A new report from Chainalysis finds that stablecoins like Tether, tied to the value of the US dollar, were used in the vast majority of crypto-based scam transactions and sanctions evasion in 2023.

Stablecoins, cryptocurrencies pegged to a stable value like the US dollar, were created with the promise of bringing the frictionless, border-crossing fluidity of Bitcoin to a form of digital money with far less volatility. That combination has proved to be wildly popular, rocketing the total value of stablecoin transactions since 2022 past even that of Bitcoin itself.

It turns out, however, that as stablecoins have become popular among legitimate users over the past two years, they were even more popular among a different kind of user: those exploiting them for billions of dollars of international sanctions evasion and scams.

As part of its annual crime report, cryptocurrency-tracing firm Chainalysis today released new numbers on the disproportionate use of stablecoins for both of those massive categories of illicit crypto transactions over the last year. By analyzing blockchains, Chainalysis determined that stablecoins were used in fully 70 percent of crypto scam transactions in 2023, 83 percent of crypto payments to sanctioned countries like Iran and Russia, and 84 percent of crypto payments to specifically sanctioned individuals and companies. Those numbers far outstrip stablecoins' growing overall use—including for legitimate purposes—which accounted for 59 percent of all cryptocurrency transaction volume in 2023.

In total, Chainalysis measured $40 billion in illicit stablecoin transactions in 2022 and 2023 combined. The largest single category of that stablecoin-enabled crime was sanctions evasion. In fact, across all cryptocurrencies, sanctions evasion accounted for more than half of the $24.2 billion in criminal transactions Chainalysis observed in 2023, with stablecoins representing the vast majority of those transactions.

The attraction of stablecoins for both sanctioned people and countries, argues Andrew Fierman, Chainalysis' head of sanctions strategy, is that it allows targets of sanctions to circumvent any attempt to deny them a stable currency like the US dollar. “Whether it's an individual located in Iran or a bad guy trying to launder money—either way, there's a benefit to the stability of the US dollar that people are looking to obtain,” Fierman says. “If you're in a jurisdiction where you don't have access to the US dollar due to sanctions, stablecoins become an interesting play.”

As examples, Fierman points to Nobitex, the largest cryptocurrency exchange operating in the sanctioned country of Iran, as well as Garantex, a notorious exchange based in Russia that has been specifically sanctioned for its widespread criminal use. Stablecoin usage on Nobitex outstrips bitcoin by a 9:1 ratio, and on Garantex by a 5:1 ratio, Chainalysis found. That's a stark difference from the roughly 1:1 ratio between stablecoins and bitcoins on a few nonsanctioned mainstream exchanges that Chainalysis checked for comparison.

Chainalysis's chart showing the growth in stablecoins as a fraction of the value of total illicit crypto transactions over time.

COURTESY OF CHAINALYSIS

Chainalysis concedes that the analysis in its report excludes some cryptocurrencies like Monero and Zcash that are designed to be harder or impossible to trace with blockchain analysis. It also says it based its numbers on the type of cryptocurrency sent directly to an illicit actor, which may leave out other currencies used in money laundering processes that repeatedly swap one type of cryptocurrency for another to make tracing more difficult.

Chainalysis's findings come on the heels of another report released earlier this week by United Nations researchers on the outsize role of stablecoins in illegal gambling and scam operations across East and Southeast Asia. While Chainalysis declined to break out the value of any particular stablecoin in its findings, the UN report singles out Tether, the most popular stablecoin. The report describes Tether sent through the TRON blockchain-based payment network as the “preferred choice for regional cyberfraud operations and money launderers alike due to its stability and the ease, anonymity, and low fees of its transactions.”

“Pig butchering” scams—cons in which scammers typically trick users into sending funds into fraudulent investments—consistently use Tether as the means of bilking victims, says Erin West, a deputy district attorney for California's Santa Clara County and a member of the REACT High Tech Task Force, who has long focused on crypto crime. “It’s always, always, always Tether. I’ve never heard of pig butchering that _isn’t_ Tether,” says West. “These scammers can’t risk the volatility of any of the other coins like bitcoin or ether. All they want is to move assets from the victims' hands to their own in the cheapest, easiest way possible.”

