The company belatedly conceded both that it had paid the cybercriminals extorting it and that patient data nonetheless ended up on the dark web.

More than two months after the start of a ransomware debacle whose impact ranks among the worst in the history of cybersecurity, the medical firm Change Healthcare finally confirmed what cybercriminals, security researchers, and Bitcoin's blockchain had already made all too clear: that it did indeed pay a ransom to the hackers who targeted the company in February. And yet, it still faces the risk of losing vast amounts of customers' sensitive medical data.

In a statement sent to WIRED and other news outlets on Monday evening, Change Healthcare wrote that it paid a ransom to a cybercriminal group extorting the company, a hacker gang known as AlphV or BlackCat. “A ransom was paid as part of the company’s commitment to do all it could to protect patient data from disclosure,” the statement reads. The company's belated admission of that payment accompanied a new post on its website where it warns that the hackers may have stolen health-related data that would “cover a substantial proportion of people in America.”

Cybersecurity and cryptocurrency researchers told WIRED last month that Change Healthcare appeared to have paid that ransom on March 1, pointing to a transaction of 350 bitcoins or roughly $22 million sent into a crypto wallet associated with the AlphV hackers. That transaction was first highlighted in a message on a Russian cybercriminal forum known as RAMP, where one of AlphV's allegedly jilted partners complained that they hadn't received their cut of Change Healthcare's payment. However, for weeks following that transaction, which was publicly visible on Bitcoin's blockchain and which both security firm Recorded Future and blockchain analysis firm TRM Labs told WIRED had been received by AlphV, Change Healthcare repeatedly declined to confirm that it had paid the ransom.

Change Healthcare's confirmation of that extortion payment puts new weight behind the cybersecurity industry's fears that the attack—and the profit AlphV extracted from it—will lead ransomware gangs to further target health care companies. “It 100 percent encourages other actors to target health care organizations,” Jon DiMaggio, a researcher with cybersecurity firm Analyst1 who focuses on ransomware, told WIRED at the time the transaction was first spotted in March. “And it’s one of the industries we _don’t_ want ransomware actors to target—especially when it affects hospitals.”

Compounding the situation, a conflict between hackers in the ransomware ecosystem has led to a _second_ ransomware group claiming to possess Change Healthcare's stolen data and threatening to sell it to the highest bidder on the dark web. Earlier this month that second group, known as RansomHub, sent WIRED alleged samples of the stolen data that appeared to come from Change Healthcare's network, including patient records and a contract with another health care company.

As of Monday, strangely, the listing for that data on RansomHub's dark-web site had been taken down. Change Healthcare's post to its website, however, warns that 22 screenshots of its data had been posted to the dark web by an unnamed hacker group, and that they included “protected health information (PHI) or personally identifiable information (PII),” though it said it hadn't seen any sign that medical records like doctor's charts or full medical histories for any patients were among the stolen data.

For Change Healthcare and the beleaguered medical practices, hospitals, and patients that depend on it, the confirmation of its extortion payment to the hackers adds a bitter coda to an already dystopian story. AlphV's digital paralysis of Change Healthcare, a subsidiary of UnitedHealth Group, snarled the insurance approval of prescriptions and medical procedures for hundreds of medical practices and hospitals across the country, making it by some measures the most widespread medical ransomware disruption ever. A survey of American Medical Association members conducted between March 26 and April 3 found that four out of five clinicians had lost revenue as a result of the crisis. Many said they were using their own personal finances to cover a practice’s expenses. Change Healthcare, meanwhile, says it has lost $872 million to the incident and projects that number to rise well over a billion in the longer term.

Change Healthcare's confirmation of its ransom payment now appears to show that much of that catastrophic fallout for the US health care system unfolded _after_ it had already paid the hackers an exorbitant sum—a payment in exchange for a decryption key for the systems the hackers had encrypted and a promise not to leak the company's stolen data. As is often the case in ransomware attacks, AlphV's disruption of its systems appears to have been so widespread that Change Healthcare's recovery process has extended long after it obtained the decryption key designed to unlock its systems.

As ransomware payments go, $22 million wouldn't be the most that a victim has forked over. But it's close, says Brett Callow, a ransomware-focused security researcher who spoke to WIRED about the suspected payment in March. Only a few rare payments, such as the $40 million paid to hackers by CNA Financial in 2021, top that number. “It’s not without precedent, but it’s certainly very unusual,” Callow said of the $22 million figure.

That $22 million injection of funds into the ransomware ecosystem further fuels a vicious cycle that has reached epidemic proportions. Cryptocurrency tracing firm Chainalysis found that in 2023, ransomware victims paid the hackers targeting them fully $1.1 billion, a new record. Change Healthcare's payment may represent only a small drop in that bucket, but it both rewards AlphV for its highly damaging attacks and may suggest to other ransomware groups that health care companies are particularly profitable targets, given those companies are especially sensitive to both the high cost of those cyberattacks financially and the risks they pose to patients' health.

Compounding Change Healthcare's mess is an apparent double-cross within the ransomware underground: AlphV, by all appearances, faked its own law enforcement takedown after receiving Change Healthcare's payment in an attempt to avoid sharing it with its so-called affiliates, the hackers who partner with the group to penetrate victims on its behalf. The second ransomware group threatening Change Healthcare, RansomHub, now claims to WIRED that they obtained the stolen data from those affiliates, who still want to be paid for their work.

That has created a situation where Change Healthcare's payment provides little assurance that its compromised data won't still be exploited by disgruntled hackers. “These affiliates work for multiple groups. They’re concerned with getting paid themselves, and there’s no trust among thieves,” Analyst1's DiMaggio told WIRED in March. “If someone screws someone else, you don’t know what they’re going to do with the data.”

All of that means Change Healthcare still has little assurance that it has avoided an even worse scenario than it has yet faced: paying what may be one of the biggest ransoms in history and still seeing its data spilled onto the dark web. “If it gets leaked after they paid $22 million, it’s pretty much like setting that money on fire,” DiMaggio warned in March. “They’d have burned that money for nothing.”

Change Healthcare Finally Admits It Paid Ransomware Hackers—and Still Faces a Patient Data Leak

Over the weekend, President Joe Biden signed legislation not only reauthorizing a major FISA spy program but expanding it in ways that could have major implications for privacy rights in the US.

The ability of the United States to intercept and store Americans’ text messages, calls, and emails in pursuit of foreign intelligence was not only extended but enhanced over the weekend in ways likely to remain enigmatic to the public for years to come.

On Saturday, US president Joe Biden signed a controversial bill extending the life of a warrantless US surveillance program for two years, bringing an end to a months-long fight in Congress over an authority that US intelligence agencies acknowledge has been widely abused in the past.

At the urging of the agencies and with the help of powerful bipartisan allies on Capitol Hill, the program has also been extended to cover a wide range of new businesses, including US data centers, according to recent analysis by legal experts and civil liberties organizations that were vocally opposed to its passage.

