accountability for their actions, as well as a digital evidence trail for any legal cases or proceedings that may occur at a later date. When interacting with federal agents as part of a group effort responding to ICE, Siembra NC recommends identifying yourself as a volunteer, and asking agents who they are, what they are doing, and what agency they work for. Then you can state that you will remain present to observe, while also recording any models of vehicles, license plates, and operatives at the scene.

“We always advise people that if the law enforcement officer that you are filming tells you to step back, you should step back and you should say it out loud—‘I’m stepping back, I’m stepping back.’ That way you’re recording that you’re complying with their order,” Nathan-Pineau says.

Multiple sources reiterated that recording federal agents has a dual purpose, because if your own behavior and that of the people around you is appropriate to the situation, this will be captured in your documentation as well as any officer misconduct. The fact remains, though, that peacefully filming interactions can be interpreted as aggressive or escalatory precisely because it is an accountability mechanism.

Proximity is one of the most important risks to assess when on the scene, says Xavier de Janon, director of mass self-defense at the National Lawyers Guild. “The closer people have been to federal agents or property, the more likely they’ve been charged, tackled, or arrested,” he says.

More and more, federal prosecutors are seeking criminal charges against people for allegedly assaulting federal officers, even if the cases ultimately don’t succeed and later get dropped. The NLG recently published a guide on how protesters and observers can assess risks related to the federal assault law.

**Work From Home**

Even if you can’t risk hitting the streets, there are other important ways to contribute to community safety efforts.

Civil liberties groups have been campaigning nationwide to ban real-time surveillance platforms and end lucrative contracts that feed information to ICE. You can contact the offices of your local officials and tell them to cancel surveillance contracts and stop information-sharing and other law enforcement cooperation that fuels ICE operations.

“It's good that local officials in cities targeted by ICE are speaking out and condemning their brutal tactics—but talk is cheap,” says Evan Greer, director of the digital rights activist organization Fight for the Future. “ICE violence is enabled by ICE surveillance, often with help from local police and city-run surveillance systems. If local leaders want to protect their residents from ICE's gestapo tactics, one of the most immediate things they can do is roll back and limit surveillance by canceling contracts with surveillance vendors like Flock and banning the use of facial recognition and other forms of biometric surveillance, either through executive action or city ordinance.”

For those who are not direct targets of the federal immigration crackdown, Kathy O’Leary, a member of the Catholic peace organization New Jersey Pax Christi, recommends listening to neighbors who are directly affected and figuring out what they need. Every week, she and other volunteers go to Delaney Hall Detention Facility in New Jersey to support families who are visiting their loved ones in detention. The volunteers bring chairs and water for the visitors—who are forced to wait outside—and help visitors navigate the rules of the facility.

For example, she said, her group started bringing extra clothing because they realized that visitors were being turned away because of dress code violations. She said it started when a woman who had traveled all the way from Boston to visit her father in detention was turned away because she was wearing ripped jeans. A volunteer realized she was the same size and offered to switch pants.

“That was a serious act of resistance,” O’Leary says. “The system was creating a hurdle to see her father. The system tries to limit contact with families; it’s about stealing people’s hope and trying to break people.”

O’Leary and other volunteers also give out gift cards to grocery stores to visitors, since many families’ breadwinners are the ones in detention. O’Leary says that people who want to figure out how to get involved in their communities can see if they live near a local member of the Detention Watch Network. If there isn’t a member in their state, sometimes groups in neighboring states will know who’s active in their area.

Working with local mutual aid organizations, food pantries, and other humanitarian support groups contributes to overall community strength and safety. And simply contributing to digital ICE watch trackers as you go about your regular activities can give others valuable information.

“It’s about what lever matches your risk tolerance, matches the resources that are available to you,” says Matt Mitchell, CEO of the risk-mitigation firm Safety Sync Group. “Not everyone has the same privileges. Some people want to donate money, some people want to write letters, some people want to read up on what law enforcement and CBP and ICE can and can’t do. Some people want to put their bodies in the space and assemble because that is our right, some people want to document. There are many different levels.”

What to Do If ICE Invades Your Neighborhood

The state of Minnesota, along with the Twin Cities, have sued the US government and several officials to halt the flood of agents carrying out an Immigration and Customs Enforcement operation.

The State of Minnesota and the cities of Minneapolis and St. Paul on Monday filed a sweeping federal lawsuit to halt what they call an unprecedented and unlawful surge of US federal agents in the Twin Cities, arguing that the deployment amounts to a constitutional violation and a direct threat to public safety.