West says that the high proportion of stablecoin use in sanctions evasion also represents a disturbing trend, given that it undermines a system meant to hold specific countries, individuals, and companies accountable for criminal behavior and violations of international law. “It's so dangerous,” West says. “It enables them to have access to the very units of currency that we’re trying to prevent them from accessing. This is exactly what sanctions are meant to stop, and they’re able to bypass it.”

Chainalysis's chart showing how stablecoins dominated cryptocurrency-based sanctions evasion and scams in 2023.

COURTESY OF CHAINALYSIS

When WIRED reached out to Tether Holdings—the company that issues the stablecoin that shares its name—it responded in a statement following publication of this article that “Tether proactively collaborates with global law enforcement agencies to identify and prevent illicit use of” its cryptocurrency, adding that its “commitment to the highest standards of compliance is evident in our efforts to eliminate various forms of criminal activity.”

Tether argued further that it has contributed to freezing the assets of users involved in scams or found to be violating the US Treasury's sanctions lists, and noted that all of its transactions, like many cryptocurrencies, can be publicly observed on blockchains—in other words, the observability that made Chainalysis's report possible. “Between our active and direct engagement with law enforcement and leveraging the transparent nature of blockchain transactions, individuals attempting to conceal their illicit financial activities face significant risks, as every transaction can be easily traced,” the company's statement reads.

Tether Holdings has more flatly denied other reports of Tether's use in crime and sanctions evasion. It wrote that an October _Wall Street Journal_ article on the subject was based on “highly erroneous interpretations of data”—though in that case, the company pointed to Chainalysis findings as a more accurate accounting. “There is simply no evidence that Tether has violated Sanctions laws or the Bank Secrecy Act through inadequate customer due diligence or screening practices,” Tether Holdings wrote in an October 26 blog post addressing the _WSJ_ article.

In contrast to most cryptocurrencies, Tether does have the capability to freeze user funds, and it said in the October blog post that since its launch in 2014, it had frozen $835 million in funds deemed to be tied to illicit activities. “Tether's ethos revolves around transparency, compliance, and proactive collaboration with relevant authorities worldwide,” the company wrote.

Chainalysis' Fierman says that Tether's efforts to freeze criminal funds are having an impact, and more enforcement could help end stablecoins' exploitation by criminals. “Just as we’ve seen with compliant exchanges dominating more and more of total transaction volumes, illicit activity gets pushed to the fringes,” Fierman says.

Despite Tether's ability to freeze funds, Chainalysis' data suggests that illicit use of stablecoins has so far dwarfed those seizures. West, the prosecutor, notes that most Tether associated with crime is cashed out for another currency long before anyone identifies it. That means Tether hasn't yet come close to solving the underlying problem.

“I applaud it. I'm all for it,” West says of Tether's efforts to freeze criminal assets. “But when we're talking about billions and billions of dollars in assets moving, I just think this is one piece of one piece of the puzzle. There are so many more pieces. And the bad actors are so far ahead of us.”

_Updated at 9:45 am ET, January 18, 2024, to correctly identify prosecutor Erin West's professional title and at 2:45 pm ET with a statement from Tether Holdings._

‘Stablecoins’ Enabled $40 Billion in Crypto Crime Since 2022

Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong—and set the stage for a decade-long crackdown.

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity

Patching every device affected by the LeftoverLocals vulnerability—which includes some iPhones, iPads, and Macs—may prove difficult.

As more companies ramp up development of artificial intelligence systems, they are increasingly turning to graphics processing unit (GPU) chips for the computing power they need to run large language models (LLMs) and to crunch data quickly at massive scale. Between video game processing and AI, demand for GPUs has never been higher, and chipmakers are rushing to bolster supply. In new findings released today, though, researchers are highlighting a vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could allow an attacker to steal large quantities of data from a GPU’s memory.