Section 702 of the Foreign Intelligence Surveillance Act, or FISA, allows the US National Security Agency (NSA) and Federal Bureau of Investigation (FBI), among other agencies, to eavesdrop on calls, texts, and emails traveling through US networks, so long as one side of the communication is foreign.

Americans caught up in the program face diminished privacy rights.

While the government requires a foreign target to commence a wiretap, Americans are often party to those intercepted conversations. And although US attorney general Merrick Garland insisted in a statement on Saturday that the updates to the 702 program “ensure the protection of Americans' privacy and civil liberties,” and that the government never intentionally targets Americans, the government nevertheless reserves the right to store their communications and access them later without probable cause.

“Section 702 is supposed to be used only for spying on foreigners abroad,” says Dick Durbin, chair of the Senate Judiciary Committee. “Instead, sadly, it has enabled warrantless access to vast databases of Americans’ private phone calls, text messages, and emails.”

Under the law, the government can retain communications captured by the 702 program for half a decade or more—indefinitely, so long as the government makes no effort to decrypt them.

A trade organization representing some of the world’s largest tech companies came out against plans to expand Section 702 in the final hours of the debate, claiming that a new provision authored by House Intelligence Committee members would damage the competitiveness of US technologies, “arguably imperiling the continued global free flow of data between the US and its allies.”

US intelligence obtains its vast surveillance power through yearly certifications doled out by a secret court. The certifications permit the NSA in particular to force businesses in the US—categorized as “electronic communications service providers,” or ECSPs—to cooperate with the program, collecting data and installing wiretaps on the agency’s behalf.

Years ago, the government sought to unilaterally expand the definition of ECSP under the law, seeking to compel the cooperation of whole new categories of businesses. That effort was beaten back by the FISA court in 2022, in a ruling that stated only Congress has the “competence and constitutional authority” to rewrite the law.

On the spy community’s behalf, the House Intelligence Committee introduced an amendment last year to codify the sought-after expansion of the 702 program, broadening the definition of what it means to be an ECSP.

With the backing of party leaders, the House and Senate intel committees maintained an outsize influence over the bill’s trajectory through Congress, lobbying lawmakers hand-in-hand with the intelligence community to defeat a slate of popular reforms, including a House amendment that would have required the FBI to obtain search warrants before accessing the communications of Americans collected under Section 702.

The House and Senate judiciary committees, which oversee the work of the US Justice Department, have traditionally held jurisdiction over FISA. However, much of their authority was sapped after the House speaker, Mike Johnson, adopted the pro-surveillance views of the intel committee members, which align with those of the White House.

Legal experts—including a rare few attorneys who’ve argued cases before the FISA court in the past—say the new ECSP text ensnares owners of facilities housing equipment used to store and carry data, as well as commercial landlords and virtually anyone with access to communications equipment in those spaces. The text, they argue, may be interpreted by the government as granting it authority to compel the assistance of “delivery personnel, cleaning contractors, and utility providers,” among others.

Criticism of the 702 program largely stems from revelations of abuse in a declassified court filing from 2022, which describes rampant misuse of the 702 database by the FBI. Investigators at the bureau have been caught unlawfully scouring 702 data for information on American protesters, journalists, and political donors. On at least one occasion, an FBI analyst worked to access the communications of a sitting member of Congress.

The FBI instituted scores of new procedures in an attempt to clamp down on the abuse internally, practices that are now codified under the law. House and Senate intelligence members say codifying the policies will serve as a sufficient bulwark against further abuse. Civil libertarians who have pursued new warrant requirements under FISA—an amendment that was dropped after a tie vote in the House of Representatives last week—argue, conversely, that the FBI should not be trusted to oversee itself in the wake of recent scandal.

Liza Goitein, a FISA expert and senior director at the Brennan Center of Justice at New York University School of Law, says the bill signed by Biden on Saturday represents “a gift to any president who may wish to spy on political enemies.”

“Although some senators fought valiantly to protect Americans’ civil liberties, they could not overcome the barrage of false and misleading statements from the administration and surveillance hawks on the congressional intelligence committees,” says Goitein. “This is a truly shameful episode in the history of the US Congress, and sooner or later, the American people will pay the price.”

The Next US President Will Have Troubling New Surveillance Powers

Thousands of exposed files on a misconfigured North Korean server hint at one way the reclusive country may evade international sanctions.

For almost a decade, Nick Roy has been scanning North Korea’s tiny internet presence, spotting new websites coming online and providing a glimpse of the Hermit Kingdoms’ digital life. However, at the end of last year, the cybersecurity researcher and DPRK blogger stumbled across something new: signs North Koreans are working on major international TV shows.

In December, Roy discovered a misconfigured cloud server on a North Korean IP address containing thousands of animation files. Included in the cache were animation cells, videos, and notes discussing the work, plus changes that needed to be made to ongoing projects. Some images appeared to be from an Amazon Prime Video superhero show and an upcoming Max (aka HBO Max) children’s anime.

The findings and security lapse—detailed in a report by the Stimson Center think tank's North Korea–focused 38 North Project, which helped analyze the findings along with Google-owned security firm Mandiant—provide a glimpse at how North Korea can use skilled IT and tech workers to raise funds for its heavily sanctioned regime. It also comes as US officials increasingly warn about North Korean IT workers infiltrating companies and their outsourcing.

North Korea’s internet is a small—and fragile—space. The repressive nation only has 1,024 IP addresses and around 30 websites that connect to the global internet. While there is a limited internal intranet, only a few thousand of the country’s 26 million people can get on the internet. When they do, it’s highly controlled: These select few North Koreans can use the internet for an hour at a time and have a person sitting next to them approving their use every five minutes.

When Roy discovered the exposed cloud server, it was being updated on a daily basis. Martyn Williams, a senior fellow on the 38 North Project who helped analyze the contents of the server, says the server likely allowed work to be sent to and from North Korean animators. The server itself is still live, but it mysteriously stopped being used at the end of February. While there is a login page, its contents can be accessed without a username and password. “I found the login page after I found all the exposed files,” Roy says.

Inside, the files contained editing comments and instructions in Chinese which were translated to Korean, the researchers write in their report. “For a lot of the animation files, we would find things like spreadsheets with details of the workflow,” Williams says. A sample of the files shared with WIRED show detailed anime images and video clips, with notes for the authors and date stamps on various files. In one instance, the report says, an animator was “asked to improve the shape of the character’s head.”

Based on the documents and drawings, the researchers were able to identify some of the shows and projects the North Koreans were working on. Some of the projects included work from season 3 of the Amazon show _Invincible_, which is produced by California-based Skybound Entertainment. There were also documents linked to Max and Cartoon Network show _Iyanu: Child of Wonder_, produced by YouNeek Studios, as well as files from a Japanese anime series and an animation studio in Japan.

