In the very near future, victory will belong to the savvy blackhat hacker who uses AI to generate code at scale.

In the near future one hacker may be able to unleash 20 zero-day attacks on different systems across the world all at once. Polymorphic malware could rampage across a codebase, using a bespoke generative AI system to rewrite itself as it learns and adapts. Armies of script kiddies could use purpose-built LLMs to unleash a torrent of malicious code at the push of a button.

Case in point: as of this writing, an AI system is sitting at the top of several leaderboards on HackerOne—an enterprise bug bounty system. The AI is XBOW, a system aimed at whitehat pentesters that “autonomously finds and exploits vulnerabilities in 75 percent of web benchmarks,” according to the company’s website.

AI-assisted hackers are a major fear in the cybersecurity industry, even if their potential hasn’t quite been realized yet. “I compare it to being on an emergency landing on an aircraft where it’s like ‘brace, brace, brace’ but we still have yet to impact anything,” Hayden Smith, the cofounder of security company Hunted Labs, tells WIRED. “We’re still waiting to have that mass event.”

Generative AI has made it easier for anyone to code. The LLMs improve every day, new models spit out more efficient code, and companies like Microsoft say they’re using AI agents to help write their codebase. Anyone can spit out a Python script using ChatGPT now, and vibe coding—asking an AI to write code for you, even if you don’t have much of an idea how to do it yourself—is popular; but there’s also vibe hacking.

“We’re going to see vibe hacking. And people without previous knowledge or deep knowledge will be able to tell AI what it wants to create and be able to go ahead and get that problem solved,” Katie Moussouris, the founder and CEO of Luta Security, tells WIRED.

Vibe hacking frontends have existed since 2023. Back then, a purpose-built LLM for generating malicious code called WormGPT spread on Discord groups, Telegram servers, and darknet forums. When security professionals and the media discovered it, its creators pulled the plug.

WormGPT faded away, but other services that billed themselves as blackhat LLMs, like FraudGPT, replaced it. But WormGPT’s successors had problems. As security firm Abnormal AI notes, many of these apps may have just been jailbroken versions of ChatGPT with some extra code to make them appear as if they were a stand-alone product.

Better then, if you’re a bad actor, to just go to the source. ChatGPT, Gemini, and Claude are easily jailbroken. Most LLMs have guard rails that prevent them from generating malicious code, but there are whole communities online dedicated to bypassing those guardrails. Anthropic even offers a bug bounty to people who discover new ones in Claude.

“It’s very important to us that we develop our models safely,” an OpenAI spokesperson tells WIRED. “We take steps to reduce the risk of malicious use, and we’re continually improving safeguards to make our models more robust against exploits like jailbreaks. For example, you can read our research and approach to jailbreaks in the GPT-4.5 system card, or in the OpenAI o3 and o4-mini system card.”

Google did not respond to a request for comment.

In 2023, security researchers at Trend Micro got ChatGPT to generate malicious code by prompting it into the role of a security researcher and pentester. ChatGPT would then happily generate PowerShell scripts based on databases of malicious code.

“You can use it to create malware,” Moussouris says. “The easiest way to get around those safeguards put in place by the makers of the AI models is to say that you’re competing in a capture-the-flag exercise, and it will happily generate malicious code for you.”

Unsophisticated actors like script kiddies are an age-old problem in the world of cybersecurity, and AI may well amplify their profile. “It lowers the barrier to entry to cybercrime,” Hayley Benedict, a Cyber Intelligence Analyst at RANE, tells WIRED.

But, she says, the real threat may come from established hacking groups who will use AI to further enhance their already fearsome abilities.

“It’s the hackers that already have the capabilities and already have these operations,” she says. “It’s being able to drastically scale up these cybercriminal operations, and they can create the malicious code a lot faster.”

Moussouris agrees. “The acceleration is what is going to make it extremely difficult to control,” she says.

Hunted Labs’ Smith also says that the real threat of AI-generated code is in the hands of someone who already knows the code in and out who uses it to scale up an attack. “When you’re working with someone who has deep experience and you combine that with, ‘Hey, I can do things a lot faster that otherwise would have taken me a couple days or three days, and now it takes me 30 minutes.’ That's a really interesting and dynamic part of the situation,” he says.

According to Smith, an experienced hacker could design a system that defeats multiple security protections and learns as it goes. The malicious bit of code would rewrite its malicious payload as it learns on the fly. “That would be completely insane and difficult to triage,” he says.

Smith imagines a world where 20 zero-day events all happen at the same time. “That makes it a little bit more scary,” he says.

Moussouris says that the tools to make that kind of attack a reality exist now. “They are good enough in the hands of a good enough operator,” she says, but AI is not quite good enough yet for an inexperienced hacker to operate hands-off.

“We’re not quite there in terms of AI being able to fully take over the function of a human in offensive security,” she says.

The primal fear that chatbot code sparks is that anyone will be able to do it, but the reality is that a sophisticated actor with deep knowledge of existing code is much more frightening. XBOW may be the closest thing to an autonomous “AI hacker” that exists in the wild, and it’s the creation of a team of more than 20 skilled people whose previous work experience includes GitHub, Microsoft, and a half a dozen assorted security companies.

It also points to another truth. “The best defense against a bad guy with AI is a good guy with AI,” Benedict says.

For Moussouris, the use of AI by both blackhats and whitehats is just the next evolution of a cybersecurity arms race she’s watched unfold over 30 years. “It went from: ‘I’m going to perform this hack manually or create my own custom exploit,’ to, ‘I’m going to create a tool that anyone can run and perform some of these checks automatically,’” she says.

“AI is just another tool in the toolbox, and those who do know how to steer it appropriately now are going to be the ones that make those vibey frontends that anyone could use.”

The Rise of ‘Vibe Hacking’ Is the Next AI Nightmare

For years, a powerful farm industry group served up information on activists to the FBI. Records reveal a decade-long effort to see the animal rights movement labeled a “bioterrorism” threat.

How the Farm Industry Spied on Animal Rights Activists and Pushed the FBI to Treat Them as Bioterrorists

Plus: An Iranian man pleads guilty to a Baltimore ransomware attack, Russia’s nuclear blueprints get leaked, a Texas sheriff uses license plate readers to track a woman who got an abortion, and more.

For years, a mysterious figure who goes by the handle Stern led the Trickbot ransomware gang and evaded identification—even as other members of the group were outed in leaks and unmasked. This week German authorities revealed, without much fanfare, who they believe that enigmatic hacker kingpin to be: Vi­ta­ly Ni­ko­lae­vich Kovalev, a 36-year-old Russian man who remains at large in his home country.

Closer to home, WIRED revealed that Customs and Border Protection has mouth-swabbed 133,000 migrant children and teenagers to collect their DNA and uploaded their genetic data into a national criminal database used by local, state, and federal law enforcement. As the Trump administration’s migrant crackdown continues, often justified through invocations of crime and terrorism, WIRED also uncovered evidence that ties a Swedish far-right mixed-martial-arts tournament to an American neo-Nazi “fight club” based in California.

For those seeking to evade the US government surveillance, we offered tips about more private alternatives to US-based web browsing, email, and search tools. And we assembled a more general guide to protecting yourself from surveillance and hacking, based on questions our senior writer Matt Burgess received in a Reddit Ask Me Anything.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**A Hacker May Have Deepfaked Trump’s Chief of Staff in a Phishing Campaign**

The FBI is investigating who impersonated Susie Wiles, the Trump White House’s chief of staff and one of the president’s closest advisers, in a series of fraudulent messages and calls to high-profile Republican political figures and business executives, The Wall Street Journal reported. Government officials and authorities involved in the probe say the spear-phishing messages and calls appear to have targeted individuals on Wiles’ contact list, and Wiles has reportedly told colleagues that her personal phone was hacked to gain access to those contacts.