The 80-page complaint, filed in US district court in Minnesota, targets the US Department of Homeland Security and senior federal officials, including DHS secretary Kristi Noem. It asks a judge to immediately block what the federal government calls “Operation Metro Surge,” a large-scale immigration operation that plaintiffs say has sent thousands of armed, masked federal agents into Minnesota communities far from the border, overwhelming local infrastructure and law enforcement.

At a press conference Monday afternoon, Minnesota attorney general Keith Ellison said the lawsuit is intended to stop what he described as an unlawful federal escalation. “This is, in essence, a federal invasion of the Twin Cities and Minnesota, and it must stop.” He accused DHS agents of sowing “chaos and terror” across the metro area through warrantless arrests, excessive force, and enforcement actions at schools, churches, hospitals, and other sensitive locations.

Ellison said the surge has forced school closures and lockdowns, hurt local businesses, and diverted police resources away from routine public safety work. He cited more than 20 ICE-related incidents, including reports of people being pulled into unmarked vehicles by masked agents and vehicles left abandoned in the streets, calling it an “unlawful commandeering of police resources.”

The lawsuit also points to the recent fatal shooting of Minneapolis resident Renee Nicole Good by an ICE agent as a turning point that intensified fear and unrest. Ellison said that the killing, along with subsequent federal rhetoric, left families and entire communities feeling unsafe in public spaces.

Good, 37, was a wife and mother of three. She was fatally shot by an ICE officer during a Minneapolis enforcement operation on January 7. The FBI has assumed sole jurisdiction over the investigation, effectively barring Minnesota authorities from accessing evidence or taking part in the probe, a move state officials say undermines transparency and the integrity of law enforcement in the public eye.

Plaintiffs argue the federal operation violates the Tenth Amendment, federal administrative law, and long-standing limits on immigration enforcement. They also accuse the Trump administration of “retaliatory conduct based on Minnesota’s lawful exercise of its sovereign authority.”

Asked by a reporter from PBS Frontline, who said his crew had been pepper-sprayed by federal agents earlier in the day, whether the litigation sought to curb the use of crowd-control weapons, Ellison urged journalists to file complaints. “Part of what our case is about is First Amendment protection,” he said. “The press is protected by the First Amendment, and it’s vitally important in this moment.”

In a separate lawsuit Monday, the state of Illinois and the city of Chicago sued DHS and senior federal officials, accusing the Trump administration of unleashing a militarized immigration operation that has “rampaged for months through Chicago and surrounding areas, lawlessly stopping, interrogating, and arresting residents, and attacking them with chemical weapons.”

Minnesota Sues to Stop ICE ‘Invasion’

The testimony also calls into question whether Ross failed to follow his training during the incident in which he reportedly shot and killed Minnesota citizen Renee Good.

In testimony last month in federal court in Minnesota, FBI special agent Bernardo Medellin appeared to directly contradict a claim that ICE agent Jonathan Ross made under oath about whether a man they were trying to detain had asked to speak to his attorney.

Medellin’s testimony, which details federal training for interactions with drivers, also calls into question whether Ross followed his training during the interaction that led to the shooting and killing of Renee Nicole Good, a 37-year-old mother, last week. Ross has been identified by multiple media outlets as the shooter; while the Trump administration has declined to confirm those reports, details about the shooter shared by Vice President JD Vance match details of Ross’ biography.

As WIRED previously reported, in December Ross testified that last June he led a team seeking to apprehend a man named Roberto Carlos Muñoz-Guatemala, who had an administrative warrant out for being in the US without authorization. According to his testimony, after following Muñoz-Guatemala in an unmarked car, Ross—who was wearing ranger green and gray and had his badge on his belt—approached the man and asked him to roll down his window and open his door. He then broke the rear driver side window with a special tool and reached into the vehicle. Muñoz-Guatemala accelerated, eventually shaking Ross, who’d fired his Taser at him with the vehicle in motion. Ross testified that he needed 33 stitches due to his injuries; Muñoz-Guatemala was later convicted of assault on a federal officer with a dangerous weapon.

At trial, prosecutors sought to establish that Muñoz-Guatemala understood that Ross was a federal law enforcement officer during their initial interaction. Ross testified that he repeatedly told Muñoz-Guatemala that he was law enforcement in both English and Spanish, and that he had “no concerns” Muñoz-Guatemala didn’t speak English because he replied to Ross in English.

“When you say, ‘replied back in English,’” asked assistant US attorney Raphael Coburn, “what do you mean?”

“He would—he would reply back he wants his attorney, I believe he said,” responded Ross.

During the trial, this became a point of contention because it had not come up during pretrial interviews, and was thus a surprise to both Muñoz-Guatemala’s attorney, Eric Newmark, and to US prosecutors.