Some file names gave away clues about the series and episode numbers. There were also files and projects the researchers could not identify—including a “bunch of files” with videos of horses and a Russian book on horses, Williams says.

Sanctions placed upon the North Korean regime, for its ongoing human rights abuses and nuclear warfare programs, prohibit US companies from working with DPRK companies or individuals. However, the researchers say it is highly unlikely that any companies involved would have a clue about North Korean animators working on the shows, and there is nothing suggesting the companies violated any sanctions or other laws. “It is likely that the contracting arrangement was several steps downstream from the major producers,” the report says.

Spokespeople for Amazon and Max spokesperson declined to comment for this story. YouNeek Studios did not respond to a request for comment.

“We do not work with North Korean companies, or Chinese companies on _Invincible_, or any affiliated entities, and have no knowledge of any North Korean or Chinese companies working on _Invincible_,” a spokesperson for Skybound Entertainment says. “We take any claims very seriously and have commenced an investigation into this.” In a post on X, the company characterized the findings as “unconfirmed” and said it is working with authorities to investigate.

Williams says it is possible that a front company in China is used to help disguise the activity and involvement of North Koreans. The researchers were able to analyze connections to the exposed server and, despite most having their location masked by a VPN, spotted access from Spain and three Chinese cities. “All three cities are known to have many North Korean–operated businesses and are main centers for North Korea’s IT workers who live overseas,” the report says.

While Williams says the researchers did not find any identifiable names of North Korean organizations buried in the files, the country has a well-established animation company called April 26 Animation Studio, which is also known as SEK Studio. Originally set up in the 1950s, the studio has worked on hundreds of international TV shows and movies.

However, in recent years, the US Treasury Department has sanctioned SEK Studios, individuals linked to it, and various “front companies” that it says are used to “work for foreign customers.” Many of these have links to China, according to the sanctions. “SEK Studio has utilized an assortment of front companies to evade sanctions targeting the government of the DPRK and to deceive international financial institutions,” a statement issued as part of the sanctions in 2021 says.

The main aim of these efforts, says Michael Barnhart, a North Korea researcher at Mandiant, is to raise money for the North Korean regime. The country’s hackers and scammers have stolen and extorted billions of dollars to help fund its military ambitions in recent years, including from huge cryptocurrency heists. In early 2022, the FBI issued a 16-page alert warning companies that remote North Korean freelance IT workers were infiltrating businesses to earn money they could funnel back home.

“The volume is much higher than we were expecting,” Barnhart says of North Korea’s IT workers. They are constantly changing their tactics to avoid being caught, he says. “We had one not too long ago, where during the interview, the person’s mouth was just off-frame. You could tell that someone in the background was speaking on their behalf.” Technically, Barnhart says, companies should verify their remote workers’ devices and make sure that there is no remote software connecting to a company laptop or network. Businesses should also put extra efforts at the hiring stage by training HR staff to detect possible IT workers.

However, he says, increasingly there is a greater crossover between North Korean IT workers and individuals who are members of known hacking groups or classified as advanced persistent threats (APTs). “The more we focus on IT workers, the more we’re starting to see APT operators and efforts blending in with those,” he says. “This might be the most quick learning-on-your-feet, nimble nation-state that I've ever seen.”

North Koreans Secretly Animated Amazon and Max Shows, Researchers Say

Plus: New York’s legislature suffers a cyberattack, police disrupt a global phishing operation, and Apple removes encrypted messaging apps in China.

Looking for love? Be careful what you wish for.

A loose-knit community of con artists known as Yahoo Boys has begun using real-time face-swap technology to woo victims with romance scams. Using a variety of tools and techniques, the scammers use AI-powered apps to make themselves look like entirely different people on video calls. Just remember: If someone you’ve never met IRL is asking you for money, just say no.

Elsewhere in the world of harmful deepfakes, two major websites used for creating fake nude images of people are now blocked in the United Kingdom. The censorship, which appears to be self-imposed, comes just days after the UK proposed legislation that would ban nonconsensual, sexualized AI-generated images.

A Russian cybercriminal gang called Cyber Army of Russia Reborn appears to have been created with the help of Sandworm, the notorious Russian military hacking unit that has carried out devastating cyberattacks against Ukraine for years. The difference? Cyber Army of Russia Reborn is even more brazen, taking credit for attacks against critical infrastructure in Europe and the United States.

Change Healthcare’s ransomware saga entered a new chapter this week. A cybercriminal group called RansomHub claims to be selling highly sensitive patient information stolen from the company. The sale follows RansomHub’s claims that it possesses terabytes of data stolen in a February attack by another ransomware gang known as AlphV or Black Cat, which received a $22 million payment in March. Change Healthcare says it has spent $872 million response to the ransomware attack as of March 31.

The biggest global surveillance program carried out by the US may be about to get bigger. A two-year renewal of Section 702 of the Foreign Intelligence Surveillance Act, which technically expired on Friday, will soon go up for a vote by the US Senate after passing the House last week. Included in the legislation is a provision that would greatly expand the number of businesses that could be conscripted to spy on behalf of the US government, which critics have called the “Stasi provision.” One of the largest lobbying firms for Big Tech companies has opposed the provision over fears that tech industry workers could be forced to become informants.

That’s not all. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

There’s a kernel of truth in every good fiction, which is why the very real Defense Advanced Research Projects Agency, or Darpa, is a constant go-to for shows like the _X-Files_ and games like _Metal Gear Solid_. It tends to pop up whenever a shadowy government agency is needed to reverse engineer a stolen alien artifact or construct a giant killer robot. A Darpa announcement this Thursday, however, sounds almost too much like the opening sequence of a Hideo Kojima game: With the help of the US Air Force Test Pilot School, the agency says an experimental aircraft known as the X-62 was successfully flown by artificial intelligence during a simulated dogfight against a human pilot in an F-16. “The potential for autonomous air-to-air combat has been imaginable for decades,” US Air Force secretary Frank Kendall says, “but the reality has remained a distant dream up until now.”

**New York State Legislature Hit by Cyberattack**

Details are scant as to the impact, but for at least several hours this week, hackers felled computer systems supporting the work of New York’s state legislature. While an attack on something called the Legislative Bill Drafting Commission isn’t quite as jaw-dropping as one against a power plant or a naval base, the LBDC is one of a dozen required stops that legislation in New York must make en route to becoming law. Bills can’t be introduced, amended, or reviewed by committee without it, much less get a vote. Luckily, the agency reports it was able to get back on its feet within a few hours using a “backup system.” An investigation of the attack is ongoing.

**Police Disrupt Global Phishing Operation**

An armada of law enforcement agencies arrested 37 suspects around the world last weekend in an operation targeting LabHost, reportedly one of the world’s largest phishing-as-a-service platforms. The investigation was spearheaded by the London Metropolitan Police in cooperation with Europol. Investigators uncovered a whopping 40,000 phishing domains being operated by as many as 10,000 users worldwide, Europol says. LabHost charged a monthly fee of $249. That cybercriminals have discovered the psychological benefits of just-below pricing is yet another sign of the growing popularity and sophistication of these markets.

