Russell Vought, acting director of the Consumer Financial Protection Bureau, has canceled plans to more tightly regulate the sale of Americans’ sensitive personal data.

The Consumer Financial Protection Bureau (CFPB) has canceled plans to introduce new rules designed to limit the ability of US data brokers to sell sensitive information about Americans, including financial data, credit history, and Social Security numbers.

The CFPB proposed the new rule in early December under former director Rohit Chopra, who said the changes were necessary to combat commercial surveillance practices that “threaten our personal safety and undermine America’s national security.”

The agency quietly withdrew the proposal on Tuesday morning, publishing a notice in the Federal Register declaring the rule no longer “necessary or appropriate.”

The CFPB received more than 600 comments from the public this year concerning the proposal, titled Protecting Americans from Harmful Data Broker Practices. The rule was crafted to ensure that data brokers obtain Americans’ consent before selling or sharing sensitive personal information, including financial data such as income. US credit agencies are already required to abide by such regulations under the Fair Credit Reporting Act, one of the nation’s oldest privacy laws.

In its notice, the CFPB’s acting director, Russell Vought, wrote that he was withdrawing the proposal “in light of updates to Bureau policies,” and that it did not align with the agency’s “current interpretation of the FCRA,” which he added the CFPB is “in the process of revising.”

The CFPB did not immediately respond to a request for comment.

Data brokers operate within a multibillion-dollar industry built on the collection and sale of detailed personal information—often without individuals’ knowledge or consent. These companies create extensive profiles on nearly every American, including highly sensitive data such as precise location history, political affiliations, and religious beliefs. This information is frequently resold for purposes ranging from marketing to law enforcement surveillance.

Many people are unaware that data brokers even exist, let alone that their personal information is being traded. In January, the Texas Attorney General’s Office, led by attorney general Ken Paxton, accused Arity—a data broker owned by Allstate—of unlawfully collecting, using, and selling driving data from over 45 million Americans to insurance companies without their consent.

The harms from data brokers can be severe–even violent. The Safety Net Project, part of the National Network to End Domestic Violence, warns that people-search websites, which compile information from data brokers, can serve as tools for abusers to track down information about their victims.

Last year, Gravy Analytics—which processes billions of location signals daily—suffered a data breach that may have exposed the movements of millions of individuals, including politicians and military personnel.

“Russell Vought is undoing years of painstaking, bipartisan work in order to prop up data brokers’ predatory, and profitable, surveillance of Americans,” says Sean Vitka, executive director of Demand Progress, a nonprofit that supported the rule. Added Vitka: “By withdrawing the CFPB’s data broker rulemaking, the Trump administration is ensuring that Americans will continue to be bombarded by scam texts, calls and emails, and that military members and their families can be targeted by spies and blackmailers.”

Vought, who also serves as director of the White House Office of Management and Budget, received a letter on Monday from the Financial Technology Association (FTA) calling for the rule to be withdrawn, claiming the rules exceed the agency’s statutory mandate and would be “harmful to financial institutions’ efforts to detect and prevent fraud.” The FTA is a US-based trade organization that represents the interests of fintech companies and their executives.

Privacy advocates have long pressed regulators to use the Fair Credit Reporting Act to crack down on the data broker industry. Common Defense, a veteran-led nonprofit, urged the CFPB to take action in November, blaming data brokers for recklessly exposing sensitive information about US service members that placed them at “substantial risk” of being blackmailed, scammed, or targeted by hostile foreign actors.

A 2023 study cited by the group—funded by the US Military Academy at West Point—concluded that the current data broker ecosystem is a threat to US national security, permitting the sale of sensitive personal data that can be used not only to identify service members and “other politically sensitive targets,” but also to offer details about medical conditions, financial problems, and political and religious beliefs. “Foreign and malign actors with access to these datasets could uncover information about high-level targets, such as military service members, that could be used for coercion, reputational damage, and blackmail,” the authors report.

Common Defense political director Naveed Shah, an Iraq War veteran, condemned the move to spike the proposed changes, accusing Vought of putting the profits of data brokers before the safety of millions of service members. "For the sake of military families and our national security, the administration must reverse course and ensure that these critical privacy protections are enacted," Shah says.

Investigations by WIRED have shown that data brokers have collected and made cheaply available information that can be used to reliably track the locations of American military and intelligence personnel overseas, including in and around sensitive installations where US nuclear weapons are reportedly stored.

WIRED reported in February that US data brokers were using Google's ad-tech tools to sell access to information about devices linked to military service members and national security decisionmakers, as well as federal contractors that manufacture and export classified defense-related technologies. Experts say it proves trivial for foreign adversaries to de-anonymize the data.

"Data brokers inflict severe harm on individuals by degrading privacy, threatening national security, enabling scams and fraud, endangering public officials and survivors of domestic violence, and putting immigrant populations at risk,” says Caroline Kraczon, law fellow at the Electronic Privacy Information Center focused on consumer protection.

“The CFPB had a critical opportunity to address these harms by clarifying that data brokers must follow the Fair Credit Reporting Act,” adds Kraczon. “This withdrawal is deeply disappointing and another attack in the administration’s war against consumers on behalf of corporate interests."

Last month, more than 1,400 CFPB employees had their positions at the agency terminated, leaving the agency with a staff of around 300 people. Elon Musk, whose so-called Department of Government Efficiency (DOGE) has spearheaded the White House's efforts to radically restructure the federal government by slashing the size of its workforce, last November called on President Donald Trump to “delete” the CFPB, whose job includes shielding Americans from predatory lending practices.

_Update 10 am ET, May 15, 2025: Clarified the types of companies represented by the Financial Technology Association._

CFPB Quietly Kills Rule to Shield Americans From Data Brokers

Security researchers are publishing 1,000 email addresses they claim are linked to North Korean IT worker scams that infiltrated Western companies—along with photos of men allegedly involved in the schemes.

The young developers are having the time of their lives. They pop open bottles of sparkling wine, eat steak dinners, play soccer together, and lounge around in a luxurious private swimming pool, all of their activity captured in photos that were later exposed online. In one picture, a man poses in front of a life-sized _Minions_ cardboard cutout. But despite their exuberance, these are not successful Silicon Valley entrepreneurs; they’re IT workers from the Hermit Kingdom of North Korea, who infiltrate Western companies and send their wages back home.

Two members of a cluster of North Korean developers, who allegedly operated out of Southeast Asian country Laos before being relocated to Russia by the beginning of 2024, are today being identified by researchers at cybersecurity company DTEX. The men, who DTEX believes have used the personas ‘Naoki Murano’ and ‘Jenson Collins,’ are alleged to have been involved in raising money for the brutalist North Korean regime as part of the widespread IT worker epidemic, with Murano alleged to have previously been linked to a $6 million heist at crypto firm DeltaPrime last year.