Despite Wiles’ reported claim of having her device hacked, it remains unconfirmed whether this was actually how attackers identified Wiles’ associates. It would also be possible to assemble such a target list from a combination of publicly available information and data sold by gray-market brokers.

“It's an embarrassing level of security awareness. You cannot convince me they actually did their security trainings,” says Jake Williams, a former NSA hacker and vice president of research and development at Hunter Strategy. “This is the type of garden-variety social engineering that everyone can end up dealing with these days, and certainly top government officials should be expecting it.”

In some cases, the targets received not just text messages but phone calls that impersonated Wiles’ voice, and some government officials believe the calls may have used artificial intelligence tools to fake Wiles’ voice. If so, that would make the incident one of the most significant cases yet of so-called deepfake software being used in a phishing attempt.

It’s not yet clear how Wiles’ phone might have been hacked, but the FBI has ruled out involvement by a foreign nation in the impersonation campaign, the bureau reportedly told White House officials. In fact, while some of the impersonation attempts appeared to have political goals—a member of Congress, for instance, was asked to assemble a list of people Trump might pardon—in at least one other case the impersonator tried to trick a target into setting up a cash transfer. That attempt at a money grab suggests that the spoofing campaign may be less of an espionage operation than a run-of-the-mill cybercriminal fraud scheme, albeit one with a very high-level target.

“There’s an argument here for using something like Signal—yes, the irony—or another messaging platform that offers an independent form of authentication if users want to validate who they’re talking to,” Hunter Strategy's Williams says. “The key thing as always is for government officials to be using vetted tools and following all federally mandated protocols rather than just winging it on their own devices.”

**Iranian Man Behind Baltimore Ransomware Attack Pleads Guilty**

The 2019 ransomware attack against the city government of Baltimore represents one of the worst municipal cybersecurity disasters on record, paralyzing city services for months and costing taxpayers tens of millions of dollars. Now the Department of Justice has unexpectedly revealed that it arrested one of the hackers behind that attack, 37-year-old Sina Gholinejad, in North Carolina last January, and that he has pleaded guilty in court. Gholinejad has admitted to being involved in the larger Robbinhood ransomware campaign that hit other targets, including the cities of Greenville, North Carolina, and Yonkers, New York. It’s still far from clear how Gholinejad was identified or why he traveled from Iran to the US, given that most ransomware criminals are careful to remain in countries that don’t have extradition agreements with the US government and are thus beyond US law enforcement’s reach. Indeed, the indictment against him names several unnamed co-conspirators who may be still at large in Iran.

**Russia’s Nuclear Blueprints Exposed in Huge Document Leak**

More than 2 million documents left exposed in a public database have revealed Russia’s nuclear weapons facilities in unprecedented levels of detail, according to reporting this week by Danish media outlet Danwatch and Germany’s Der Spiegel. Reporters examined the huge trove of documents relating to Russian military procurement—as Russian authorities slowly restricted access—and found blueprints for nuclear facilities across the country. Experts called the leak an unparalleled breach of Russia’s nuclear security, with the data potentially being incredibly useful for foreign governments and intelligence services.

The documents show how Russia’s nuclear facilities have been rebuilt in recent years, where new facilities have been created, detailed site plans including the locations of barracks and watchtowers, and the locations of underground tunnels connecting buildings. There are descriptions of IT systems and security systems, including information on surveillance cameras, electric fences being used, and the alarm systems in place. “It’s written explicitly where the control rooms are located, and which buildings are connected to each other via underground tunnels,” Danwatch reports.

**Cops Used License Plate Recognition Cameras in Search for Woman Who Got an Abortion**

License-plate-recognition cameras are creating huge databases of people’s movements across America—capturing where and when cars are traveling. For years there have been concerns that the cameras could be weaponized by law enforcement officials or private investigators and turned against those seeking abortions or providing abortion-related care. Officials from Johnson County Sheriff’s Office in Texas—where nearly all abortions are illegal—searched 83,000 Flock license-plate reader cameras at the start of this month while looking for a woman they claim had a self-administered abortion, 404 Media reported this week.

Sheriff Adam King said that the officials weren’t trying to “block her from leaving the state” and were searching for the woman as her family was concerned about her safety. However, experts say that conducting a search across the entire United States shows the sprawling dragnet of license-plate-reader cameras and highlights how those seeking abortions can be tracked. “The idea that the police are actively tracking the location of women they believe have had self-administered abortions under the guise of ‘safety’ does not make me feel any better about this kind of surveillance,” Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation told 404 Media.

**Investment Scam Company Linked to $200 Million in Losses Sanctioned by US Government**

Philippines-based company Funnull Technology and its boss, Liu Lizhi, have been sanctioned by the US Treasury’s Office of Foreign Assets Control for their links to investment and romance scams, which are often referred to as “pig-butchering” scams. “Funnull has directly facilitated several of these schemes, resulting in over $200 million in US victim-reported losses,” OFAC said in a statement announcing the sanctions. The company purchases IP addresses from major cloud service providers and then sells them to cybercriminals who could use them to host scam websites—OFAC says Funnull is “linked to the majority” of investment scam websites reported to the FBI. In January independent cybersecurity journalist Brian Krebs detailed how Funnull was abusing Amazon’s and Microsoft’s cloud services.

A Hacker May Have Deepfaked Trump’s Chief of Staff in a Phishing Campaign

The elusive boss of the Trickbot and Conti cybercriminal groups has been known only as “Stern.” Now, German law enforcement has published his alleged identity—and it’s a familiar face.

For years, members of the Russian cybercrime cartel Trickbot unleashed a relentless hacking spree on the world. The group attacked thousands of victims, including businesses, schools, and hospitals. “Fuck clinics in the usa this week,” one member wrote in internal Trickbot messages in 2020 about a list of 428 hospitals to target. Orchestrated by an enigmatic leader using the online moniker “Stern,” the group of around 100 cybercriminals stole hundreds of millions of dollars over the course of roughly six years.

Despite a wave of law enforcement disruptions and a damaging leak of more than 60,000 internal chat messages from Trickbot and the closely associated counterpart group Conti, the identity of Stern has remained a mystery. Last week, though, Germany’s federal police agency, the Bundeskriminalamt or BKA, and local prosecutors alleged that Stern’s real-world name is Vi­ta­ly Ni­ko­lae­vich Kovalev, a 36-year-old, 5’11” Russian man who cops believe is in his home country and thus shielded from potential extradition.

A recently issued Interpol red notice says that Kovalev is wanted by Germany for allegedly being the “ringleader” of a “criminal organisation.”

“Stern’s naming is a significant event that bridges gaps in our understanding of Trickbot—one of the most notorious transnational cybercriminal groups to ever exist,” says Alexander Leslie, a threat intelligence analyst at the security firm Recorded Future. “As Trickbot's ‘big boss’ and one of the most noteworthy figures in the Russian cybercriminal underground, Stern remained an elusive character, and his real name was taboo for years.”