**Apple Removes Encrypted Messaging Apps in China**

Encrypted messaging apps WhatsApp, Signal, and Telegram have gone the way of Winnie the Pooh. Citing “national security concerns,” China ordered Apple to delete “certain apps” from its Chinese App Store this week, the tech behemoth announced (while neglecting to specify which ones). Apple reportedly met with Chinese authorities to express concern over how banning the apps would impact its users but relented after being met with a stone wall. “We are obligated to follow the laws in the countries where we operate,” the company said, “even when we disagree.” Apple is heavily dependent on China’s workforce to manufacture its products, and sales in the region have topped $70 billion in recent years. That Apple has become beholden to the Chinese government because of this is no longer much of a secret.

AI-Controlled Fighter Jets Are Dogfighting With Human Pilots Now

The world's most-visited deepfake website and another large competing site are stopping people in the UK from accessing them, days after the UK government announced a crackdown.

Two of the biggest deepfake pornography websites have now started blocking people trying to access them from the United Kingdom. The move comes days after the UK government announced plans for a new law that will make creating nonconsensual deepfakes a criminal offense.

Nonconsensual deepfake pornography websites and apps that “strip” clothes off of photos have been growing at an alarming rate—causing untold harm to the thousands of women they are used to target.

Clare McGlynn, a professor of law at Durham University, says the move is a “hugely significant moment” in the fight against deepfake abuse. “This ends the easy access and the normalization of deepfake sexual abuse material,” McGlynn tells WIRED.

Since deepfake technology first emerged in December 2017, it has consistently been used to create nonconsensual sexual images of women—swapping their faces into pornographic videos or allowing new “nude” images to be generated. As the technology has improved and become easier to access, hundreds of websites and apps have been created. Most recently, schoolchildren have been caught creating nudes of classmates.

The blocks on the deepfake websites in the UK were first spotted today, with two of the most prominent services displaying notices on their landing pages that they are no longer accessible to people visiting from the country. WIRED is not naming the two websites due to their enabling of abuse.

One of the websites with the restriction in place is the biggest deepfake pornography website existing today. Its homepage, when visiting from the UK, displays a message saying access is denied. “Due to laws or (upcoming) legislation in your country or state, we are unfortunately obligated to deny you access to this website,” the message says. It also shows the visitor’s IP address and country.

The other website, which also has an app, displays a similar message. “Access to the service in your country is blocked,” it says, before hinting there may be ways to get around the geographic restriction. The websites do not appear to have any restrictions in place when visiting from the United States, although may also be restricted in other countries.

It is not immediately clear why the sites have introduced the location blocks or whether they have done so in response to any legal orders or notices. Nor is it clear whether the blocks are temporary. Messages sent to the websites through email addresses and contact forms went unanswered. The creators of the websites have not posted any public messages on the websites or their social media channels about the blocks.

Ofcom, the UK’s communications regulator, has the power to persue action against harmful websites under the UK’s controversial sweeping online safety laws that came into force last year. However, these powers are not yet fully operational, and Ofcom is still consulting on them.

It’s likely the restrictions may significantly limit the amount of people in the UK seeking out or trying to create deepfake sexual abuse content. Data from Similarweb, a digital intelligence company, shows the biggest of the two websites had 12 million global visitors last month, while the other website had 4 million visitors. In the UK, they had around 500,000 and 50,000 visitors, respectively.

This week, politicians in the UK announced plans for a law that criminalizes the creation of nonconsensual deepfakes. Under the law, which is yet to be passed, people could face an unlimited fine if they create deepfakes to “cause alarm, humiliation, or distress to the victim.” This builds on previous provisions that make it illegal for people in the UK to share sexualized deepfakes.

“While it’s unclear if these platforms have been ordered to block UK access or have done so proactively due to the recent criminalization, it shows legislation can make a meaningful difference in removing the legal ambiguity that many deepfake pornography platforms use as cover for the clear ethical harms they cause,” Henry Ajder, an AI and deepfake expert, tells WIRED. Ajder adds that search engines and hosting providers around the world should be doing more to limit the spread and creation of harmful deepfakes.

While the two websites can still be accessed in the UK using a VPN, the restrictions are a sign that constant pressure—from lawmakers, tech companies, and campaigners—can make deepfake porn harder to access and create. “Of course, people will be able to use VPN to access these websites and apps, but that introduces friction,” Durham University’s McGlynn says. “It introduces a message that there’s something wrong and harmful about this material such that you have to use a VPN to access it.”

“Hopefully,” McGlynn adds, “this can show other governments around the world that if we take steps, we could actually reduce the prevalence \[of\] and easy access to deepfake sexual abuse material.”

The Biggest Deepfake Porn Website Is Now Blocked in the UK

One juror in former US president Donald Trump’s criminal case in New York has been excused over fears she could be identified. It could get even messier.

You’ve been asked to serve on the jury in the first-ever criminal prosecution of a United States president. What could possibly go wrong? The answer, of course, is everything.

A juror in former president Donald Trump’s ongoing criminal trial in New York was excused on Thursday after voicing fears that she could be identified based on biographical details that she had given in court. The dismissal of Juror 2 highlights the potential dangers of participating in one of the most politicized trials in US history, especially in an age of social media frenzies, a highly partisan electorate, and a glut of readily available personal information online.

Unlike jurors in federal cases, whose identities can be kept completely anonymous, New York law allows—and can require—the personal information of jurors and potential jurors to be divulged in court. Juan Merchan, the judge overseeing Trump’s prosecution in Manhattan, last month ordered that jurors’ names and addresses would be withheld. But he could not prevent potential jurors from providing biographical details about themselves during the jury selection process, and many did. Those details were then widely reported in the press, potentially subjecting jurors and potential jurors to harassment, intimidation, and threats—possibly by Trump himself. Merchan has since blocked reporters from publishing potential jurors’ employment details.

The doxing dangers that potential jurors face became apparent on Monday, day one of the proceedings. An update in a _Washington Post_ liveblog about Trump’s trial revealed the Manhattan neighborhood where one potential juror lived, how long he’d lived there, how many children he has, and the name of his employer. Screenshots of the liveblog update quickly circulated on social media, as people warned that the man could be doxed, or have his identity revealed publicly against his will with the intent to cause harm, based solely on that information.

“It's quite alarming how much information someone skilled in OSINT could potentially gather based on just a few publicly available details about jurors or potential jurors,” says Bob Diachenko, cyber intelligence director at data-breach research organization Security Discovery and an expert in open source intelligence research.

Armed with basic personal details about jurors and certain tools and databases, “an OSINT researcher could potentially uncover a significant amount of personal information by cross-referencing all this together,” Diachenko says. “That's why it's crucial to consider the implications of publicly revealing jurors' personal information and take steps to protect their privacy during criminal trials.”