For years, Kim Jong-un’s North Korea has posed one of the most sophisticated and dangerous cyber threats to Western countries and businesses, with its hackers stealing the intellectual property needed to develop its own technology, plus looting billions in crypto to evade sanctions and create nuclear weapons. In February, the FBI announced that North Korea pulled off the biggest ever crypto heist, stealing $1.5 billion from crypto exchange Bybit. Alongside its skilled hackers, Pyongyang’s IT workers, who often are based in China or Russia, trick companies into employing them as remote workers and have become an increasing menace.

“What we’re doing isn’t working, and if it is working, it’s not working fast enough,” says Michael ‘Barni’ Barnhart, a leading North Korean cyber researcher and principal investigator at DTEX. As well as identifying Murano and Collins, DTEX, in a detailed report about North Korean cyber activity, is also publishing more than 1,000 email addresses that it alleges to have been identified as linked to North Korean IT worker activity. The move is one of the largest disclosures of North Korean IT worker activity to date.

North Korea’s broad cyber operations can’t be compared with those of other hostile nations, such as Russia and China, Barnhart explains in the DTEX report, as Pyongyang operates like a “state-sanctioned crime syndicate” rather than more traditional military or intelligence operations. Everything is driven by funding the regime, developing weaponry, and gathering information, Barnhart says. “Everything is tied together in some way, shape, or form.”

**The Misfits Move In**

Around 2022 and 2023, DTEX claims both Naoki Murano and Jenson Collins—their real names are not known—were based in Laos and also travelled between Vladivostok, in Russia. The pair appeared among a wider group of possible North Koreans in Laos, and a cache of their photos were first exposed in an open Dropbox folder. The photos were discovered by a collective of North Korean researchers who often collaborate with Barnhart and call themselves a “Misfit” alliance. In recent weeks, they’ve posted numerous images of purported North Korean IT workers online.

North Korea’s IT workers are prolific in their activities, often trying to infiltrate multiple companies simultaneously by using stolen identities or creating false personas to try to appear legitimate. Some use freelance platforms; others try to recruit international facilitators to run laptop farms. While their online personas may be fake, the country—where millions do not have basic human rights or access to the internet—steers talented children into its education pipeline where they can become skilled developers and hackers. That means many of the IT workers and hackers are likely to know each other, potentially since they were children. Despite being technically adept, they often leave a trail of digital breadcrumbs in their wake.

Murano was first linked to North Korean operations publicly by cryptocurrency investigator ZachXBT, who published the names, cryptocurrency wallet details, and email addresses of more than 20 North Korean IT workers last year. Murano was then linked to the DeltaPrime heist in reporting by Coinbase in October.. Members of the Misfits collective have shared photos of Murano looking pleased with himself while eating steak and a picture of an alleged Japanese passport.

Meanwhile, Collins, who DTEX included in its report and who was featured in swimming pool photos included in the Dropbox folder, was most commonly involved in IT work that generated revenue for Pyongyang, says narcass3 a member of the Misfits who asked to be identified by their online handle. “He seems to have mainly just worked on crypto/blockchain projects, including one which seems to be completely DPRK backed or primarily made up of IT workers,” narcass3 says.

Evan Gordenker, a consulting senior manager at the Unit 42 threat intelligence team of cybersecurity company Palo Alto Networks, says he is familiar with the two personas identified by DTEX and other outlets and the cluster of North Korean workers that were based in Laos. The group were putting out a lot of job applications, creating fake personas, and searching for potential accomplices, the researcher says. “It seemed to me like they also enjoyed a level of autonomy that I don't think you tend to see for some of the \[IT worker\] groups,” Gordenker says. “I don't know if that’s because they generated more money and earned more privileges or just because they happened to have a group lead that operated in that way.”

An email address in Murano’s name bounced back when contacted by WIRED. Meanwhile an email address in Collins’ name did not respond to a request for comment.

**Hiding in Plain Sight**

Pyongyang’s IT workers have been operating for the best part of a decade, but attention on their activities has intensified in the last 12 months as Fortune 500 companies realized they have inadvertently hired North Koreans. Teams of hackers and IT workers are set “earnings quotas” by Kim Jong-un’s regime, Barnhart says, with IT workers operating from multiple different North Korean military and intelligence organizations. One IT worker that made $5,000 per month could keep $200 of it, the investigator says.

Malicious IT workers, who may be likely to steal as well as earning money, are a part of the country’s recently revealed AI organization called 227 Research Center, which is part of the the primary intelligence agency the Reconnaissance General Bureau, while others are part of teams at the Ministry of National Defense, according to a cyber organization chart published by Barnhart in the DTEX report. IT workers that solely try to generate revenue from their jobs may be part of the Munitions Industry Department, the research says.

The relatively recent uptick in scrutiny around IT workers has come amid a growing US government crackdown: In May 2023, it sanctioned North Korean company Chinyong Information Technology Cooperation Company for employing IT workers in Laos and Russia, while at the start of this year, two North Korean front companies and their China- and Laos-based bosses were sanctioned by the US Treasury Department. The Treasury said IT worker groups earn “hundreds of millions of dollars” for the regime, and thousands of IT workers are dispatched around the world.

“IT workers play the numbers game and are applying for remote roles in volume,” says Rafe Pilling, director of threat intelligence, at Sophos’ Counter Threat Unit. That means they often make errors. “They seem to operate at such a pace that they can make mistakes like leaving Github repositories of CVs and tools publicly accessible, leaving comments in code and scripts, making mistakes across CV’s that make them easier to spot as fakes, and slip-ups on camera during interviews that can reveal subterfuge.”

Alongside identifying Murano and Collins, DTEX also published more than 1,000 email addresses allegedly linked to North Korean IT worker operations that have been gathered through investigations and collaboration with researchers. Each email address has been provided by multiple sources, Barnhard says. A WIRED analysis of almost two dozen of the emails, using open-source intelligence tools and a database of material leaked online, shows few of them appear to have any signs of authentic online behavior; some email addresses are linked to online developer tools or freelancing websites, with others having very little online presence.

“There’s quite a bit of reuse of personas and some of them last years and years,” Unit 42’s Gordenker says. Others might be used just once, Gordenker says, but the scammers can quickly create new personas if needed. “You’ll see a persona that works, for instance, can sometimes have four or five, six different jobs across the lifespan.”

As more IT workers are identified, they are increasingly adopting their tactics to try to make themselves harder to spot. Multiple cybersecurity researchers have found North Koreans using face-changing software during video interviews or using AI assistants to help answer questions in real-time.

**Changing Faces**

The IT worker stands in the middle of the cramped room and poses for his photo. A clock on the wall reads 11:30. In the background, three other men wearing military uniforms hunch over computers. A rack of laundry appears at the back of the room in the photo, which was first published by DTEX. “There’s a lot to unpack in that one image,” Barnhart says.

Barnhart explains that while much is unknown about the photo, it reveals some details about how the group of IT workers operate. One of the men, in the far right corner of the photograph, appears to have WhatsApp messages open on his computer screen, with multiple chats ongoing. Attached to the wall above him is a surveillance camera.