“I was, frankly, quite shocked that he said it,” Newmark told district court judge Jeffrey Bryan. “It was not in any of his previous statements, and it's my understanding he never—the government was as surprised as I was that he said it.” Newmark went on to explain that Ross’ claim pertained to whether his client “believed he was talking to law enforcement or someone who was trying to do him harm,” and that he intended to cross-examine Ross on the fact that Muñoz-Guatemala’s purported request for a lawyer had come up neither during an interview Ross gave the FBI nor during pretrial preparation—something neither Bryan nor Coburn, the government lawyer, objected to. Under questioning from Newmark, Ross conceded it was “fair to say” he had not previously made this claim.

The question came up again as Newmark cross-examined Medellin, an FBI special agent who took part in the operation under Ross’ leadership. Medellin testified that Muñoz-Guatemala—whose English he described as limited, and for whom the court provided an interpreter during the two-day trial—had asked Ross repeatedly who he was.

“You never heard Mr. Muñoz-Guatemala ask for an attorney, did you?” asked Newmark.

“No,” said Medellin, who affirmed that he had overheard most or all of the conversation, and said again that he had never heard Muñoz-Guatemala ask for a lawyer.

In response to a WIRED question about his opinion of the credibility of Ross’ testimony, Newmark said: “I'm not commenting about this case as it is still pending, but I think you can tell by my questioning of him and others what I thought about that.”

In response to a request for comment, Department of Homeland Security spokesperson Tricia McLaughlin said, “You’re referring to the case with the child sexual predator?” (Muñoz-Guatemala pleaded guilty in 2023 to criminal sexual conduct with a victim who “was at least 16 but under 18 years of age at the time of the sexual contact,” according to Minnesota court records.) The FBI declined to comment.

Since Good’s killing, experts speaking to outlets like CNN and The Washington Post have raised questions about whether Ross was following his training, as McLaughlin has repeatedly said he was while defending his actions. Further testimony from Medellin raises questions about whether Ross complied specifically with FBI training about interactions with drivers during his confrontations with both Muñoz-Guatemala and Good. This training would have been relevant to Ross, who, Medellin testified, “works as an FBI task force officer in the Minneapolis Field Office.”

“Typically, when we conduct traffic stops, it's in a supportive role. So if a local marked unit or a federal partner is executing a traffic stop, we typically find ourselves near the rear of the vehicle,” Medellin testified. “If we are to have agents near the front of the vehicle or near the driver's side door, passenger side door, we train to place ourselves in a position where we minimize the chance that we will be hit by the vehicle or run over by the vehicle or potentially taken away by the vehicle if it decides to—to leave or flee.”

While agents placing themselves near the front of a vehicle seems to run counter to FBI training, a 2013 independent review of Customs and Border Protection’s use-of-force policies, as well as more than a dozen cases in which shots were fired at vehicles, reportedly found an apparent pattern of Border Patrol agents intentionally staking out ground in front of vehicles to justify the use of deadly force. Of the cases reviewed, the independent agency found that most cases “involved non-violent suspects who posed no threat other than a moving vehicle,” and concluded that “there is little doubt that the safest course for an agent faced with an oncoming vehicle is to get out of the way of the vehicle.”

Ross testified that he was a member of Border Patrol from 2007 to 2015. According to his own sworn testimony in December, Ross has also acted as a firearms instructor for ICE, as well as a member of a Special Response Team—ICE’s version of a SWAT team—and a leader of teams drawn from multiple federal agencies including the FBI.

According to Medellin’s December testimony, the plan, which was originated by Ross as team lead, was to just interview Muñoz-Guatemala; but because Ross exited his vehicle and soon drew his gun, Medellin told the court that he, too, unholstered his weapon to “provide coverage with lethal force.” The incident escalated as soon as Ross approached the vehicle, Medellin testified, because he believed Ross “had seen something that made him very uncomfortable and I wanted to be in a good position to support him.” Ross ultimately approached to break the window and got his arm stuck between the car’s B pillar and the headrest.

Medellin further testified that during the initial stop, his foot had been placed on the driver’s-side tire.

“It's an early indicator, a touch point, so to speak. If—if a vehicle is going to flee or to leave, the tires might turn before the vehicle actually starts moving,” Medellin said. “So if the tires start moving, somebody in that position with their foot up against the tire would feel it immediately.”

Even before the release of first-person footage of the killing of Good showed her turning the wheel of her vehicle away from immigration agents immediately before she was shot, video analyses by The New York Times and The Washington Post showed that her wheels were turning away from, not toward, Ross—who does not appear in any footage to maintain contact between his foot and her tires. In the video footage, Ross appears to stand directly in front of the car, parallel to the car’s hood.