Stern has notably seemed to be absent from multiple rounds of Western sanctions and indictments in recent years calling out alleged Trickbot and Conti members. Leslie and other researchers have long speculated to WIRED that global law enforcement may have strategically withheld Stern’s alleged identity as part of ongoing investigations. Kovalev is suspected of being the “founder” of Trickbot and allegedly used the Stern moniker, the BKA said in an online announcement.

“It has long been assumed, based on numerous indications, that ‘Stern’ is in fact Kovalev,” a BKA spokesperson says in written responses to questions from WIRED. They add that “the investigating authorities involved in Operation Endgame were only able to identify the actor Stern as Kovalev during their investigation this year,” referring to a multi-year international effort to identify and disrupt cybercriminal infrastructure, known as Operation Endgame.

The BKA spokesperson also notes in written statements to WIRED that information obtained through a 2023 investigation into the Qakbot malware as well as analysis of the leaked Trickbot and Conti chats from 2022 were “helpful” in making the attribution. They added, too, that the “assessment is also shared by international partners.”

The German announcement is the first time that officials from any government have publicly alleged an identity for a suspect behind the Stern moniker. As part of Operation Endgame, BKA’s Stern attribution inherently comes in the context of a multinational law enforcement collaboration. But unlike in other Trickbot- and Conti-related attributions, other countries have not publicly concurred with BKA’s Stern identification thus far. Europol, the US Department of Justice, the US Treasury, and the UK’s Foreign, Commonwealth & Development Office did not immediately respond to WIRED’s requests for comment.

Several cybersecurity researchers who have tracked Trickbot extensively tell WIRED they were unaware of the announcement. An anonymous account on the social media platform X recently claimed that Kovalev used the Stern handle and published alleged details about him. WIRED messaged multiple accounts that supposedly belong to Kovalev, according to the X account and a database of hacked and leaked records compiled by District 4 Labs but received no response.

Meanwhile, Kovalev’s name and face may already be surprisingly familiar to those who have been following recent Trickbot revelations. This is because Kovalev was jointly sanctioned by the United States and United Kingdom in early 2023 for his alleged involvement as a senior member in Trickbot. He was also charged in the US at the time with hacking linked to bank fraud allegedly committed in 2010. The US added him to its most-wanted list. In all of this activity, though, the US and UK linked Kovalev to the online handles “ben” and “Bentley.” The 2023 sanctions did not mention a connection to the Stern handle. And, in fact, Kovalev’s 2023 indictment was mainly noteworthy because his use of “Bentley” as a handle was determined to be “historic” and distinct from that of another key Trickbot member who also went by “Bentley.”

The Trickbot ransomware group first emerged around 2016, after its members moved from the Dyre malware that was disrupted by Russian authorities. Over the course of its lifespan, the Trickbot group—which used its namesake malware, alongside other ransomware variants such as Ryuk, IcedID, and Diavol—increasingly overlapped in operations and personnel with the Conti gang. In early 2022, Conti published a statement backing Russia’s full-scale invasion of Ukraine, and a cybersecurity researcher who had infiltrated the groups leaked more than 60,000 messages from Trickbot and Conti members, revealing a huge trove of information about their day-to-day operations and structure.

Stern acted like a “CEO” of the Trickbot and Conti groups and ran them like a legitimate company, leaked chat messages analyzed by WIRED and security researchers show.

“Trickbot set the mold for the modern ‘as-a-service’ cybercriminal business model that was adopted by countless groups that followed,” Recorded Future’s Leslie says. “While there were certainly organized groups that preceded Trickbot, Stern oversaw a period of Russian cybercrime that was characterized by a high level of professionalization. This trend continues today, is reproduced worldwide, and is visible in most active groups on the dark web.”

Stern’s eminence within Russian cybercrime has been widely documented. The cryptocurrency-tracing firm Chainalysis does not publicly name cybercriminal actors and declined to comment on BKA’s identification, but the company emphasized that the Stern persona alone is one of the all-time most profitable ransomware actors it tracks.

“The investigation revealed that Stern generated significant revenues from illegal activities, in particular in connection with ransomware,” the BKA spokesperson tells WIRED.

Stern “surrounds himself with very technical people, many of which he claims to have sometimes decades of experience, and he’s willing to delegate substantial tasks to these experienced people whom he trusts,” says Keith Jarvis, a senior security researcher at cybersecurity firm Sophos’ Counter Threat Unit. “I think he’s always probably lived in that organizational role.”

Increasing evidence in recent years has indicated that Stern has at least some loose connections to Russia’s intelligence apparatus, including its main security agency, the Federal Security Service (FSB). The Stern handle mentioned setting up an office for “government topics” in July 2020, while researchers have seen other members of the Trickbot group say that Stern is likely the “the link between us and the ranks/head of department type at FSB.”

Stern’s consistent presence was a significant contributor to Trickbot and Conti’s effectiveness—as was the entity’s ability to maintain strong operational security and remain hidden.

As Sophos’ Jarvis put it, “I have no thoughts on the attribution, as I’ve never heard a compelling story about Stern’s identity from anyone prior to this announcement.”

Cops in Germany Claim They’ve ID’d the Mysterious Trickbot Ransomware Kingpin

A member of a California-based fight club seems to have attended an event hosted by groups with ties to an organization the US government labeled a terrorist group. Will the Trump administration care?

While the Trump administration carries out a mass deportation campaign against undocumented immigrants allegedly involved with “terrorist” organizations and targets foreign students with granular social media surveillance, at least one American member of a neo-Nazi fight club has connected with a group linked to a far-right Scandinavian organization listed by the United States Treasury Department as a terrorist group.

In September 2024, at least one American affiliated with the “Active Club” movement—a transnational alliance of far-right fight clubs that closely overlap with skinhead gangs and neo-fascist political movements—appears to have traveled to Borås, Sweden, to participate in a mixed-martial-arts tournament with members of other affiliated fight clubs from across Europe. Social media posts from Tvåsaxe and GYM XIV, the Swedish skinhead organizations that hosted Holmgang 2024, claim that at least one member from the Southern California Active Club was in attendance. Photographs of the tournament were also published online by Media 2 Rise, the American ACs’ media wing.

While the identity of the American (or Americans) who traveled to Sweden last fall are not publicly known, the groups they are part of are key components of the Active Club network. On October 2, Media 2 Rise posted a series of eight watermarked photographs from the Holmgang tournament, essentially putting the American Active Club’s signature of approval on the Swedish event.

Media 2 Rise was created by Active Club founder Robert Rundo in collaboration with an pseudonymous individual named "Lucca Corgiat," whom the Southern Poverty Law Center has identified as Montana neo-Nazi Allen Michael Goff. The organization specializes in propagandistic, high-energy video edits of similar far-right combat sport tournaments and the movement more broadly. Media 2 Rise did not respond to WIRED’s request for comment. When SPLC contacted Media 2 Rise on its publicly posted contact email address in an attempt to seek comment from Goff, it received no response.

Also on October 2, Tvåsaxe’s Telegram account posted a photo of nine people holding the group’s flag with the caption, “Borås at night! Aktivklubb Smaland, SoCal Active Club, Active Club Scotland…waiting for the storm! HOLMGANG 2024!” The SoCal Active Club, which is the first Active Club in the United States and is closely associated with Rundo, is also linked to the Hammerskin Nation, one of the largest neo-Nazi skinhead networks in the United States. Two individuals whose photos have frequently been posted to the group’s Telegram channel, Grady Mayfield and Robert Wheldon, testified last spring at Rundo’s bail hearing during a convoluted legal saga that ended in him pleading guilty to federal Anti-Riot Act charges first filed in 2018.