“The MSS watches them so they don’t become defectors,” Barnhart says, referring to North Korea’s counterintelligence agency and secret police, the Ministry of State Security. As the men are based out of a small work space, they are likely to lower down the pecking order of IT workers and will, like their compatriots, also face digital surveillance when they use their computers, he says. Barnhart says software he has seen monitors what the IT workers type and send on their devices. “They hate it,” he says. “It sends flags out to external servers whenever sexual imagery or sexual content is talked about or if Kim Jong-un is \[mentioned\].” Other researchers have spotted suspected IT workers ending job interviews when asked a variation on the question: “How fat is Kim Jong-un?”

While it’s unclear where the men in the room may be physically located, there are signs that the portrait photograph of the central subject has been used to create a false persona. Subsequent images obtained by Barnhart show the man edited into different clothes and turned into a cartoon-style illustration of his face.

“It shows him messing with the hairline. It shows him altering features, it shows him basically getting his profiles ready,” Barnhart says. One of these photos—of him edited into a leather jacket—appears on the website of “Benjamin Martin,” a self-styled web3 and full-stack developer.

Aside from appearing to be the North Korean from the IT worker photo, two of the companies listed on Martin’s online CV tell WIRED they have not heard of the persona, let alone employed him. One of the firms said it was not fully incorporated during most of the time the Martin persona listed he was working there. Martin did not respond to messages sent to the email listed on the developer webpage while a Telegram account linked to a phone number on Martin’s website responded “yes” in a limited Chinese-language exchange when asked if they were a North Korean IT worker.

Ultimately, Barnhart says, people need to understand how North Korean hackers and IT workers are operating, with fluidity between groups and approaches, before significant disruption of their efforts can take place. “We need to refocus, we need to reshape,” Barnhart says. “North Korea has already moved on to their next point and now they're subcontracting and creating another layer of obfuscation there, too.”

North Korean IT Workers Are Being Exposed on a Massive Scale

A new extra-secure mode for Android 16 will let at-risk users lock their devices down.

With the rise of mercenary spyware and other targeted threats, tech giants like Apple, Google, and Microsoft have spent the last few years trying to figure out how to protect the digital lives of their most at-risk, vulnerable users around the world. On mobile, the launch of Apple's iOS Lockdown Mode in 2022 was one concerted effort to shed nonessential functionality in favor of maximum security—a trade-off most users wouldn't want to make, but that could be very worth it for a public figure, activist, journalist, or dissident living under daily scrutiny and threat of attack. For years, Google has offered a program for a similar demographic called Advanced Protection that focuses on adding additional layers of monitoring and security to vulnerable users' Google accounts, a core piece of many people's digital lives that could be devastating if compromised. Now, Google is extending Advanced Protection with a suite of features for Android 16.

On Tuesday, the company announced an Advanced Protection mode for phones running the newest version of Android. At its core, the mode is designed around imposing strong security settings on all apps and services to silo data as much as possible and reduce interactions with unsecured web services and previously unknown, untrusted individuals. Advanced Protection on Android is meant to be as usable and flexible as possible, though, leaning on Google's rapidly expanding on-device AI scanning capabilities to provide monitoring and alerts without having to completely eliminate features. Still, the mode imposes restrictions that can't be turned off, like blocking phones from connecting to historic 2G data networks and disabling Chrome's Javascript optimizer, which could alter or break some web functionality on some sites.

“There are two classes of things that we use to defend the user. One is you obviously harden the system, so you try to lock things down, you prevent many forms of attacks," says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. "But two is you can't always prevent every attack entirely. But if you can detect that you've been compromised, you can take some sort of corrective action. In consumer security on mobile this detection has never really been a possibility, so that's one of the big things we've done here."

This monitoring and detection capability, known as Intrusion Logging, uses end-to-end encryption to indelibly store logs from your device in the cloud such that they can't be accessed by Google or any party aside from you, but also in a form that can't be deleted or modified, even if your device and Google account are compromised.

Logging and system monitoring tools are common on laptops and desktops—not to mention in enterprise IT environments—but offering the capabilities for consumers on mobile devices is more unusual. As with any scheme that takes data off a device and puts it in the cloud, the system does introduce some new risks, but Google and Google Cloud Services already run many end-to-end encrypted platforms for users, and Kleidermacher notes that the ability to create indelible logs that can't be manipulated or deleted by a sophisticated attacker is invaluable in addressing targeted attacks.

“The main innovation here is you have an audit log mechanism to detect compromise that is actually resistant to device tampering,” he says. “It's bringing intrusion detection to the consumer. So if you as a consumer suspect a problem and you're not sure, you can pull the logs down from the cloud. You can share them with a security expert, you can share them with an NGO, and they can use tools for analysis.”

Another feature that is on by default and can't be turned off in Advanced Protection is Android's Memory Tagging Extension (MTE). The feature, which debuted for Google's Pixel line and is starting to be adopted in processors on other devices, is a hardware security protection related to how a system manages its memory. If an attacker attempts to exploit a memory vulnerability such as a so-called buffer overflow, MTE will cause the process to fail, stopping the attack in its tracks. Memory corruption bugs are a common tool used by hackers, so neutering the entire class of vulnerabilities makes it much more difficult to attack a device.

Most Advanced Protection features will launch next week with Android 16, but Google says that Intrusion Logging is coming later this year along with features like USB protections that will prevent untrusted peripherals from using your phone's charging port for data transfers. And Google is also offering an API for integrating Advanced Protection directly into third-party apps. When a user turns Advanced Protection on, Android will impose enhanced defenses broadly across the operating system, but third-party integration will enable deeper defenses within non-Google apps.

“You want to prevent as much as you can, and a lot of these features are locking down the phone in ways that will make some attacks just much, much harder for attackers, more expensive, or even impossible,” Kleidermacher says.

Courtesy of Google

Google’s Advanced Protection for Vulnerable Users Comes to Android

Android’s “Scam Detection” protection in Google Messages will now be able to flag even more types of digital fraud.

Digital scammers have never been so successful. Last year Americans lost $16.6 billion to online crimes, with almost 200,000 people reporting scams like phishing and spoofing to the FBI. More than $470 million was stolen in scams that started with a text message last year, according to the Federal Trade Commission. And as the biggest mobile operating system maker in the world, Google has been scrambling to do something, building out tools to warn consumers about potential scams.

Ahead of Google’s Android 16 launch next week, the company said on Tuesday that it is expanding its recently launched AI flagging feature for the Google Messages app, known as Scam Detection, to provide alerts on potentially nefarious messages like possible crypto scams, financial impersonation, gift card and prize scams, technical support scams, and more. Combined with other AI security features for Google Messages—all of which run locally on users’ devices and do not share data or message content with the company—Android is now detecting roughly 2 billion suspicious messages a month.

“The fraud is truly heartbreaking,” says Dave Kleidermacher, vice president of engineering at Android’s security and privacy division. “There’s really a very huge amount—almost epidemic and a scourge to humanity—of financial scams that are all across the world.”