Even without special OSINT training, it can be trivial to uncover details about a juror’s life. To test the sensitivity of the information the _Post_ published, WIRED used a common reporting tool to look up the man’s employer. From there, we were able to identify his name, home address, phone number, email address, his children’s and spouse’s identities, voter registration information, and more. The entire process took roughly two minutes. The _Post_ added a clarification to its liveblog explaining that it now excludes the man’s personal details.

The ready availability of those details illustrates the challenges in informing the public about a highly newsworthy criminal case without interfering in the justice process, says Kathleen Bartzen Culver, the James E. Burgess Chair in Journalism Ethics and director of the School of Journalism & Mass Communication at the University of Wisconsin-Madison.

“Simply because a notable figure is on trial does not mean that a juror automatically surrenders any claim to privacy,” Bartzen Culver says. “People who have been drawn into a case that is exceptionally newsworthy are not aware that a simple statement that they make about where they work might identify them and open them up to scrutiny and possibly risk.”

The dangers to jurors or potential jurors has only increased since the first day of jury selection, which remains ongoing, in part due to the challenges of prosecuting a former US president and the presumptive Republican nominee in the 2024 US presidential election. Trump is charged with 34 counts of falsifying business records, a class E felony in New York state, for payments made ahead of the 2016 presidential election related to alleged affairs with two women, adult performer Stormy Daniels and Playboy model Karen McDougal. Trump has claimed his prosecution is a “communist show trial” and a “witch hunt” and has pleaded not guilty.

On Fox News, coverage of Trump’s trial has repeatedly focused on the potential political motivations of the jurors, bolstering the former president’s claims. Trump, in turn, has repeated the claims by the conservative news network’s hosts. In a post on Truth Social on Wednesday, Trump quoted Fox News commentator Jesse Watters claiming on air that potential jurors in Trump’s trial are “undercover liberal activists lying to the judge in order to get on the Trump jury.” This, despite a gag order that forbids Trump from “making or directing others to make public statements about any prospective juror or any juror in this criminal proceeding.”

Broader media coverage of the Trump trial jurors appears to often be the work of political reporters who are unfamiliar with the journalism ethics specific to covering a criminal trial, says UW-Madison’s Bartzen Culver. “It's like when political reporters covered Covid and science journalists lost their minds.” She adds that it’s important for any journalist covering a criminal case—Trump’s or otherwise—to “consider our role within the justice system.”

“Unethical behavior by journalists can delay trials. It can result in overturned convictions and the people having to go back and do a retrial,” Bartzen Culver says. “That all works against our system of justice.”

The New York case is one of four ongoing criminal proceedings against Trump. In Georgia, where he faces multiple felony charges for alleged attempts to interfere with the state’s electoral process in 2020, Trump supporters leaked the addresses of members of the grand jury, after their names were listed in the 98-page indictment against the former president, as required by state law. Georgia’s Fulton County Sheriff’s Office said last August that it was investigating threats against the jury members. The incident highlights the persistent dangers people can face from Trump’s supporters, both in the near term and for the rest of their lives, if they’re viewed as having acted against him.

The leaks were discovered by Advance Democracy Inc. (ADI), a nonpartisan, nonprofit research and investigations organization founded by Daniel J. Jones, a former investigator for the FBI and the US Senate Intelligence Committee. So far, Jones tells WIRED, ADI has not uncovered attempts to dox jurors in Trump’s New York trial. But it’s still early days.

“We have not yet found identifying information on the extremist forums we monitor,” Jones says. “Having said that, I share your concern that it is only a matter of time before this happens.”

The Trump Jury Has a Doxing Problem

Watch how smooth-talking scammers known as “Yahoo Boys” use widely available face-swapping tech to carry out elaborate romance scams.

The compliments start flowing as soon as she answers the video call. “Wow, you so pretty, honey,” says the man on the other side of the screen. His video feed shows he’s white, with short hair, likely a few years younger than her, and is sitting in front of his camera wearing a plaid shirt.

“You’re looking different with that beard and stuff gone,” the woman says in an American accent as the conversation gets going. The man doesn’t miss a beat. “I told you I was going to shave my beard so I will look good.”

Except, he isn’t who he claims to be. His videofeed is a lie. And—beard or not—the face the woman can see over the video call is not his: It’s a deepfake.

In reality, the man is a scammer using face-swapping technology to totally change his appearance in real time. In a video of the call—filmed by the scammer’s accomplice likely thousands of miles away from the woman—his real face can be seen on this laptop alongside the fake persona as he speaks to his victim.

This self-shot video is one of scores posted online by scammers known as Yahoo Boys, a loose collective of con artists, often based in Nigeria. The video reveals how they are using deepfakes and face-swapping to ensnare victims in romance scams, building trust with victims using fake identities, before tricking them into parting with thousands of dollars. More than $650 million was lost to romance fraud last year, the FBI says.

A Yahoo Boy scammer uses multiple phones and face-swapping software against a victim. It’s one of two techniques the group uses for real-time calls.

The Yahoo Boys have been experimenting with deepfake video clips for around two years and shifted to more real-time deepfake video calls over the last year, says David Maimon, a professor at Georgia State University and the head of fraud insights at identity verification firm SentiLink. Maimon has monitored the Yahoo Boys on Telegram for more than four years and shared dozens of videos with WIRED revealing how the scammers are using deepfakes.

A WIRED review of the videos and three associated Yahoo Boy Telegram channels shows how the con artists’ techniques have evolved as deepfake applications and artificial intelligence have improved. It is one of the first times the specific tactics and outlandish techniques of scammers using deepfake video calls has been documented in this detail.

The videos show Yahoo Boys using the technology on setups involving both laptops and phones. In multiple videos, the scammers often brazenly show their own faces, as well as those of the victims they are scamming. “I don't think they're doing this because they’re stupid,” Maimon says. “I think that they simply don’t care, and they’re not afraid of the repercussions.”

The Yahoo Boys are experienced scammers—and they openly brag about it. Photos and videos of their conning and recruitment can be found all across social media, from Facebook to TikTok. However, the cybercriminals, who have links back to Nigerian prince email scams, are arguably their most open on Telegram.

In groups containing thousands of members, Yahoo Boys organize and advertise their individual skills for a smorgasbord of scams. They’re skilled social manipulators, who can have long-lasting impacts on their victims. Business email compromise, crypto scams, and impersonation scams are all touted in hundreds of posts per day. Members claim to be selling photo and video editing skills and entire albums of explicit photographs that can be used to build a convincing persona. Fake IDs and legitimate-looking social media profiles are for sale. Scam “scripts” are free to download.