According to Swedish and American researchers, Tvåsaxe is aligned with the Nordic Resistance Movement (NRM), a pan-Scandinavian neo-Nazi group that was designated as a “Specially Designated Global Terrorist Group” by the American State Department in summer 2024.

Counterterrorism sanctions bar Americans from associating with or providing support to listed groups; ban members from banking, owning property, or conducting business with American financial institutions; and expose anyone found associating with or supporting the sanctioned entity to possible criminal charges.

Jason Blazakis, an extremism researcher at Middlebury College who ran the State Department component that makes FTO designations from 2008 through 2018, says that any level of tangible support to a listed terrorist group, be it sharing an event invitation or buying an item of clothing, could be the basis for a support-of-terrorism charge. “Folks could be looking at possibly 10 to 15 years if convicted, seizure of assets,” he says. “There are very real consequences for violating these sanctions.”

These types of terrorist group designations are determined by the State or Treasury departments, and along with Foreign Terrorist Organizations are included on a formal sanctions list published and maintained by the Treasury’s Office of Foreign Assets Control, which imposes financial sanctions and freezes assets. The Justice Department is responsible for prosecuting material support for terrorism violations for Americans or foreign nationals deemed to have violated the proscriptions.

The DOJ has used the statute in a broad range of cases over the years, from charging French industrial giant Lafarge and its subsidiary for cutting business deals with the Islamic State in Northern Syria over a decade ago to six Bosnian-Americans accused and later convicted of providing material support to ISIS fighters. The statute often comes under criticism for its overbroad provisions, exemplified by a 2010 series of FBI raids on activists in Chicago and Minneapolis seeking evidence of ties to designated FTOs in Palestine and Colombia.

NRM, which seeks to create a fascist ethnostate through violent revolution, dates back several decades and is considered one of the most violent neo-Nazi groups in Scandinavia. In 2017, three NRM-linked men were sentenced to prison for attempting to bomb one asylum center, and successfully bombing another as well as a left-wing bookstore. Two of the perpetrators received paramilitary training in Russia from the Russian Imperialist Movement, which was declared a global terror group during the first Trump administration.

While the Holmgang tournament’s host has a different name and history than the banned Swedish group, former State Department official Blazakis believes the difference is semantic, given Tvåsaxe’s participation in closed NRM conferences and the long-standing relationship between NRM and the Active Clubs.

“They’re trying to get around the listing and relevant consequences by changing their name and symbolism. Law enforcement sees right through that, and it also shows willingness and intent to evade these restrictions,” he says. A current State Department staffer, speaking on condition of anonymity to avoid reprisals, also believes American participation in the September tournament could represent a potential case of support for NRM.

Rundo, a self-professed longtime fan of NRM, seems to have modeled Active Clubs and the Rise Above Movement (RAM), which he also founded, on Europe’s extreme right-wing scene. Since 2021, Rundo has appeared at least twice on an NRM podcast, including an April 2023 episode devoted to Rundo’s labyrinthine federal case for Anti-Riot Act violations. NRM also conducted banner drops over freeways and held demonstrations protesting his detention outside the American and Romanian embassies the same month following Rundo’s arrest on an American warrant in Romania.

The 2024 Swedish tournament mirrors similar extreme right-wing martial arts tournaments hosted elsewhere in Europe for years. It also indicates the success of the Active Club model in spreading to the European continent. There are dozens of the fight clubs throughout Europe, including more than 50 in France and several in the United Kingdom, where they came under new scrutiny following a February 2025 ITV documentary connecting members to terrorism and violence. The European Active Clubs are also networking increasingly across national boundaries—Swedish Active Club members were present alongside their Dutch and French comrades at a May 10 fascist march in Paris, and engaged in an outdoor training in the Jardin du Luxembourg with Active Club members from Germany and French far-right extremists.

Though a number of the Swedish Active Club participants are older veterans of other extremist groups, they have had notable success in recruiting younger participants, some as young as 15. In the past year, Swedish authorities have started to connect Active Club members to assaults and hate crime incidents.

Jonathan Leman of Expo.se, a Swedish civil society group that tracks far-right radicalization and organizing, attributes the formation of Sweden’s Active Clubs to Oskar Engels, an Estonian former member of NRM who left the group in 2020. Per research from Expo.se, Engels set up a fight club in 2020 that closely imitated Sweden’s burgeoning soccer hooligan subculture, where violence and criminality occasionally crosses over with neo-Nazism, particularly in the support base of Stockholm’s main clubs of AIK, Djurgården, and Hammarby.

Recently, American Active Clubs have combined with other far-right extremists like Patriot Front and the Hammerskins to hold their own mixed-martial arts-tournaments in Southern California, Texas, and elsewhere.

The State Department’s listing of NRM, Blazakis says, was notable since it was the first large-scale neo-Nazi movement the American authorities were able to tie to criminal acts with a terrorist motivation. Previous efforts to sanction the UK’s National Action, which is banned by the British Home Office and, according to media reports, has more members convicted of terrorism offenses in the UK than the Islamic State, did not get traction.

“The Nordic Resistance Movement, relative to Active Clubs, are far more organized than your typical ACs and have a high level of criminality that is quite reminiscent of the Rise Above Movement,” Blazakis alleges.

“When you have people that are engaged in criminality move towards terrorism, that’s very dangerous,” Blazakis says. “They’re evolving in an ideological direction, and in most cases you tend to see groups move in the opposite direction.”

Expo.se’s Leman, who has tracked the evolution of Sweden’s Active Clubs and their interactions with the rest of the burgeoning Swedish far right, says the September 2024 tournament was hosted by Tvåsaxe, an organization that has been invited to closed NRM conferences in the past two years.

“Tvåsaxe are part of NRM’s network. They want to have a good relationship with all the groups in the environment,” Leman alleges. Prior to being listed as a terrorist organization by the Biden administration, Leman says, NRM had far cooler relations with rival far-right groups in Sweden. However, following a 2023 change in leadership and the terrorist entity listing, the group altered its stance and attracted a lot of sympathy and solidarity from other far-right organizations.

“Many groups felt that terror designation from the US was unjust, and that brought the Swedish scene together,” says Leman. “You’d think that the Swedish scene would be reluctant to have anything to do with NRM, but in a way, it’s them calling the Americans’ bluff.”

A security analyst close to the Swedish government, who asked not to be named to discuss law enforcement matters, noted that the country’s security services are closely tracking the evolution of the far-right fight clubs.

“Active Clubs have become very popular because they can recruit younger cadres to the movement,” they say. “I know that this is high on the radar for security services—\[they’re\] much more concerned with these types of activities than they are traditional skinhead groups.”

The participation of at least one American in the September 2024 tournament in Borås, the analyst says, reflects a long-standing North American fascination with NRM’s organizing model and Scandinavian mythos. “The Americans are definitely in bed with NRM when they’re going over to Sweden and participating in the tournament,” the security analyst alleges. “You’re already providing material support and making key connections.” (This was included in WIRED’s request for comment sent to Media 2 Rise, which did not respond.) “The question is, are there financial transactions taking place?”

The State Department refused to comment on the association of Americans with NRM in spite of the anti-terrrorism sanctions. It is currently unclear how the US authorities will handle cases involving far-right extremists who violate federal law, particularly in light of reports that the State Department is minimizing its use of terms related to far-right violence.