Scammers operate all over the world, but Chinese scam groups particularly are behind millions of fraudulent messages, demanding things like “toll” payments or information for alleged postal service deliveries. When people click the links and enter their details, including payment information, scammers steal their data. In some cases, the scams are designed as a sort of smash-and-grab, where attackers quickly trick users into giving up some crumbs of information, like a pair of login credentials or a credit card number. These scams tend to be more formulaic and are potentially easier to detect. The more complex challenge is in detecting highly involved investment or romance scams—often called pig butchering scams—that build and evolve over months of messaging while scammers build a rapport with their targets before tricking them into handing over their life savings or even going into debt to send more money.

“It takes time for them to get to the scam—it’s not just click on the link,” Kleidermacher says. “By having the AI on-device, you can actually watch and observe these more sophisticated conversations and then detect their scams.”

Courtesy of Google

Courtesy of Google

In a screenshot of the Scam Detection feature provided by Google, an encrypted RSC chat shows a typical scam message saying an EZ Pass toll payment is outstanding. The message adds that the “legal ability” to drive may be revoked if the payment is not made. The message includes a link that directs someone toward a malicious payment website. The Scam Detection overlay at the bottom of the screen says that “suspicious activity” has been detected in the message and offers a way to report and block the sender, alongside an option that allows people to flag that it is not a scam.

Google is far from the only company using AI to try to combat scammers and stop them from reaching people’s inboxes. Some have turned to using AI to directly fight back against scammers. The British telecom company O2, for example, created an “AI Granny” that is set up to keep scammers on the phone and waste their time. And the online scam baiter Kitboga has created a series of bots to make simultaneous calls to call centers that run scams.

Meanwhile, in recent months, Meta, which owns WhatsApp, Messenger, and Instagram, has started to introduce pop-up warnings when people are asked to make payments in chat messages. Elsewhere, cybersecurity company F-Secure has created a beta tool to help people identify if a message and sender are likely scammers and block messages. Putting a layer of friction in place that nudges people away from messaging accounts they don’t know or replying to messages asking for details can reduce the chances that scammers are successful.

Google’s Kleidermacher says that the company is seeing “really positive impact” from using its machine learning systems to detect potential scam messages in real time. As the protections continue to mature, he notes that the underlying system could eventually proliferate beyond just the Google Messages app into third-party communication platforms.

For now, some of that expansion is starting within Google’s own products. The company also said on Tuesday that it is in the early phases of testing ways to incorporate scam detection for phone calls, but the capability has not been widely deployed.

Google Is Using On-Device AI to Spot Scam Texts and Investment Fraud

Before a crackdown by Telegram, Xinbi Guarantee grew into one of the internet’s biggest markets for Chinese-speaking crypto scammers and money laundering. And all registered to a US address.

As the underground industry of crypto investment scams has grown into one of the world's most lucrative forms of cybercrime, the secondary market of money launderers for those scammers has grown to match it. Amid that black market, one such Chinese-language service on the messaging platform Telegram blossomed into an all-purpose underground bazaar: It has offered not only cash-out services to scammers but also money laundering for North Korean hackers, stolen data, targeted harassment-for-hire, and even what appears to be sex trafficking. And somehow, it's all overseen by a company legally registered in the United States.

According to new research released today by crypto-tracing firm Elliptic, a company called Xinbi Guarantee has since 2022 facilitated no less than $8.4 billion in transactions via its Telegram-based marketplace prior to Telegram’s actions in recent days to remove its accounts from the platform. Money stolen from scam victims likely represents the “vast majority” of that sum, according to Elliptic's cofounder Tom Robinson. Yet even as the market serves Chinese-speaking scammers, it also boasts on the top of its website—in Mandarin—that it's registered in Colorado.

“Xinbi Guarantee has served as a giant, purportedly US-incorporated illicit online marketplace for online scams that primarily offers money laundering services,” says Robinson. He adds, though, that Elliptic has also found a remarkable variety of other criminal offerings on the market: child-bearing surrogacy and egg donors, harassment services that offer to threaten or throw feces at any chosen victim, and even sex workers in their teens who are likely trafficking victims.

Xinbi Guarantee is the second such crime-friendly Chinese-language market that Robinson and his team of researchers have uncovered over the past year. Last July, they published a report on Huione Guarantee, a similar Cambodia-based service that Elliptic said in January had facilitated $24 billion in transactions—largely from crypto scammers—making it the biggest illicit online marketplace in history by Elliptic's accounting. That market's parent company, Huione Group, was added to a list of known money laundering operations by the US Treasury's Financial Crimes Enforcement Network earlier this month in an attempt to limit its access to US financial institutions.

After WIRED reached out to Telegram last week about the illicit activity taking place on Xinbi Guarantee’s and Huione Guarantee’s channels on its messaging platform, Telegram appears to have responded Monday by banning many of the central channels and administrator accounts used by both Xinbi Guarantee and Huione Guarantee. “Criminal activities like scamming or money laundering are forbidden by Telegram's terms of service and are always removed whenever discovered,” Telegram spokesperson Remi Vaughn wrote to WIRED in a statement. “Communities previously reported to us by WIRED or included in reports published by Elliptic have all been taken down.”

Telegram had banned several of Huione Guarantee’s channels in February following an earlier Elliptic report on the marketplace, but Huione Guarantee quickly re-created them, and it’s not clear whether the new removals will prevent the two companies from rebuilding their presence on Telegram again, perhaps with new accounts or even new branding. “These are very lucrative businesses, and they’ll attempt to rebuild in some way,” Robinson said of the two marketplaces following Telegram’s latest purge.

Elliptic’s accounting of the total lifetime revenue of the biggest online black markets.Courtesy of Elliptic

Xinbi Guarantee didn't respond to multiple requests for comment on Elliptic's findings that WIRED sent to the market's administrators on Telegram.

Like Huione Guarantee, Xinbi Guarantee has offered a similar “guarantee” model of enabling third-party vendors to offer services by requiring a deposit from them to prevent fraud. Yet it's flown under the radar, even as it grew into one of the biggest hubs for crypto crime on the internet. In terms of scale of transactions prior to Telegram’s crackdown, it was second only to Huione's market, according to Elliptic.

Both services “offer a window into the China-based underground banking network,” Robinson says. “It's another example of these huge Chinese-language ‘guaranteed’ marketplaces that have thrived for years.”

On Xinbi Guarantee, Elliptic found numerous posts from vendors offering to accept funds related to “quick kills,” “slow kills,” and “pig butchering” transactions, all different terms for crypto investment scams and other forms of fraud. In some cases, Robinson explains, these Xinbi Guarantee vendors offer bank accounts in the same country as the victim so that they can receive whatever payment they're tricked into making, then pay the scammer in the cryptocurrency Tether. In other cases, the Xinbi Guarantee merchants offer to receive cryptocurrency payments and cash them out in the scammer's local currency, such as Chinese renminbi.