“The Yahoo Boys have elements of organized crime and disorganized crime,” says Paul Raffile, an intelligence analyst at the Network Contagion Research Institute, who has investigated Yahoo Boys sextorting teenagers and driving them towards suicide. “They don't have a leader, they don’t have a governance structure.” Rather, Raffile says, they organize in clusters and share advice and tips online. Telegram did not respond to WIRED’s request for comment about Yahoo Boys’ channels, but the three channels no longer appear to be accessible.

The digital con artists started using deepfakes as part of their romance scams around May 2022, says Maimon. “What folks were doing was just posting videos of themselves, changing their appearance, and then sending them to the victim—trying to lure them to talk to them,” he says. Since then, they’ve moved on.

To create their videos, the Yahoo Boys are using a handful of different software and apps. WIRED is not naming the specific software, to limit people’s ability to copy the attacks. However, the tools they are using are often advertised for entertainment purposes, such as allowing people to swap their faces with celebrities or influencers.

The Yahoo Boys’ live deepfake calls run in two different ways. In the first, shown above, the scammers use a setup of two phones and a face-swapping app. The scammer holds the phone they are calling their victim with—they’re mostly seen using Zoom, Maimon says, but it can work on any platform—and uses its rear camera to record the screen of a second phone. This second phone has its camera pointing at the scammer’s face and is running a face-swapping app. They often place the two phones on stands to ensure they don’t move and use ring lights to improve conditions for a real-time face-swap, the videos show.

The second common tactic—shown below—uses a laptop instead of a phone. (WIRED has blurred real faces in both videos.) Here, the scammer uses a webcam to capture their face and software running on the laptop changes their appearance. Videos of the setup show scammers are able to see their own face alongside the altered deepfake, with just the manipulated image being displayed over the live video call.

Maimon says he and his teams have tracked down some of the victims, both in deepfake videos and photo albums being sold by Yahoo Boys, and have tried to contact them. WIRED was not able to determine the real identities of victims or scammers, and it is not clear how many times deepfakes have been used. Still, the videos appearing to feature victims reveal how the scammers build rapport with their targets.

Videos show scammers telling people they “love” them and frequently complimenting their appearance. In one video, a scammer says they want to travel to Canada to meet their target, and when they do, they will pay them “instantly,” suggesting the target has sent them money that the scammer has falsely promised to pay back. Other videos contain deeply personal information, showing the levels of trust that scammers can create with the people they target. “Some victims, they talk about their eating disorders, they talk about their depression,” Maimon says.

The videos are likely only a snapshot of the Yahoo Boys’ romance-scamming activity, and many of the videos they self-publish are partly intended to show off their capabilities to allow others to “buy” the approach. Raffile says that, as he investigated the groups for sextortion, he noticed most face-swapping was being used for romance scams. However, there were also instances where Yahoo Boys claimed to use deepfake “nude” generators on photographs.

The scammers can run face-swapping software on laptops. It mimics their facial expressions and mouth movements.

Artificial intelligence will supercharge scams. While deepfake videos have been around for more than half a decade—mostly used for nonconsensual pornography—they’re often glitchy and easy to spot. Lips don’t sync up as people talk, and errors are relatively trivial to detect. However, the technology is quickly improving and becoming easier for anyone to use.

Some of the Yahoo Boy videos are unbelievable, obvious fakes, while others appear plausible. When they’re viewed live, on a mobile phone, with unstable connections, any obvious flaws may be masked—especially if a scammer has spent months social-engineering their victim.

Rachel Tobac, the cofounder and CEO of SocialProof security, who along with company CTO Evan Tobac reviewed a selection of Yahoo Boy videos for WIRED, says she has generally seen some face swapping being used in romance scams over the past 12 months. “They were not super convincing last year, when I checked them out. This year, a lot has changed,” Rachel Tobac says. “Especially the ones where they’re able to change the pitch of their voice and the look of their face—sometimes changing skin tone, hair, eye color, everything’s matched. It’s pretty wild.”

The Yahoo Boys appear to often use existing personas and faces built into the apps. The scammers largely talk using their own voices, although in a couple of videos this may have also been altered. In many of the videos seen by WIRED, the onscreen characters can turn their heads but not move their entire bodies. Their lips and facial expressions move with those made by the face of the scammer. The capabilities of these tools will only improve over time.

Andrew Newell, the chief scientific officer at identity verification company iProov, says he has seen a “massive change” in the number of face-swapping systems being used in the last year, tracking more than 100 different tools. Only a fraction of these tools allow for real-time face-swapping, he says. “We have seen quite big advances in terms of how good these live tools are.”

While the Yahoo Boys may not develop their own software or be technically sophisticated, Maimon says, they are versatile. They’ll run multiple scams at once, speak with dozens of victims at a time, and different individuals will have the skills needed to complete an entire scam. “There's a constant evolution,” Maimon says.

Ronnie Tokazowski, the chief fraud fighter at Intelligence for Good, which works with cybercrime victims, says because the Yahoo Boys have used deepfakes for romance scams, they’ll pivot to using the technology for their other scams. “This is kind of an early warning where it's like: ‘OK, they’re really good at doing these things. Now, what’s the next thing they're going to do?’”

The Real-Time Deepfake Romance Scams Have Arrived

One of Silicon Valley’s most influential lobbying arms joins privacy reformers in a fight against the Biden administration–backed expansion of a major US surveillance program.

A trade organization representing some of the world’s largest information technology companies—Google, Amazon, IBM, and Microsoft among them—say its members are voicing strong opposition to ongoing efforts by the Biden administration to dramatically expand a key US government surveillance authority.

The US Senate is poised to vote Thursday on legislation that would extend a global wiretap program authorized under the Foreign Intelligence Surveillance Act (FISA). Passed by the House of Representatives last week, a provision contained in the bill—known as the Reforming Intelligence and Securing America Act (RISAA)—threatens to significantly expand the scope of the spy program, helping the government to compel the assistance of whole new categories of businesses.

Legal experts argue the provision could enable the government to conscript virtually anyone with access to facilities or equipment housing communications data, forcing “delivery personnel, cleaning contractors, and utilities providers,” among others, to assist US spies in acquiring access to Americans’ emails, phone calls, and text messages—so long as one side of the communication is foreign.

A global tech trade association, the Information Technology Industry Council (ITI), is now urging Congress not to pass RISAA without removing a key provision “dramatically expanding the scope of entities and individuals covered” by the program, known as Section 702. Changes to the 702 program included in the House bill, ITI says, would only serve to send customers in the US and abroad fleeing to foreign competitors, convincing many that technology in the US is far too exposed to government surveillance.

The group’s membership includes several major equipment manufacturers, such as Ericsson, Nokia, and Broadcom, as well as large cloud storage providers like Google, Microsoft, IBM, and Salesforce. “ITI’s position is that the provision should be removed,” the group’s communications director, Janae Washington, tells WIRED. “Our positions are based on member consensus.”

The individual ITI member companies WIRED contacted for their comment on the legislation did not immediately respond or declined to comment.