“The question is, will there be true enforcement of associations with a far-right \[terrorist group\]?” Blazakis says, pointing to the presence of Darren Beattie as the State Department’s acting under secretary for public diplomacy and public affairs. In 2018, Beattie was fired from his position as a Donald Trump speechwriter after it was reported that he attended a white nationalist conference; CNN has similarly reported on his social media presence, which often espouses white supremacist beliefs. Beattie’s office plays a major role in shaping the State Department’s messaging on counterterrrorism and violent extremism. (The White House did not respond to WIRED’s request for comment.)

“I think we’re going to see reluctance at best, outright reversals at worst,” says Blazakis.

A Swedish MMA Tournament Spotlights the Trump Administration's Handling of Far-Right Terrorism

Customs and Border Protection has swabbed the DNA of migrant children as young as 4, whose genetic data is uploaded to an FBI-run database that can track them if they commit crimes in the future.

The United States government has collected DNA samples from upwards of 133,000 migrant children and teenagers—including at least one 4-year-old—and uploaded their genetic data into a national criminal database used by local, state, and federal law enforcement, according to documents reviewed by WIRED.

The records, quietly released by the US Customs and Border Protection earlier this year, offer the most detailed look to date at the scale of CBP’s controversial DNA collection program. They reveal for the first time just how deeply the government’s biometric surveillance reaches into the lives of migrant children, some of whom may still be learning to read or tie their shoes—yet whose DNA is now stored in a system originally built for convicted sex offenders and violent criminals.

The Department of Justice has argued that extensive DNA collection activity at the border provides “an assessment of the danger” a migrant potentially “poses to the public” and will essentially help solve crimes that may be committed in the future. Experts say that the children’s raw genetic material will be stored indefinitely and worry that, without proper guardrails, the DNA dragnet could eventually be used for more extensive profiling.

Spanning from October 2020 through the end of 2024, the records show that CBP swabbed the cheeks of between 829,000 and 2.8 million people, with experts estimating that the true figure, excluding duplicates, is likely well over 1.5 million. That number includes as many as 133,539 children and teenagers. These figures mark a sweeping expansion of biometric surveillance—one that explicitly targets migrant populations, including children.

The DNA samples are registered in the Combined DNA Index System, or CODIS, a database administered by the FBI, which processes the DNA and stores the resulting genetic profiles. A network of criminal forensic databases, CODIS is used by local, state, and federal enforcement agencies to match DNA collected from crime scenes or convictions to identify suspects.

On May 10, 2024, for instance, records say that CBP agents from the El Paso, Texas, field office collected a DNA sample from the mouth of an individual in its custody whom CBP identified as Cuban and who was detained for allegedly being an “immigrant w/o docs.” Swabbing the individuals’ cheek, the agents obtained a DNA sample containing the individual's entire genetic code and then sent the sample to the FBI for processing.

According to CBP records, the individual was just 4 years old.

Of the tens of thousands of minors whose DNA was collected by Customs and Border Protection over the past four years, as many as 227 were 13 or younger, including the 4-year-old. Department of Homeland Security policy states that individuals under 14 are generally exempt from DNA collection, but field officers have the discretion to collect DNA in some circumstances. The data shows additional entries for kids aged 10, 11, 12, and 13. The numbers spike beginning at age 14; more than 30,000 entries were logged for each age group from 14 to 17.

Under current rules, DNA is generally collected from anyone who is also fingerprinted. According to DHS policy, 14 is the minimum age at which fingerprinting becomes routine.

As many as 122 minors were categorized as American citizens, 53 of whom were not detained for any criminal arrest, CBP records say. (People asking to enter the United States to apply for asylum are put in civil rather than criminal custody.)

Neither DHS nor CBP provided comment ahead of publication.

Multiple legal, privacy, and immigration experts described the findings as deeply troubling. “It’s horribly dystopian,” says Vera Eidelman, a senior staff attorney with the American Civil Liberties Union's Speech, Privacy, and Technology Project. “It’s impossible for me to think of a reason to collect a 4-year-old’s DNA and upload it to a database that’s explicitly supposed to be about criminal activity.”

As one of the world’s largest law enforcement agencies, CBP is responsible for intercepting and processing individuals who cross the US border without authorization. While Immigration and Customs Enforcement handles long-term detention and deportation, CBP controls the earliest, most vulnerable hours of a migrant’s legal journey in the US, often when they are first taken into custody, questioned, and in many cases fingerprinted and swabbed for DNA.

Both CBP and ICE operate under the Department of Homeland Security and, under current policy, are authorized to collect fingerprints and DNA from anyone in their custody as young as 14 years old. Exceptions for younger children can be made in certain cases involving “potentially criminal situations”; however, the CBP data analyzed by WIRED indicates this was the case in as few as 2.2 percent of the hundreds of kids subjected to DNA swabs.

Of the 227 people listed in the data as children under 14 and having their DNA submitted to the FBI, most of them are simply labeled “detainee.” Only five were listed as arrestees or linked to criminal charges.

CBP’s participation in the CODIS program isn’t new, though it expanded significantly after a 2020 Department of Justice rule amending a previous exemption that effectively allowed DHS to avoid collecting DNA from civil immigration detainees.

Sara Huston, an expert in genomics policy and the principal investigator at the Genetics and Justice Laboratory and a research assistant professor of pediatrics at Northwestern University’s Feinberg School of Medicine, tells WIRED that CODIS is a powerful tool for law enforcement when solving violent crimes, sexual assaults, and missing persons cases.

Huston explains that typically when DNA is collected from a crime scene—such as in a sexual assault case—it’s processed and uploaded to CODIS and compared with DNA from anyone in the database, which includes people who have been previously arrested for certain crimes or convicted. A match can help investigators connect unsolved cases, identify suspects, and share critical leads across jurisdictions.

But the inclusion of migrants, the vast majority of whom were not listed in CBP data as having been accused of any felonies, raises deeper questions about what kind of data belongs in a criminal database. CODIS was designed to track criminal offenders, not to permanently catalog the genetic information of undocumented children passing through immigration custody.

“It’s not that we can’t solve crimes by collecting these samples—that’s why CODIS exists, and it’s a wonderful tool,” Huston says. “But it’s not a fair system to keep DNA of people who have not committed crimes on the assumption that they likely will.”

Apprehensions of migrants who crossed the border unlawfully between ports of entry have since fallen to historic lows during the current Trump administration; it's unclear whether the pace of DNA collection has also slowed, as the most recent data ends on December 31, 2024.

The data, which CBP published to its website in February, shows that DNA collection accelerated under the Biden administration, with daily submissions to CODIS increasing sharply in 2024 alongside a reported rise in border apprehensions. On a single day in January 2024, for example, the Laredo, Texas, field office submitted as many as 3,930 DNA samples to the FBI—252 were listed as 17 or younger, CBP records show.

The DOJ has defended the mass collection of DNA at the border as necessary for solving crimes. In its official rationale, the agency argues that this sweeping effort is “essential” not only for identifying migrants who may have committed crimes in the past but also for potentially solving crimes they might commit in the future.

For Stevie Glaberson, the director of research and advocacy at the Center on Privacy & Technology at Georgetown Law, the implication is clear: The US government is treating every person who crosses the border, regardless of age, legal status, or whether they’re accused of any wrongdoing, as a possible suspect in crimes yet to occur.

If the government’s goal is to determine whether a detainee is connected to past crimes, Glaberson tells WIRED, there would be no need to add that person’s DNA to CODIS—they could simply check for a match against existing profiles. “It’s hard to imagine a situation where a 4-year-old was involved in criminal activity,” Glaberson says.