Aside from Xinbi Guarantee's central use as a cash-out point for crypto scammers, Elliptic also found that the market's vendors offered other wares for scammers such as stolen data that could be used for finding victims, as well as services for registering SIM cards and Starlink internet subscriptions through proxies.

North Korean state-sponsored cybercriminals also appear to have used the platform for money laundering. Elliptic found through blockchain analysis, for instance, that about $220,000 stolen from the Indian cryptocurrency exchange WazirX—the victim of a $235 million theft in July 2024, widely attributed to North Korean hackers—had flowed into Xinbi Guarantee in a series of transactions in November.

Those money-laundering and scam-enabling services, however, are far from the only shady offerings found on Xinbi Guarantee's market. Elliptic also found listings for surrogate mothers and egg donors, with one post showing faceless pictures of the donor's body. Other accounts have offered services that will, for a payment in Tether, place a funeral wreath at a target's door, deface their home with graffiti, post damaging statements around their home, have someone verbally threaten them, throw feces at them, or even, most bizarrely, surround their home with AIDS patients. One posting suggested these AIDS patients would carry “case reports and needles for intimidation."

Other listings have offered sex workers as young as 18 years old, noting the specific sex acts that are allowed and forbidden. Elliptic says that one of its researchers was even offered a 14-year-old by a Xinbi Guarantee merchant. (The account holder noted, however, that no transaction for sex with someone below the age of 18 would be guaranteed by Xinbi. The legal age of consent in China is 14.)

Exactly why Xinbi Guarantee is legally registered in the US remains a mystery. Its incorporation record on the Colorado Secretary of State's website shows an address at an office park in the city of Aurora that has no external Xinbi branding. The company appears to have been registered there in August of 2022 by someone named “Mohd Shahrulnizam Bin Abd Manap.” (WIRED connected that name with several people in Malaysia but couldn't determine which one might be Xinbi Guarantee's registrant.) The listing is currently marked as “delinquent,” perhaps due to failure to file more recent paperwork to renew it.

For fledgling Chinese companies—legitimate and illegitimate—incorporating in the US is an increasingly common tactic for “projecting legitimacy,” says Jacob Sims, a visiting fellow at Harvard's Asia Center who focuses on transnational Chinese crime. “If you have a US presence, you can also open US bank accounts,” Sims says. “You could potentially hire staff in the US. You could in theory have more formalized connections to US entities.” But he notes that the registration's delinquent status may mean Xinbi Guarantee tried to make some sort of inroads in the US in the past but gave up.

While Telegram has served as the chief means of communication for the two markets, the stablecoin cryptocurrency Tether has served as their primary means of payment, Elliptic found. And despite Telegram’s new round of removals of their channels and accounts, Xinbi Guarantee and Huione Guarantee are far from the only companies to use Tether and Telegram to create essentially a new, largely Chinese-language darknet: Elliptic is tracking close to 30 similar marketplaces, Robinson says, though he declined to name others in the midst of the company's investigations.

Just as Telegram shows new signs of cracking down on that sprawling black market, Tether, too, has the ability to disrupt criminal use of its services. Unlike other more decentralized cryptocurrencies such as Bitcoin, Tether can freeze payments when it identifies bad actors. Yet it’s not clear to what degree Tether has taken measures to stop Chinese-language crypto scammers and others on Xinbi Guarantee and Huione Guarantee from using its currency.

When WIRED wrote to Tether to ask about its role in those black markets, the company responded in a statement that it encourages “firms like Elliptic and other blockchain intelligence providers to share critical data with law enforcement so we can act swiftly and in coordination.”

“We are not passive observers—we are active players in the global fight against financial crime,” the Tether statement continued. “If you’re considering using Tether for illicit purposes, think again: it is the most traceable asset in existence. We will identify you, and we will work to ensure you are brought to justice.”

Despite that promise—and Telegram’s new effort to remove Huione Guarantee and Xinbi Guarantee from its platform—both tools have already been used to facilitate tens of billions of dollars in theft and other black market deals, much of it occurring in plain sight. The two largely illegal and very public markets have been “remarkable for both the scale at which they're operating and also the brazenness,” says Harvard’s Jacob Sims.

Given that brazenness and the massive criminal fortunes at stake, expect both markets to attempt a revival in some form—and plenty of competitors to try to take their place atop the Chinese-language crypto crime economy.

An $8.4 Billion Chinese Hub for Crypto Crime Is Incorporated in Colorado

As AI-driven fraud becomes increasingly common, more people feel the need to verify every interaction they have online.

These days, when Nicole Yelland receives a meeting request from someone she doesn’t already know, she conducts a multistep background check before deciding whether to accept. Yelland, who works in public relations for a Detroit-based nonprofit, says she’ll run the person’s information through Spokeo, a personal data aggregator that she pays a monthly subscription fee to use. If the contact claims to speak Spanish, Yelland says, she will casually test their ability to understand and translate trickier phrases. If something doesn’t quite seem right, she’ll ask the person to join a Microsoft Teams call—with their camera on.

If Yelland sounds paranoid, that’s because she is. In January, before she started her current nonprofit role, Yelland says, she got roped into an elaborate scam targeting job seekers. “Now, I do the whole verification rigamarole any time someone reaches out to me,” she tells WIRED.

Digital imposter scams aren’t new; messaging platforms, social media sites, and dating apps have long been rife with fakery. In a time when remote work and distributed teams have become commonplace, professional communications channels are no longer safe, either. The same artificial intelligence tools that tech companies promise will boost worker productivity are also making it easier for criminals and fraudsters to construct fake personas in seconds.

On LinkedIn, it can be hard to distinguish a slightly touched-up headshot of a real person from a too-polished, AI-generated facsimile. Deepfake videos are getting so good that longtime email scammers are pivoting to impersonating people on live video calls. According to the US Federal Trade Commission, reports of job and employment related scams nearly tripled from 2020 to 2024, and actual losses from those scams have increased from $90 million to $500 million.

Yelland says the scammers that approached her back in January were impersonating a real company, one with a legitimate product. The “hiring manager” she corresponded with over email also seemed legit, even sharing a slide deck outlining the responsibilities of the role they were advertising. But during the first video interview, Yelland says, the scammers refused to turn their cameras on during a Microsoft Teams meeting and made unusual requests for detailed personal information, including her driver’s license number. Realizing she’d been duped, Yelland slammed her laptop shut.

These kinds of schemes have become so widespread that AI startups have emerged promising to detect other AI-enabled deepfakes, including GetReal Labs and Reality Defender. OpenAI CEO Sam Altman also runs an identity-verification startup called Tools for Humanity, which makes eye-scanning devices that capture a person’s biometric data, create a unique identifier for their identity, and store that information on the blockchain. The whole idea behind it is proving “personhood,” or that someone is a real human. (Lots of people working on blockchain technology say that blockchain is the solution for identity verification.)