The provision under fire stems from a ruling handed down by the US government’s secret surveillance court—the FISA court—that oversees the 702 program. The program is designed to target the communications of foreigners, including calls and emails to and from US citizens. To this aim, the federal statute specifies that the government may compel the assistance of businesses that fall into the category of what it calls “electronic communications service providers,” or ECSPs.

Companies like Google and AT&T have typically fallen into this category as direct providers of the services being wiretapped; however, the US government has also moved in recent years to interpret the term more broadly as part of an effort to expand the roster of entities whose assistance it’s allowed to compel.

The FISA court, in a decision backed by its own review body, pushed back against the expanded definition, telling the government that what constitutes an ECSP remains “open to reconsideration by the branches of government whose competence and constitutional authority extend to statutory revision.”

More concisely: The court reminded the government that only Congress has the power to rewrite the law.

The US Intelligence Community (IC) thus began a campaign to ensure that this year’s legislation reauthorizing the 702 program redefines “ECSP” to address what it calls a “collection gap resulting from recent court opinions.”

Internal emails obtained by WIRED show that members of the House Intelligence Committee served as intermediaries for the IC in its campaign to convince Congress to support the provision. An email circulated to House members in February by Michael Calcagni, the intel committee’s deputy staff director, for instance, informed lawmakers that the “collection gap” was both “serious and dangerous” and that “contrary to unsubstantiated assertions, it would not authorize or enable the Government to conduct surveillance of any American who connects to public WiFi at a Starbucks or McDonalds.”

One of the nation’s leading FISA experts, Marc Zwillinger, a private attorney who has twice appeared before the FISA Court of Review, began raising the alarm in December over the provision, pointing to text that would allow the government to compel the assistance of “any service provider” with access to “equipment that is being or may be used to transmit or store” communications, so long as one of the recipients is a foreigner reasonably believed to be overseas.

While rejecting Zwillinger’s analysis publicly, House intel members nevertheless attempted to quietly “narrow” the provision to clamp down on any criticism, excluding a handful of business types such as senior centers, hotels, and coffee shops. In a follow-up last week, Zwillinger and other attorneys who’ve made rare appearances before the FISA court characterized the intel committee’s improvements as “marginal,” saying the need for the exclusions only served to demonstrate the government is overreaching.

The provision, Zwillinger says, continues to ensnare owners and operators of facilities housing equipment used to store and carry data, “such as data centers and buildings owned by commercial landlords, who merely have access to communications equipment in their physical space.” The text could be interpreted to extend to “delivery personnel, cleaning contractors, and utility providers.” And while the new provision excludes businesses like coffee shops, those businesses typically rely on cloud computer services whose equipment remains subject to the 702 program’s expanded scope.

“Although the effects of this provision may be unintentional, its impacts would be very real,” ITI’s senior vice president of policy, John Miller, says. “The language in the provision vastly expands the US government’s warrantless surveillance capabilities, damaging the competitiveness of US technology companies large and small, and arguably imperiling the continued global free flow of data between the US and its allies.”

Should it become apparent to the world that America’s top IT companies—data centers, cloud providers, and security services alike—have been turned into a watering hole for the US Intelligence Community, many customers will “likely look to foreign competitors,” Miller says, companies whose technologies are viewed as less exposed to clandestine government requests.

“There is no greater responsibility of the US government than to provide for the security of the country,” he says, adding it was incumbent upon to craft legislation to address national security concerns “in a focused way.”

_Updated 4/17/2024, 6:30 pm ET: Added additional details clarifying ITI's position on RISAA._

Big Tech Says Spy Bill Turns Its Workers Into Informants

Cyber Army of Russia Reborn, a group with ties to the Kremlin’s Sandworm unit, is crossing lines even that notorious cyberwarfare unit wouldn’t dare to.

Russia's military intelligence unit known as Sandworm has, for the past decade, served as the Kremlin’s most aggressive cyberattack force, triggering blackouts in Ukraine and releasing self-spreading, destructive code in incidents that remain some of the most disruptive hacking events in history. In recent months, however, one group of hackers linked to Sandworm has attempted a kind of digital mayhem that, in some respects, goes beyond even its predecessor: They've claimed responsibility for directly targeting the digital systems of a hydroelectric dam in France and water utilities in the United States and Poland, flipping switches and changing software settings in an apparent effort to sabotage those countries’ critical infrastructure.

Since the beginning of this year, a hacktivist group known as the Cyber Army of Russia, or sometimes Cyber Army of Russia Reborn, has taken credit on at least three occasions for hacking operations that targeted US and European water and hydroelectric utilities. In each case, the hackers have posted videos to the social media platform Telegram that show screen recordings of their chaotic manipulation of so-called human-machine interfaces, software that controls physical equipment inside those target networks. The apparent victims of that hacking include multiple US water utilities in Texas, one Polish wastewater treatment plant, and a French hydroelectric plant—though it’s not clear exactly how much disruption or damage the hackers may have managed against any of those facilities.

A new report published today by cybersecurity firm Mandiant draws a link between that hacker group and Sandworm, which has been identified for years as Unit 74455 of Russia’s GRU military intelligence agency. Mandiant found evidence that Sandworm helped create Cyber Army of Russia Reborn and tracked multiple instances when data stolen from networks that Sandworm had attacked was later leaked by the Cyber Army of Russia Reborn group. Mandiant couldn't determine, however, whether Cyber Army of Russia Reborn is merely one of the many cover personas that Sandworm has adopted to disguise its activities over the last decade or instead a distinct group that Sandworm helped to create and collaborated with but which is now operating independently.

Either way, Cyber Army of Russia Reborn’s hacking has now, in some respects, become even more brazen than Sandworm itself, says John Hultquist, who leads Mandiant’s threat-intelligence efforts and has tracked Sandworm’s hackers for nearly a decade. He points out that Sandworm has never directly targeted a US network with a disruptive cyberattack—only planted malware on US networks in preparation for one or, in the case of its 2017 NotPetya ransomware attack, infected US victims indirectly with self-spreading code. Cyber Army of Russia Reborn, by contrast, hasn’t hesitated to cross that line.

“Even though this group is operating under this persona that’s tied to Sandworm, they do seem more reckless than any Russian operator we’ve ever seen targeting the United States,” Hultquist says. “They’re actively manipulating operational technology systems in a way that’s highly aggressive, probably disruptive, and dangerous.”

**An Overflowed Tank and a French Rooster**

Mandiant didn't have access to the targeted water utility and hydroelectric plant networks, so wasn't able to determine how Cyber Army of Russian Reborn got access to those networks. One of the group’s videos posted in mid-January, however, shows what appears to be a screen recording that captures the hackers’ manipulation of software interfaces for the control systems of water utilities in the Texas towns of Abernathy and Muleshoe. “We are starting our next raid across the USA,” reads a message introducing the video on Telegram. “In this video there are a couple of critical infrastructure objects, namely water supply systems😋”

A screen recording shows Cyber Army of Russian Reborn clicking buttons on the interface of a water utility in Texas.