FBI Agent’s Sworn Testimony Contradicts Claims ICE’s Jonathan Ross Made Under Oath

The fundraiser for the ICE agent in the Renee Good killing has stayed online in seeming breach of GoFundMe’s own terms of service, prompting questions about selective enforcement.

The crowdfunding platform GoFundMe is allowing a fundraising campaign tied to the potential legal defense of an Immigration and Customs Enforcement (ICE) agent who fatally shot a civilian to remain online, despite company rules barring fundraisers connected to violent crimes and past enforcement actions against similar campaigns.

The fundraiser, titled “ICE OFFICER Jonathan Ross,” seeks at least $550,000 to support potential legal expenses for the ICE agent identified as having shot and killed Renee Nicole Good, a mother of three and widow of a military veteran, during an encounter with immigration agents in Minneapolis.

The officer was first identified as Jonathan Ross, 43, by the Minnesota Star Tribune.

The GoFundMe campaign’s stated purpose—raising money for legal services following a killing—directly conflicts with GoFundMe’s terms of service, which specifically bars fundraisers that are intended to support the legal defense of people accused of financial or violent crimes.

GoFundMe has not publicly explained why the Ross fundraiser remains active despite its terms of service stating users agree not to “use the Service or Platform to raise funds” for the “the legal defense of financial and violent crimes, including those related to money laundering, murder, robbery, assault, battery, sex crimes or crimes against minors.”

Ross has not been formally charged with any crime. The shooting is being investigated exclusively by the FBI after federal authorities effectively blocked Minnesota investigators from participating, prompting the state attorney general and Hennepin County attorney to launch a parallel effort to collect evidence independently.

In an email, a GoFundMe spokesperson told WIRED on Sunday night that it was in the process of reviewing all fundraisers tied to the shooting. “During the review process, all funds remain safely held by our payment processors,” the spokesperson said. “GoFundMe’s Terms of Service prohibit fundraisers that raise money for the legal defense of anyone formally charged with a violent crime. Any campaigns that violate this policy will be removed.”

The company added that it was working directly with the organizer of the Ross fundraiser to “gather additional information.” The organizer is identified on the site as Clyde Emmons of Mount Forest, Michigan. WIRED could not immediately reach Emmons or confirm his identity.

On Sunday night, Emmons’ fundraiser stated that “funds will go to help pay for any legal services this officer needs.” That language was removed after WIRED’s inquiry and replaced by Monday morning with the phrase, “Funds will go to help him.”

GoFundMe did not respond to multiple follow up requests for comment, including questions as to whether it had advised the organizer to change the description to better comport with its rules.

Despite the changes, several slides in a carousel at the top of the Ross fundraising page—which remain active at time of writing—make the purpose of the fundraising explicitly clear: “Give to cover Jonathan’s legal defense” and “Officer Jonathan Ross’s legal defense fund pays attorney fees and court costs.”

GoFundMe’s inaction contrasts with its handling of earlier cases involving law enforcement officers and civilians killed during encounters with police.

In 2015, GoFundMe removed a Baltimore City Fraternal Order of Police fundraiser for Baltimore police officers charged in the death of Freddie Gray, citing violations of its rules against supporting legal defenses in violent cases. That same year, the platform removed a campaign for a South Carolina officer charged in the fatal shooting of Walter Scott.

Said a company spokeswoman at the time of the Gray fundraiser: “GoFundMe cannot be used to benefit those who are charged with serious violations of the law. The campaign clearly stated that the money raised would be used to assist the officers with their legal fees, which is a direct violation of GoFundMe’s terms."

Good, 37, was gunned down during a January 7 encounter with ICE agents in Minneapolis. Video recorded by bystanders shows Good in a dark red SUV reversing as masked agents approach. One agent, identified in the press as Ross, is shown circling the vehicle with his cell phone raised, then stepping into position almost directly in front of the idling SUV before firing as it moves past him.

The video evidence sharply conflicts with public accounts offered by senior Trump administration officials, including DHS statements describing Good as a “domestic terrorist” who “weaponized” her vehicle, as well as President Donald Trump’s claim that “she ran him over.”

State officials said over the weekend that the Minnesota Bureau of Criminal Apprehension had been cut off from the crime scene and no longer had access to key evidence, including Good’s vehicle and witness interviews. Local prosecutors claimed that without access to the FBI’s case file, it may be impossible for the state to assess whether charges are warranted, even though the shooting is well documented, occurred in Hennepin County, and involves a Minnesota resident.