But some corporate professionals are turning instead to old-fashioned social engineering techniques to verify every fishy-seeming interaction they have. Welcome to the Age of Paranoia, when someone might ask you to send them an email while you’re mid-conversation on the phone, slide into your Instagram DMs to ensure the LinkedIn message you sent was really from you, or request you text a selfie with a time stamp, proving you are who you claim to be. Some colleagues say they even share code words with each other, so they have a way to ensure they’re not being misled if an encounter feels off.

“What’s funny is, the lo-fi approach works,” says Daniel Goldman, a blockchain software engineer and former startup founder. Goldman says he began changing his own behavior after he heard a prominent figure in the crypto world had been convincingly deepfaked on a video call. “It put the fear of god in me,” he says. Afterward, he warned his family and friends that even if they hear what they believe is his voice or see him on a video call asking for something concrete—like money or an internet password—they should hang up and email him first before doing anything.

Ken Schumacher, founder of the recruitment verification service Ropes, says he’s worked with hiring managers who ask job candidates rapid-fire questions about the city where they claim to live on their résumé, such as their favorite coffee shops and places to hang out. If the applicant is actually based in that geographic region, Schumacher says, they should be able to respond quickly with accurate details.

Another verification tactic some people use, Schumacher says, is what he calls the “phone camera trick.” If someone suspects the person they’re talking to over video chat is being deceitful, they can ask them to hold up their phone camera to show their laptop. The idea is to verify whether the individual may be running deepfake technology on their computer, obscuring their true identity or surroundings. But it’s safe to say this approach can also be off-putting: Honest job candidates may be hesitant to show off the inside of their homes or offices, or worry a hiring manager is trying to learn details about their personal lives.

“Everyone is on edge and wary of each other now,” Schumacher says.

While turning yourself into a human captcha may be a fairly effective approach to operational security, even the most paranoid admit these checks create an atmosphere of distrust before two parties have even had the chance to really connect. They can also be a huge time suck. “I feel like something’s gotta give,” Yelland says. “I’m wasting so much time at work just trying to figure out if people are real.”

Jessica Eise, an assistant professor studying climate change and social behavior at Indiana University Bloomington, says her research team has been forced to essentially become digital forensics experts due to the amount of fraudsters who respond to ads for paid virtual surveys. (Scammers aren’t as interested in the unpaid surveys, unsurprisingly.) For one of her research projects, which is federally funded, all of the online participants have to be over the age of 18 and living in the US.

“My team would check time stamps for when participants answered emails, and if the timing was suspicious, we could guess they might be in a different time zone,” Eise says. “Then we’d look for other clues we came to recognize, like certain formats of email address or incoherent demographic data.”

Eise says the amount of time her team spent screening people was “exorbitant” and that they’ve now shrunk the size of the cohort for each study and have turned to “snowball sampling,” or recruiting people they know personally to join their studies. The researchers are also handing out more physical flyers to solicit participants in person. “We care a lot about making sure that our data has integrity, that we’re studying who we say we’re trying to study,” she says. “I don’t think there’s an easy solution to this.”

Barring any widespread technical solution, a little common sense can go a long way in spotting bad actors. Yelland shared with me the slide deck that she received as part of the fake job pitch. At first glance, it seemed legit, but when she looked at it again, a few details stood out. The job promised to pay substantially more than the average salary for a similar role in her location and offered unlimited vacation time, generous paid parental leave, and fully covered health care benefits. In today’s job environment, that might have been the biggest tipoff of all that it was a scam.

_Update 5/12/2025, 6:34 PM ET: This article was updated to clarify the nature of a federally funded research project._

Deepfakes, Scams, and the Age of Paranoia

Plus: A DOGE operative’s laptop reportedly gets infected with malware, Grok AI is used to “undress” women on X, a school software company’s ransomware nightmare returns, and more.

A United States Customs and Border Protection request for information this week revealed the agency’s plans to find vendors that can supply face recognition technology for capturing data on everyone entering the US in a vehicle like a car or van, not just the people sitting in the front seat. And a CBP spokesperson later told WIRED that the agency also has plans to expand its real-time face recognition capabilities at the border to detect people exiting the US as well—a focus that may be tied to the Trump administration’s push to get undocumented people to “self-deport” and leave the US.

WIRED also shed light this week on a recent CBP memo that rescinded a number of internal policies designed to protect vulnerable people—including pregnant women, infants, the elderly, and people with serious medical conditions—while in the agency’s custody. Signed by acting commissioner Pete Flores, the order eliminates four Biden-era policies.

Meanwhile, as the ripple effects of “SignalGate” continue, the communication app TeleMessage suspended “all services” pending an investigation after former US national security adviser Mike Waltz inadvertently called attention to the app, which subsequently suffered data breaches in recent days. Analysis of TeleMessage Signal’s source code this week appeared to show that the app sends users’ message logs in plaintext, undermining the security and privacy guarantees the service promised. After data stolen in one of the TeleMessage hacks indicated that CBP agents might be users of the app, CBP confirmed its use to WIRED, saying that the agency has “disabled TeleMessage as a precautionary measure.”

A WIRED investigation found that US director of national intelligence Tulsi Gabbard reused a weak password for years on multiple accounts. And researchers warn that an open source tool known as “easyjson” could be an exposure for the US government and US companies, because it has ties to the Russian social network VK, whose CEO has been sanctioned.

And there's more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**ICE’s Deportation Airline Hack Reveals Man “Disappeared” to El Salvador**

Hackers this week revealed they had breached GlobalX, one of the airlines that has come to be known as “ICE Air” thanks to its use by the Trump administration to deport hundreds of migrants. The data they leaked from the airline includes detailed flight manifests for those deportation flights—including, in at least one case, the travel records of a man whose own family had considered him “disappeared” by immigration authorities and whose whereabouts the US government had refused to divulge.

On Monday, reporters at 404 Media said that hackers had provided them with a trove of data taken from GlobalX after breaching the company’s network and defacing its website. “Anonymous has decided to enforce the Judge's order since you and your sycophant staff ignore lawful orders that go against your fascist plans,” a message the hackers posted to the site read. That stolen data, it turns out, included detailed passenger lists for GlobalX’s deportation flights—including the flight to El Salvador of Ricardo Prada Vásquez, a Venezuelan man whose whereabouts had become a mystery to even his own family as they sought answers from the US government. US authorities had previously declined to tell his family or reporters where he had been sent—only that he had been deported—and his name was even excluded from a list of deportees leaked to CBS News. (The Department of Homeland Security later stated in a post to X that Prada was in El Salvador—but only after a New York Times story about his disappearance.)

The fact that his name was, in fact, included all along on a GlobalX flight manifest highlights just how opaque the Trump administration’s deportation process remains. According to immigrant advocates who spoke with 404 Media, it even raises questions about whether the government itself had deportation records as comprehensive as the airline whose planes it chartered. “There are so many levels at which this concerns me. One is they clearly did not take enough care in this to even make sure they had the right lists of who they were removing, and who they were not sending to a prison that is a black hole in El Salvador,” Michelle Brané, executive director of immigrant rights group Together and Free, told 404 Media. “They weren't even keeping accurate records of who they were sending there.”