“Taking DNA from a 4-year old and adding it into CODIS flies in the face of any immigration purpose,” she says, adding, “That’s not immigration enforcement. That’s genetic surveillance.”

Multiple studies show no link between immigration and increased crime.

In 2024, Glaberson coauthored a report called “Raiding the Genome” that was the first to try to quantify DHS’s 2020 expansion of DNA collection. It found that if DHS continues to collect DNA at the rate the agency itself projects, one-third of the DNA profiles in CODIS by 2034 will have been taken by DHS, and seemingly without any real due process—the protections that are supposed to be in place before law enforcement compels a person to hand over their most sensitive information.

CBP collects DNA using buccal swab kits—long cotton-tipped sticks used to scrape the inside of a detainee’s cheek. While the DNA sample itself contains a person’s entire genetic code, Huston says that what’s uploaded to CODIS is better understood as a lower-resolution snapshot—a DNA profile made up of select genetic markers used solely to identify individuals—and is not intended to reveal traits, health conditions, or genetic predispositions. However, both she and Glaberson note that the raw DNA sample itself could be stored indefinitely.

The DOJ did not respond to multiple requests for comment, nor did it answer questions about how long raw DNA samples are stored. However, a current DOJ official, speaking to WIRED on the condition of anonymity due to fear of retribution, defended the collection and retention of migrant DNA. Storing raw samples, they say, is necessary for due process—to confirm that a match in CODIS can be traced back to the original raw material. “If you aren’t committing a crime, being in this database isn’t going to affect you,” they say, arguing that a larger pool of DNA increases the chances of finding a match.

Under federal law, CODIS data and the raw genetic samples can only be used for identification in criminal cases. DHS policy states that DNA samples may not be used to discriminate “in the provision of health benefits or other services” and that DNA samples are not used by the FBI to “reveal any physical traits, race, ethnicity, disease susceptibility, or other sensitive information about an individual.”

But privacy advocates worry that those rules aren’t enough, since policies can change and new uses can emerge alongside new technology. For instance, privacy and civil liberties experts have warned that the government could one day use DNA to link immigrants to family members, who could also be targeted by law enforcement. Another concern is that genetic data might be reanalyzed to predict health-related markers or inherited conditions—potentially influencing decisions about admissibility or whether someone is likely to require government support.

As Glaberson warns, “The warehousing of genetic samples containing the entirety of people's genetic code presents a risk in the future.”

The US Is Storing Migrant Children’s DNA in a Criminal Database

Thanks to drastic policy changes in the US and Big Tech’s embrace of the second Trump administration, many people are moving their digital lives abroad. Here are a few options to get you started.

From your email to your web browsing, it’s highly likely that your daily online life is dominated by a small number of tech giants—namely Google, Microsoft, and Apple. But since Big Tech has been cozying up to the second Trump administration, which has taken an aggressive stance on foreign policy, and Elon Musk’s so-called Department of Government Efficiency (DOGE) has ravaged through the government, some attitudes towards using US-based digital services have been changing.

While movements to shift from US digital services aren’t new, they’ve intensified in recent months. Companies in Europe have started moving away from some US cloud giants in favor of services that handle data locally, and there have been efforts from officials in Europe to shift to homegrown tech that has fewer perceived risks. For example, the French and German governments have created their own Docs word processor to rival Google Docs.

Meanwhile, one consumer poll released in March had 62 percent of people from nine European countries saying that large US tech companies were a threat to the continent’s sovereignty. At the same time, lists of non-US tech alternatives and European-based tech options have seen a surge in visitors in recent months.

For three of the most widely used tech services—email, web browsers, and search engines—we’ve been through some of the alternatives that are privacy-focused and picked some options you may want to consider. Other options are available, but these organizations and companies aim to minimize data they collect and often put privacy first.

There are caveats, though. While many of the services on this list are based outside of the US, there’s still the potential that some of them rely upon Big Tech services themselves—for instance, some search engines can use results or indexes provided by Big Tech, while companies may use software or services, such as cloud hosting, that are created by US tech firms. So trying to distance yourself entirely may not be as straightforward as it first looks.

**Web Browsers**

Mullvad

Based in Sweden, Mullvad is perhaps best known for its VPN, but in 2023 the organization teamed up with digital anonymity service Tor to create the Mullvad Browser. The open source browser, which is available only on desktop, says it collects no user data and is focused on privacy. The browser has been designed to stop people from tracking you via browser fingerprinting as you move around the web, plus it has a “private mode” that isolates tracking cookies enabled by default. “The underlying policy of Mullvad is that we never store any activity logs of any kind,” its privacy policy says. The browser is designed to work with Mullvad’s VPN but is also compatible with any VPN that you might use.

Vivaldi

WIRED’s Scott Gilbertson swears by Vivaldi and has called it the web’s best browser. Available on desktop and mobile, the Norwegian-headquartered browser says it doesn’t profile your behavior. “The sites you visit, what you type in the browser, your downloads, we have no access to that data,” the company says. “It either stays on your local machine or gets encrypted.” It also blocks trackers and hosts data in Iceland, which has strong data protection laws. Its privacy policy says it anonymizes IP addresses and doesn’t share browsing data.

**Search Engines**

Qwant French search engine Qwant has built its own search index, crawling more than 20 billion pages to create its own records of the web. Creating a search index is a hugely costly, laborious process, and as a result, many alternative search engines will not create an extensive index and instead use search results from Google or Microsoft’s Bing—enhancing them with their own data and algorithms. Qwant says it uses Bing to “supplement” search results that it hasn’t indexed. Beyond this, Qwant says it does not use targeted advertising, or store people’s search history. “Your data remains confidential, and the processing of your data remains the same,” the company says in its privacy policy.

Mojeek

Mojeek, based out of the United Kingdom, has built its own web crawler and index, saying that its search results are “100% independent.” The search engine does not track you, it says in its privacy policy, and only keeps some specific logs of information. “Mojeek removes any possibility of tracking or identifying any particular user,” its privacy policy says. It uses its own algorithms to rank search results, not using click or personalization data to create ranks, and says that this can mean two people searching for the same thing while in different countries can receive the same search results.

Startpage

Based in the Netherlands, Startpage says that when you make a search request, the first thing that happens is it removes your IP address and personal data—it doesn’t use any tracking cookies, it says. The company uses Google and Bing to provide its search results but says it acts as an “intermediary” between you and the providers. “Startpage submits your query to Google and Bing anonymously on your behalf, then returns the results to you, privately,” it says on its website. “Google and Microsoft do not know who made the search request—instead, they only see Startpage.”

Ecosia

Nonprofit search engine Ecosia uses the money it makes to help plant trees. The company also offers various privacy promises when you search with it, too. Based in Germany, the company says it doesn’t collect excessive data and doesn’t use search data to personalize ads. Like other search alternatives, Ecosia uses Google’s and Bing’s search results (you can pick which one in the settings). “We only collect and process data that is necessary to provide you with the best search results (which includes your IP address, search terms and session behavioral data),” the company says on its website. The information it collects is gathered to provide search results from its Big Tech partners and detect fraud, it says. (At the end of 2024, Ecosia partnered with Qwant to build more search engine infrastructure in Europe).