Cyber Army of Russia Reborn via Telegram

The video then shows the hackers frenetically clicking around the target interface, changing values and settings for both utilities’ control systems. Though it’s not clear what effects that manipulation may have had, the Texas newspaper _The Plainview Herald_ reported in early February that local officials had acknowledged the cyberattacks and confirmed some level of disruption. The city manager for Muleshoe, Ramon Sanchez, reportedly said in a public meeting that the attack on the town’s utility had resulted in one water tank overflowing. Officials for the nearby towns of Abernathy and Hale Center—a target not mentioned in the hackers’ video—also said they’d been hit. All three towns’ utilities, as well as another, in Lockney, reportedly disabled their software to prevent its exploitation, but officials said that service to the water utilities’ customers was never interrupted. (WIRED reached out to officials from Muleshoe and Abernathy but didn't immediately hear back.)

Another screen recording shows Cyber Army of Russian Reborn tampering with the control systems of a Polish wastewater treatment plant, seemingly changing settings at radom.

Cyber Army of Russia Reborn via Telegram

Another video the Cyber Army of Russia Reborn hackers posted in January shows what appears to be a screen recording of a similar attempted sabotage of a wastewater utility in Wydminy, a village in Poland, a country whose government has been a staunch supporter of Ukraine in the midst of Russia’s invasion. “Hi everybody, today we will play with the Polish wastewater treatment plants. Enjoy watching!” says an automated Russian voice at the beginning of the video. The video then shows the hackers flipping switches and changing values in the software, set to a Super Mario Bros. soundtrack.

A third screen recording shows Cyber Army of Russia Reborn's access to a French water utility.

Cyber Army of Russia Reborn via Telegram

In a third video, published in March, the hackers similarly record themselves tampering with the control system for what they describe as the Courlon Sur Yonne hydroelectric dam in France. That video was posted just after French president Emmanuel Macron had made public statements suggesting he would send French military personnel to Ukraine to aid in its war against Russia. The video starts by showing Macron in the form of a rooster holding a French flag. “We recently heard a French rooster crowing,” the video says. “Today we’ll take a look at the Courlon dam and have a little fun. Enjoy watching, friends. Glory to Russia!”

In their Telegram post, the hackers claim to have lowered the French dam’s water level and stopped the flow of electricity it produced, though WIRED couldn’t confirm those claims. Neither the Wydminy facility nor the owner of the Courlon dam, Energies France, responded to WIRED’s request for comment.

In the videos, the hackers do display some knowledge of how a water utility works, as well as some ignorance and random switch-flipping, says Gus Serino, the founder of cybersecurity firm I&C Secure and a former staffer at a water utility and at the infrastructure cybersecurity firm Dragos. Serino notes that the hackers did, for instance, change the “stop level” for water tanks in the Texas utilities, which could have triggered the overflow that officials mentioned. But he notes that they also made other seemingly arbitrary changes, particularly for the Wydminy wastewater plant, that would have had no effect.

Hackers Linked to Russia’s Military Claim Credit for Sabotaging US Water Utilities

A cybercriminal gang called RansomHub claims to be selling highly sensitive patient information stolen from Change Healthcare following a ransomware attack by another group in February.

Change Healthcare is facing a new cybersecurity nightmare after a ransomware group began selling what it claims is Americans’ sensitive medical and financial records stolen from the health care giant.

“For most US individuals out there doubting us, we probably have your personal data,” the RansomHub gang said in an announcement seen by WIRED.

The stolen data allegedly includes medical and dental records, payment claims, insurance details, and personal information like Social Security numbers and email addresses, according to screenshots. RansomHub claimed it had health care data on active-duty US military personnel.

The sprawling theft and sale of sensitive health care data represents a dramatic new form of fallout from the February cyberattack on Change Healthcare that crippled the company’s claims-payment operations and sent the US health care system into crisis as hospitals struggled to stay open without regular funding.

Change Healthcare, a subsidiary of UnitedHealth Group, previously acknowledged that a ransomware gang known as BlackCat or AlphV breached its systems, and told WIRED last week that it is investigating RansomHub’s claims about possessing the company’s stolen data. Change Healthcare did not immediately respond to a request for comment about the group’s alleged sale of its data.

The wide variety of patient data that RansomHub claims to be selling is a testament to Change Healthcare’s role as a critical intermediary between insurers and health care providers, facilitating payments between both parties and collecting reams of sensitive information about patients and their medical procedures in the process.

Among the sample records that RansomHub posted are a list of open claims handled by the company’s EquiClaim subsidiary that includes patient and provider names; a hospital record for a 74-year-old woman in Tampa, Florida; and part of a database record related to US military service members’ health care.

RansomHub said it would allow individual insurance companies that worked with Change Healthcare and had their data compromised to pay ransoms to prevent the sale of their records. It specified that it was selling data belonging to MetLife, CVS Caremark, Davis Vision, Health Net, and Teachers Health Trust.

Change Healthcare’s “processing of sensitive data for all of these companies is just something unbelievable,” RansomHub said in its announcement.

Most firms whose data RansomHub claims to possess did not immediately respond to WIRED's request for comment.

Mike DeAngelis, the executive director of corporate communications for CVS Health says the company is “aware of unsubstantiated claims from threat actors that confidential data, including personal information of patients and members belonging to multiple organizations, was accessed as part of Change Healthcare’s cyber security incident.”

“We are closely monitoring Change Healthcare’s response to this issue and will provide updates with more information as appropriate,” DeAngelis adds, noting that Change Healthcare has not yet confirmed that patient data “was impacted by this incident.”

Brett Callow, a threat analyst at the security firm Emsisoft who closely tracks ransomware gangs, says the new sale of stolen data was probably “less about actually selling the data” and more about putting Change Healthcare—and the partner companies whose records it failed to protect—“under additional pressure to pay.”

Change Healthcare appears to have paid a $22 million ransom to AlphV to stop it from leaking terabytes of stolen data.

Two months into the crisis spawned by the ransomware attack, Change Healthcare has faced mounting losses. The company recently reported spending $872 million responding to the incident as of March 31.

At the same time, Change is under increasing pressure from lawmakers and regulators to explain its cybersecurity lapse and the steps it’s taking to prevent another hack.

A subcommittee of the House Energy and Commerce Committee held a hearing on the health sector’s cyber posture on Tuesday, with key lawmakers saying they were disappointed that UnitedHealth Group declined to make an executive available to testify. And the Department of Health and Human Services is investigating whether Change Healthcare’s failure to prevent hackers from accessing and stealing its data violated federal data-security rules.

_Updated 4/16/2024, 5:38 pm ET: Added additional details about the firms whose data RansomHub claims to possess._

Source

Wired