**The Computer of a DOGE Staffer With Sensitive Access Reportedly Infected With Malware**

Elon Musk’s so-called Department of Governmental Efficiency has raised alarms not just due to its often reckless cuts to federal programs, but also the agency’s habit of giving young, inexperienced staffers with questionable vetting access to highly sensitive systems. Now security researcher Micah Lee has found that Kyle Schutt, a DOGE staffer who reportedly accessed the financial system of the Federal Emergency Management Agency, appears to have had infostealer malware on one of his computers. Lee discovered that four dumps of user data stolen by that kind of password-stealing malware included Schutt’s passwords and usernames. It’s far from clear when Schutt’s credentials were stolen, for what machine, or whether the malware would have posed any threat to any government agency’s systems, but the incident nonetheless highlights the potential risks posed by DOGE staffers’ unprecedented access.

**Grok AI Will “Undress” Women in Public on X**

Elon Musk has long marketed his AI tool Grok as a more freewheeling, less restricted alternative to other large language models and AI image generators. Now X users are testing the limits of Grok’s few safeguards by replying to images of women on the platform and asking Grok to “undress” them. While the tool doesn’t allow the generation of nude images, 404 Media and Bellingcat have found that it repeatedly responded to users’ “undress” prompts with pictures of women in lingerie or bikinis, posted publicly to the site. In one case, Grok apologized to a woman who complained about the practice, but the feature has yet to be disabled.

**A Hacked School Software Company Paid a Ransom—but Schools Are Still Being Extorted**

This week in don’t-trust-ransomware-gangs news: Schools in North Carolina and Canada warned that they’ve received extortion threats from hackers who had obtained students’ personal information. The likely source of that sensitive data? A ransomware breach last December of PowerSchool, one of the world’s biggest education software firms, according to NBC News. PowerSchool paid a ransom at the time, but the data stolen from the company nonetheless appears to be the same info now being used in the current extortion attempts. “We sincerely regret these developments—it pains us that our customers are being threatened and re-victimized by bad actors,” PowerSchool told NBC News in a statement. “As is always the case with these situations, there was a risk that the bad actors would not delete the data they stole, despite assurances and evidence that were provided to us.”

**A Notorious Deepfake Porn Site Shuts Down After Its Creator Is Outed**

Since its creation in 2018, MrDeepFakes.com grew into perhaps the world’s most infamous repository of nonconsensual pornography created with AI mimicry tools. Now it’s offline after the site’s creator was identified as a Canadian pharmacist in an investigation by CBC, Bellingcat, and the Danish news outlets Politiken and Tjekdet. The site’s pseudonymous administrator, who went by DPFKS on its forums and created at least 150 of its porn videos himself, left a trail of clues in email addresses and passwords found on breached sites that eventually led to the Yelp and Airbnb accounts of Ontario pharmacist David Do. After reporters approached Do with evidence that he was DPFKS, MrDeepFakes.com went offline. “A critical service provider has terminated service permanently. Data loss has made it impossible to continue operation,” reads a message on its homepage. “We will not be relaunching.”

ICE’s Deportation Airline Hack Reveals Man ‘Disappeared’ to El Salvador

A CBP spokesperson tells WIRED that the agency plans to expand its program for real-time face recognition at the border, potentially aiding Trump administration efforts to track people who self-deport.

United States Customs and Border Protection plans to log every person leaving the country by vehicle by taking photos at border crossings of every passenger and matching their faces to their passports, visas, or travel documents, WIRED has learned.

The escalated documentation of travelers could be used to track how many people are self-deporting, or leave the US voluntarily, which the Trump administration is fervently encouraging to people in the country illegally.

CBP exclusively tells WIRED, in response to an inquiry to the agency, that it plans to mirror the current program it’s developing—photographing every person entering the US and match their faces with their travel documents—to the outbound lanes going to Canada and Mexico. The agency currently does not have a system that monitors people leaving the country by vehicle.

“Although we are still working on how we would handle outbound vehicle lanes, we will ultimately expand to this area,” CBP spokesperson Jessica Turner tells WIRED.

Turner could not provide a timeline on when CBP would begin monitoring people leaving the country by vehicle.

She tells WIRED that CBP currently matches photos of people coming into the country with “all documented photos, i.e., passports, visas, green cards, etc,” and adds that all “alien/non-US citizens encounter photos taken at border crossing” are stored by CBP. “The encounter photos can be used for subsequent crossings to verify identity,” Turner says. She did not specify whether CBP may integrate additional photos or data sources in the future.

When asked, Turner says it’s not currently evident that a purpose of the outbound face-matching system would be tracking self-deporations. “Not to say it won't happen in the future, though, with the way self-deportation is going,” Turner says. She later adds that the goal of an outbound system would be to “biometrically confirm departure from the US.” This differs from the purpose of tracking people coming into the US, she says, which also considers the “purpose and intent” of entering the country.

WIRED reported this week that CBP recently asked tech companies to send pitches on how they would ensure every single person entering the country by vehicle, including people two or three rows back, would be instantly photographed and matched with their travel documents. CBP has struggled to do this on its own. The results of a 152-day test of this system, which took place at the Anzalduas border crossing between Mexico and Texas, showed that the cameras captured photos of everyone in the car that met “validation requirements” for face-matching just 61 percent of the time.

Currently, neither CBP nor Immigration and Customs Enforcement have any publicly known tools for tracking self-deportations, aside from an ICE app that allows people to tell the agency when they leave the country.

Last month, ICE announced that it is paying the software company Palantir $30 million to build a tool called ImmigrationOS that would give the agency “near real-time visibility” on people self-deporting from the US, with the goal of having accurate numbers on how many people are doing so, according to a contract justification published a few days later.

When asked, CBP would not confirm or deny whether its monitoring of outbound vehicles would or could be integrated with ImmigrationOS. “CBP does not use Palantir Technologies,” Turner says. (CBP has paid for Palantir services three times, with the last payment in 2013.)

ICE has not specified where Palantir would get the data to power the ImmigrationOS. However, the agency notes that Palantir could create ImmigrationOS by configuring the case management system that the company has provided to ICE since 2014.

This case management system integrates all of the information ICE may have about a person from investigative records or government databases, according to a government privacy assessment published in 2016. At the time of the assessment, it stored information about people’s physical attributes—like hair and eye color, height and weight, and any scars or tattoos—as well as any "location-related data” from “covert tracking devices” and any data from license plate readers, which can provide a detailed travel history.

DHS noted in a 2024 report that CBP has struggled to get biometric data from people leaving the country over land—meaning, people traveling via "cars, trains, buses, bicycles, trucks, and on foot.” The report says that CBP wants to create a “biometric-based departure program” to monitor when people considered aliens leave the country, which DHS notes is required under US law.