**Email Providers**

ProtonMail

Based in Switzerland, Proton started with a privacy-focused email service and has built out a series of apps, including cloud storage, docs, and a VPN to rival Google. The company says it cannot read any messages in people’s inboxes, and it offers end-to-end encryption for emails sent to other Proton Mail addresses, as well as a way to send password protected emails to non Proton accounts. It blocks trackers in emails and has multiple account options, including both free and paid choices. Its privacy policy describes what information the company has access to, which includes sender and recipient email addresses, plus IP addresses where messages arrive from, message subject lines, and when emails are sent. (Despite Switzerland’s strong privacy laws, the government has recently announced it may require encrypted services to keep user’s data, something that Proton has pushed back on).

Tuta

Tuta, which used to be called Tutanota and is based in Germany, says it encrypts email content, subject lines, calendars, address books, and other data in your inbox. “The only unencrypted data are mail addresses of users as well as senders and recipients of emails,” it says on its website, adding that users' encryption keys cannot be accessed by developers. Like Proton, emails sent between Tuta accounts are end-to-end encrypted, and you can send password protected emails when messaging an account from another email provider. The company also has an end-to-end encrypted calendar and offers both free and paid plans.

The Privacy-Friendly Tech to Replace Your US-Based Email, Browser, and Search

Hackers. AI data scrapes. Government surveillance. Thinking about where to start when it comes to protecting your online privacy can be overwhelming. Here’s a simple guide for you—and anyone who claims they have nothing to hide.

With President Donald Trump’s return to the White House and the US government’s digital surveillance machine more powerful than ever, digital privacy should be top of mind. But the digital security world can be confusing—and there’s the larger question of why. You may think, if I’m just a regular person, why is my digital privacy important?

Then there are the practical questions. What’s the best password manager? How can you keep your digital life under wraps at the border? And what kind of VPN should you be using? Is AI scraping my data?

WIRED senior writer and security expert Matt Burgess spoke with readers in a Reddit AMA this month about the basics of keeping your digital footprint locked down. Here’s what to know and why it’s important.

**What is your advice for a quick win in terms of improving digital security for the everyday person? Or for someone who isn’t tech-savvy?**

I think the one big thing people can do to improve their security is make sure that multifactor authentication is turned on for as many online accounts as possible. That way if anyone gets access to your password or login details, they’ll also need to have another way to authenticate the login attempt (such as the codes generated by an authentication app), and it's highly unlikely that hackers will have access to that.

Other quick and relatively straightforward changes you can make are to use privacy-friendly browsers and search engines and to use a password manager (the one on your phone or browser is better than nothing at all) and create unique passwords for each service you use.

**There are so many privacy tips out there, and it all feels important, but trying to do everything at once can be overwhelming. What are the things people should prioritize when making changes to their online habits?**

Improving privacy is something that’s ongoing, and if you try to do everything at once then it’s too off-putting. Take it one small step at a time.

If I was starting now, I’d go with:

1.  Switching to a more privacy-focused browser. I alternate between Brave, Firefox and Safari.
2.  Then using a privacy-focused search engine too (such as DuckDuckGo).
3.  Trying to use services that minimize data collection (for instance, messaging app Signal doesn’t collect user data and is the gold standard of end-to-end encryption).

**What’s a good non-US-based VPN?**

Our favorite VPN at WIRED is currently Proton VPN, which is based in Switzerland. Proton VPN also offers the best free VPN. Unlike most services, ProtonVPN's free version gives full access to all the regular plan's features. It is limited to a single device, and there are only three server locations (Japan, Netherlands, and the US), but everything else is the same. If your needs are limited and you want to keep costs down, this is a good option. See our full guide to VPNs here.

**How do I deal with having to have a new account for every service and website? Should I be using new email addresses?**

A new email address for every account is a big undertaking! I’d recommend having an email address for the accounts that are most important to you and then having one that you use to sign up for things that are less important. There are also services that will let you create “burner” emails that you can use to sign-up with services, and if you use an Apple device there’s a “Hide My Email” setting.

**What tips would you offer to those looking to keep their digital privacy while crossing the US border (or otherwise entering or exiting the States)?**

It really depends on what levels of risk you as an individual could face. Some people traveling across the border are likely to face higher scrutiny than others—for instance nationality, citizenship, and profession could all make a difference. Even what you’ve said on social media or in messaging apps could potentially be used against you.

Personally, the first thing I would do is think about what is on my phone: the kind of messages I have sent (and received), what I have posted publicly, and log out (or remove) what I consider to be the most sensitive apps from my phone (such as email). A burner phone might seem like a good idea, although this isn’t the right idea for everyone and it could bring more suspicion on you. It’s better to have a travel phone—one that you only use for travel that has nothing sensitive on it or connected to it.

My colleague Andy Greenberg and I have put together a guide that covers a lot more than this: such as pre-travel steps you can take, locking down your devices, how to think about passwords, and minimizing the data you are carrying. It’s here. Also, senior writer Lily Hay Newman and I have produced a (long) guide specifically about phone searches at the US border.

**Would you recommend against having a device like Alexa in your home? Or are there particular products or steps you can take to make a smart device more secure?**

Something that’s always listening in your home—what could go wrong? It’s definitely not great for overall surveillance culture.

Recently Amazon also reduced some of the privacy options for Alexa devices. So if you’re going to use a smart speaker, then I’d look into what each device’s privacy settings are and then go from there.

**How do you see people's willingness to hand over information about their lives to AI playing into surveillance?**

The amount of data that AI companies have—and continue to—hoover up really bothers me. There’s no doubt that AI tools can be useful in some settings and to some people (personally, I seldom use generative AI). But I would generally say people don’t have enough awareness about how much they’re sharing with chatbots and the companies that own them. Tech companies have scraped vast swathes of the web to gather the data they claim is needed to create generative AI—often with little regard for content creators, copyright laws, or privacy. On top of this, increasingly, firms with reams of people’s posts are looking to get in on the AI gold rush by selling or licensing that information.

For the everyday person, I’d warn them not to enter personal details or sensitive business information! We also have a more thorough guide here.

**Are personal data removal services worthwhile, or are they just another vector for data thieves?**

Whether data removal services are worthwhile or not probably depends on where you are based in the world: I’m in Europe where there’s GDPR and stricter privacy laws, and when I have used a data removal service, it hasn’t turned up too much. But in the US, there’s no comprehensive federal privacy law—that really should change—and they may be more useful.

Much of what can be done by data removal services, you can also do yourself. Consumer Reports recently did a good evaluation of data removal services.

**What is your preferred response for people who claim they have nothing to hide?**

I think in a lot of cases when people claim they have nothing to hide, they often jump to thinking about illegal or malicious things. When in fact, privacy, for me, isn’t about “hiding” things at all. You should be able to have the space—both in the physical and digital world—to not be surveilled or have your actions tracked. People should be able to act without intrusion from others—that doesn’t mean you’re hiding anything, but you just don’t want to share everything you do with everyone (or anyone). And really that’s why privacy is considered a fundamental human right.

I actually like a lot of the answers that people sent in to Amnesty International about how they respond to the point of “not having anything to hide.”

_With files from Scott Gilbertson._

A Starter Guide to Protecting Your Data From Hackers and Corporations

Plus: A mysterious hacking group’s secret client is exposed, Signal takes a swipe at Microsoft Recall, Russian hackers target security cameras to spy on aid to Ukraine, and more.

This week, WIRED launched our Rogues issue—which included going a bit rough ourselves. WIRED senior correspondent Andy Greenberg flew to Louisiana to see how easy it would be to recreate the 3D-printed gun authorities say they found on Luigi Mangione when they arrested him for the murder of UnitedHealthcare's CEO. The result? It was both easy and legal.