A separate fundraiser for Good’s widow and family has currently raised more than $1.5 million.

GoFundMe Ignores Own Rules by Hosting a Legal-Defense Fund for the ICE Agent Who Killed Renee Good

Plus: Iran shuts down its internet amid sweeping protests, an alleged scam boss gets extradited to China, and more.

After a federal agent shot and killed 37-year-old Renee Good in Minneapolis on Wednesday, WIRED surfaced December federal court testimony from the reported ICE shooter, Jonathan Ross. In it, he said he was a firearms trainer and that he has had “hundreds” of encounters with drivers in a professional capacity during enforcement actions. Separately, we looked at how the tactics behind protest policing are moving toward intentional antagonism. If you haven’t seen it, here’s our guide to protesting safely in the age of surveillance.

Meanwhile, the artificial-intelligence-powered chatbot Grok, developed by Elon Musk’s xAI, was everywhere this week because the platform has been expanding access to digital “undressing” capabilities that allow users to generate naked images of people and then post them to the social media platform X. A WIRED review found that Grok has been generating graphic content—including violent sexual images and videos, as well as media that depicts apparent minors—that has been available on Grok’s official website that’s even more explicit than content on X. All of this has led researchers and activists to ask why Grok and X are still available in Apple’s and Google’s app stores when the companies have removed other “nudify” apps for violating their terms. On Friday, X seemed to take steps to limit who can generate images with Grok to paid, “verified” users. In practice, though, the chatbot is still being used to create sexualized “undressing” images on the platform, even if the capability isn’t quite as accessible as it was before.

If you, like billions of other people globally, are a WhatsApp user, we’ve got tips about features in the end-to-end encrypted communication app that can boost its privacy and security even more. Plus, while invasive spyware is still relatively rare, it continues to proliferate around the world, so we have a guide to protecting your smartphone.

And there’s more! Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ICE’s New Surveillance Tools Can Monitor Whole Neighborhoods and Track People**

Materials obtained by 404 Media shed new light on how the surveillance tools Tangles and Webloc from a company called Penlink can provide information to ICE agents after the agency contracted for the services in September. The social-media and phone-surveillance platforms can be used to monitor neighborhoods or city blocks for mobile phones and track the devices over time, potentially revealing where people live, work, and visit. Penlink purchases vast troves of commercial location data to augment and expand the dragnet.

“This is a very dangerous tool in the hands of an out-of-control agency. This granular location information paints a detailed picture of who we are, where we go, and who we spend time with,” Nathan Freed Wessler, deputy project director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, told 404 Media.

**Iran Shuts Down the Internet Again as Mass Protests Unfold**

For the past two weeks, thousands of Iranians have been protesting against the country’s brutal regime and leadership, calling for reform after protests initially broke out over poor economic conditions. In response to the growing unrest, the country’s supreme leader has indicated harsh potential crackdowns may happen. As part of the country’s response, it has initiated a total internet blackout: As of January 9, Iranians had been without connectivity for more than 24 hours. Reports indicate that people have not been able to access social media, leaving them out of contact with family members, as well as preventing them from using ATMs and bank cards.

It is not the first time that Iran has shut down the internet for millions of people. The country, which has been building out the technical capability to digitally isolate itself from the global internet for years, previously shut down connections in 2025, 2022, and 2019. Often these internet shutdowns have been designed to stop protesters from communicating with one another and organizing, to limit the spread of news, and to stop video footage of law enforcement brutality from spreading around the world. They also cause huge self-inflicted economic damage to Iran.

**Alleged $15 Billion Scam-Center Boss Extradited to China**

In October, officials in the United States and United Kingdom sanctioned Cambodian national Chen Zhi and his company, Prince Holding Group, for allegedly running forced labor scam compounds across Cambodia—and a $15 billion fraudulent operation in the process. This week, Chen was extradited to China from Cambodia. He was shown on television wearing a hood and handcuffs as he was escorted off a plane in Beijing. The Guardian reports it is “not immediately clear” what charges Chen faces in China, although officials said his case is part of a wider crackdown on notorious scam compounds that have stolen billions from people around the world.

**China’s “Salt Typhoon” Hackers Breached Email Accounts of US Congressional Committee Staffers**

The notorious Chinese state-backed espionage hackers Salt Typhoon reportedly compromised the email accounts of a number of US congressional committee staffers as part of a campaign detected in December. Attackers targeted House China Committee staff communications as well as those from the Intelligence Committee, Armed Services Committee, and Foreign Affairs Committee. The incident is just the latest in a sprawling series of public and private sector breaches carried out by Salt Typhoon that have given Chinese intelligence extensive insight into US government communications.

Source

Wired