The Trump administration is strongly encouraging self-deportation. In March, the Department of Homeland Security revoked the legal status of more than half a million people from Cuba, Haiti, Nicaragua, and Venezuela who were given temporary parole to stay in the US due to instability in their home countries. A judge temporarily blocked the move, but the government is challenging this in court.

In April, the Social Security Administration listed more than 6,000 of these people who had temporary parole as dead, as a way of effectively ending their financial lives in the US. DHS also sent emails to an unknown number of people claiming that their legal parole had been revoked and demanding them to self-deport. Then, this week, the Trump administration offered to pay people in the country illegally $1,000 for a plane ticket to self-deport.

_Updated 2:25 pm ET, May 9, 2025: Added additional details provided by CBP._

US Customs and Border Protection Plans to Photograph Everyone Exiting the US by Car

CBP’s acting commissioner has rescinded four Biden-era policies that aimed to protect vulnerable people in the agency’s custody, including mothers, infants, and the elderly.

US Customs and Border Protection (CBP) has quietly rescinded several internal policies that were designed to protect some of the most vulnerable people in its custody—including pregnant women, infants, the elderly, and people with serious medical conditions.

The decision, outlined in a memo dated May 5 and signed by acting commissioner Pete Flores, eliminates four Biden-era policies enacted over the last three years. These policies were intended to address CBP’s long-standing failures to provide adequate care for detainees who are most at risk—failures that have, in some cases, proved fatal.

The May 5 memo was distributed internally to top agency leadership but was not announced publicly.

CBP justified the rollback by stating in the memo–titled Rescission of Legacy Policies Related to Care and Custody–that the policies were “obsolete” and “misaligned” with the agency’s current enforcement priorities.

Together, the now rescinded policies laid out standards for detainees with heightened medical needs—requiring, for instance, access to water and food for pregnant people, ensuring privacy for breastfeeding mothers, and mandating diapers and unexpired formula be stocked in holding facilities. They also instructed agents to process at-risk individuals as quickly as possible to limit time in custody.

“It's appalling and it's just an extension of the culture of cruelty that the administration is trying to perpetrate,” says Sarah Mehta, deputy director of government affairs for the ACLU’s Equality Division. Rescinding the policies, she says, “is a damning statement about the way that this administration thinks and cares about people with young children.”

CBP did not immediately respond to WIRED’s request for comment.

One of the world’s largest law enforcement agencies, CBP is primarily responsible for apprehending and detaining individuals who cross the US border without authorization. While Immigration and Customs Enforcement (ICE) oversees longer-term detention and deportation proceedings, CBP handles the earliest stages of custody, when migrants are held and processed in short-term facilities that have repeatedly drawn criticism for poor medical care and overcrowding

In January the Senate Judiciary Committee issued a damning report revealing dysfunction in CBP's medical operations. The investigation revealed chronic understaffing, improper use of medical record systems, and vague or nonexistent guidance for treating children, pregnant individuals, and others with complex medical needs.

The report was prompted by the death of 8-year-old Anadith Danay Reyes Álvarez, who died in May 2023 at a CBP facility in Harlingen, Texas. The Panamanian girl, who had a known history of heart problems and sickle cell anemia, reportedly pleaded for help along with her mother. Both were ignored. She died in custody, her final hours spent in a facility whose staff were unequipped—and seemingly unwilling—to provide critical care.

“Just last week in letters to the Trump administration, I raised serious concerns about transparency, accountability, and the humane treatment of detained individuals, particularly in light of repeated reports of detainee mistreatment and inadequate medical care,” US senator Dick Durbin, chairman of the Senate Judiciary Committee, tells WIRED. “Instead of taking actions to course-correct, the Trump administration rescinded several internal policies aimed at protecting some of the most vulnerable individuals in CBP custody—including pregnant women, children, the elderly, and those with serious medical conditions. This is unacceptable. We are a nation of values, and these values should be represented in the care of vulnerable people in our government’s custody.”

Policy reversals have come to define the Trump administration's immigration tactics, from attempts to revoke the status of 500,000 immigrants from Cuba, Haiti, Nicaragua, and Venezuela living legally in the US to purging student visas. In January, a day after President Donald Trump's inauguration, the Department of Homeland security reversed a Biden-era policy that forbade ICE and CBP officers from arresting people in "protected areas," including schools, places of worship, and hospitals.

As the number of people held in ICE detention has climbed–reaching roughly 47,928 in April, according to the Transactional Records Access Clearinghouse–apprehensions at the southern US border have fallen sharply, dropping to levels not seen in decades.

CBP says that its personnel will continue to follow broader standards under the National Standards on Transport, Escort, Detention, and Search (TEDS), and remain bound by the Flores agreement, which requires that children be given safe and sanitary quarters. The Trump administration has previously argued that the original settlement does not require that children be allowed to sleep or wash themselves with soap.

US Customs and Border Protection Quietly Revokes Protections for Pregnant Women and Infants

CBP says it has “disabled” its use of TeleMessage following reports that the app, which has not cleared the US government’s risk assessment program, was hacked.

The United States Customs and Border Protection agency confirmed on Wednesday that it uses at least one communication app made by the service TeleMessage, which creates clones of popular apps like Signal and WhatsApp with the addition of an archiving mechanism for compliance with records-retention rules.

“Following the detection of a cyber incident, CBP immediately disabled TeleMessage as a precautionary measure,” CBP spokesperson Rhonda Lawson tells WIRED. “The investigation into the scope of the breach is ongoing.”

President Donald Trump's now former national security adviser Mike Waltz was photographed last week using TeleMessage Signal during a cabinet meeting, and the photo seemed to show that he was communicating with other high-ranking officials, including Vice President JD Vance, US director of national intelligence Tulsi Gabbard, and what appears to be US secretary of state Marco Rubio.

In the days since the photo was published, TeleMessage has reportedly suffered a series of breaches that illustrate concerning security flaws. Analysis of the app's Android source code also appears to indicate fundamental flaws in the service's security scheme. As these findings emerged, TeleMessage—an Israeli company that completed an acquisition last year by the US-based company Smarsh—imposed a service pause on its products pending investigation.

“TeleMessage is investigating a potential security incident. Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation,” a Smarsh spokesperson told WIRED in a statement on Monday. “Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational.”

WIRED contacted CBP about its potential use of the software after some data stolen from TeleMessage in one of the recent breaches indicated that CBP was potentially a customer.

US senator Ron Wyden called for the Department of Justice to investigate TeleMessage in a letter on Tuesday, alleging that the service is “a serious threat to US national security.” TeleMessage is a federal contractor, but the consumer apps it offers are not approved for use under the US government's Federal Risk and Authorization Management Program, or FedRAMP. In his letter, Wyden referenced that “several federal agencies” use TeleMessage, asserting that the company “sold dangerously insecure communications software to the White House and other federal agencies.”

There is still no complete public accounting of US government officials and agencies that have used the software.

Source

Wired