On Wednesday, US, European, and Japanese authorities announced the disruption of one of the world's most widely used infostealer malware. Known as Lumma, the malware was used to steal sensitive information from victims around the world, including passwords, banking information, and cryptocurrency wallets details, according to authorities. Microsoft's Digital Crime Unit aided in the operation, taking down some 2,300 URLs that served as the Lumma infrastructure.

A mysterious database containing more than 184 million records was taken down this week following its discovery by security researcher Jeremiah Fowler. The database contained 47 GB of data, which included information related to Amazon, Apple, Discord, Facebook, Google, Instagram, Microsoft, Netflix, Nintendo, PayPal, Snapchat, Spotify, Twitter, WordPress, Yahoo, and more.

In other news, the US charged 16 Russian nationals for allegedly operating the DanaBot malware, which authorities say was used in a wide variety of attacks, from ransomware to espionage. And a recent webinar revealed how a major venture capitalist helped get Starlink satellite internet activated for Israel following the October 7, 2023 attack by Hamas.

But that's not all. Each week, we round up the security and privacy news we didn't cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

The US intelligence community is looking to create a marketplace where private information gathered by data brokers under the guise of marketing can be purchased by American spies, The Intercept reports. Contracting data shows the US spy agencies intend to create a “Intelligence Community Data Consortium” that uses AI tools to sift through people’s personal data; information that the Office of the Director of National Intelligence has previously acknowledged “could facilitate blackmail, stalking, harassment, and public shaming.” In addition to providing insight into Americans’ behaviors and religious and political beliefs, commercial data frequently includes precise location information, offering the US government the ability to surveil people’s movements without acquiring a warrant—exploiting a widely recognized loophole in US privacy law.

Federal lawmakers attempted to ban the US government from buying what it calls “commercially accessible information” last year, with the Republican-controlled House passing a version of a law known as the “Fourth Amendment Is Not For Sale Act.” However, the US Senate, then controlled by the Democratic Party, rejected the legislation.

Reporting by WIRED has repeatedly demonstrated how such data can offer US adversaries the ability to monitor the movements of US military and intelligence personnel, including in and around sensitive facilities that house nuclear arms.

**A Mysterious Hacking Group Is Revealed to Work for the Spanish Government**

Back in 2014, Russian security firm Kaspersky announced it had discovered a sophisticated hacking group it called Careto, Spanish for “Ugly Face” or “Mask,” that had targeted victims across Europe and Cuba. Now, more than a decade later, former employees of the company have finally confirmed what Kaspersky wouldn’t spell out at the time: That they believe Careto was a rare sighting of hackers working on behalf of the Spanish government. Careto’s targets included energy companies, research institutions, and activists, but it particularly focused on Cuba, likely due to the island nation’s giving refuge to members of a Spanish separatist group designated as terrorists by several European countries. Kaspersky’s researchers found a Spanish phrase in the hackers’ malware code that translates to “I shit in the sea,” an expletive phrase typically used by Spaniards but not other Spanish speakers. Given the sophistication of Careto’s hacking, the public confirmation of Kaspersky’s attribution to Spain adds another known player to the game of high-level state-sponsored hacking.

**Signal Introduces New Feature to Block Screenshots by Microsoft Recall**

Microsoft’s Recall feature, which constantly takes and archives screenshots of Windows users’ activity, still represents a serious privacy problem—even after Microsoft significantly walked back its rollout in response to criticism. So the encrypted messaging app Signal has gone so far as to exploit a digital rights management feature of Windows typically used to protect copyrighted materials to block Recall from taking screenshots of the app by default on Windows machines. After all, the Recall feature—which will likely be required for some corporate or government users—will essentially remove any privacy promise from Signal’s disappearing messages feature for both Recall users and anyone communicating with them. The screenshot-prevention feature can be turned off in Signal’s settings, but it will be turned on by default in Windows. “Microsoft has simply given us no other option,” Signal wrote in a blog post.

**Russia’s Fancy Bear Hackers Targeted Security Cameras to Spy on Ukraine Aid**

The hacker group within Russia’s GRU military intelligence agency known as APT28 or Fancy Bear first rose to infamy for its targeting of the 2016 US election, but it’s no surprise that the group has more recently focused on Ukraine. According to a new assessment from no fewer than 11 countries’ intelligence agencies, the hacker group has been targeting a broad array of technology and logistics firms involved in providing aid to Ukraine. “Dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail” have been targeted in the campaign, the advisory reads. Perhaps most notable about the agencies’ accusations is that the hackers targeted 10,000 security cameras in countries bordering Ukraine, including at border crossings, military facilities, and train stations. According to the agencies, the GRU hackers also carried out reconnaissance of the network of at least one producer of industrial control system components for railway systems—suggesting a possible intention to attempt sabotage—but didn’t actually succeed in breaching the company.

**US Indicts Russian National Over Qakbot Malware**

The US Department of Justice on Thursday indicted a Russian national, Rustam Gallyamov, on allegations that he designed software that was widely used by ransomware gangs and is known to have infected hundreds of thousands of computers, netting the gangs roughly $8.6 million in profit, according to DOJ figures. Prosecutors say more than $24 million was seized from Gallyamov, 48, over the course of its investigation. Federal charges unsealed this week allege that Gallyamov himself gained access to victims’ computers and provided it to an array of cybercriminal organizations, including Dopplepaymer, REvil, Black Basta, and Cactus, among others.

The investigation into the now disrupted malware, known as Qakbot, was announced in August 2023 under former US attorney general Merrick Garland, who credited a multinational operation that included Europol and prosecutors and law enforcement agencies in France, Germany, the Netherlands, Romania, Latvia, and the United Kingdom. Agencies of Canada and Denmark have also been credited in the investigation that targeted Gallyamov.

The US Is Building a One-Stop Shop for Buying Your Data

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments.

The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ’s announcement of the charges describes the group as “Russia-based,” and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US.

Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also makes a rarer claim—it describes how a second variant of the malware it says was used in espionage against military, government, and NGO targets. “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli wrote in a statement.

Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an “affiliate” model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike.

At one point in 2021, according to Crowdstrike, Danabot was used in a software supply-chain attack that hid the malware in a javascript coding tool called NPM with millions of weekly downloads. Crowdstrike found victims of that compromised tool across the financial service, transportation, technology, and media industries.

That scale and the wide variety of its criminal uses made DanaBot “a juggernaut of the e-crime landscape,” according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint.

More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity.

Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine.

All of that makes DanaBot a particularly clear example of how cybercriminal malware has allegedly been adopted by Russian state hackers, Proofpoint's Larson says. “There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,” says Larson. The case of DanaBot, she says, “is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.”

In the criminal complaint, DCIS investigator Elliott Peterson—a former FBI agent known for his work on the investigation into the creators of the Mirai botnet—alleges that some members of the DanaBot operation were identified after they infected their own computers with the malware. Those infections may have been for the purposes of testing the trojan, or may have been accidental, according to Peterson. Either way, they resulted in identifying information about the alleged hackers ending up on DanaBot infrastructure that DCIS later seized. “The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on DanaBot servers, including data that helped identify members of the DanaBot organization,” Peterson writes.

The operators of DanaBot remain at large, but the takedown of a large-scale tool in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at Crowdstrike.

“Every time you disrupt a multiyear operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,” Meyers says. “But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.”

Source

Wired