The silicon industry has spent years refining the security of central processing units, or CPUs, so they don’t leak data in memory even when they are built to optimize for speed. However, since GPUs were designed for raw graphics processing power, they haven’t been architected to the same degree with data privacy as a priority. As generative AI and other machine learning applications expand the uses of these chips, though, researchers from New York–based security firm Trail of Bits say that vulnerabilities in GPUs are an increasingly urgent concern.

“There is a broader security concern about these GPUs not being as secure as they should be and leaking a significant amount of data,” Heidy Khlaaf, Trail of Bits’ engineering director for AI and machine learning assurance, tells WIRED. “We’re looking at anywhere from 5 megabytes to 180 megabytes. In the CPU world, even a bit is too much to reveal.”

To exploit the vulnerability, which the researchers call LeftoverLocals, attackers would need to already have established some amount of operating system access on a target’s device. Modern computers and servers are specifically designed to silo data so multiple users can share the same processing resources without being able to access each others’ data. But a LeftoverLocals attack breaks down these walls. Exploiting the vulnerability would allow a hacker to exfiltrate data they shouldn’t be able to access from the local memory of vulnerable GPUs, exposing whatever data happens to be there for the taking, which could include queries and responses generated by LLMs as well as the weights driving the response.

In their proof of concept, as seen in the GIF below, the researchers demonstrate an attack where a target—shown on the left—asks the open source LLM Llama.cpp to provide details about WIRED magazine. Within seconds, the attacker’s device—shown on the right—collects the majority of the response provided by the LLM by carrying out a LeftoverLocals attack on vulnerable GPU memory. The attack program the researchers created uses less than 10 lines of code.

An attacker (right) exploits the LeftoverLocals vulnerability to listen to LLM conversationsVideo: Trail of Bits

Last summer, the researchers tested 11 chips from seven GPU makers and multiple corresponding programming frameworks. They found the LeftoverLocals vulnerability in GPUs from Apple, AMD, and Qualcomm, and launched a far-reaching coordinated disclosure of the vulnerability in September in collaboration with the US-CERT Coordination Center and the Khronos Group, a standards body focused on 3D graphics, machine learning, and virtual and augmented reality.

The researchers did not find evidence that Nvidia, Intel, or Arm GPUs contain the LeftoverLocals vulnerability, but Apple, Qualcomm, and AMD all confirmed to WIRED that they are impacted. This means that well-known chips like the AMD Radeon RX 7900 XT and devices like Apple’s iPhone 12 Pro and M2 MacBook Air are vulnerable. The researchers did not find the flaw in the Imagination GPUs they tested, but others may be vulnerable.

An Apple spokesperson acknowledged LeftoverLocals and noted that the company shipped fixes with its latest M3 and A17 processors, which it unveiled at the end of 2023. This means that the vulnerability is seemingly still present in millions of existing iPhones, iPads, and MacBooks that depend on previous generations of Apple silicon. On January 10, the Trail of Bits researchers retested the vulnerability on a number of Apple devices. They found that Apple’s M2 MacBook Air was still vulnerable, but the iPad Air 3rd generation A12 appeared to have been patched.

A Flaw in Millions of Apple, AMD, and Qualcomm GPUs Could Expose AI Data

The FTC forced a data broker to stop selling “sensitive location data.” But most companies can avoid such scrutiny by doing the bare minimum, exposing the lack of protections Americans truly have.

The US Federal Trade Commission (FTC) reached a settlement last week with an American data broker known to sell location data gathered from hundreds of phone apps to the US government, among others. According to the agency, the company ignored in some cases the requests of consumers not to do so, and more broadly failed to ensure that users were notified of how their harvested data would be used.

News that the settlement requires the company, formerly known as X-Mode, to stop selling people's “sensitive location data” was met with praise from politicians calling the outcome “historic” and reporters who deemed the settlement a “landmark” win for the American consumer. This “major privacy win,” as one outlet put it, will further require the company, rebranded as Outlogic after its activities were exposed, to delete all of the data it has illicitly gathered so far.

Outlogic, for its part, offered a drastically different take, denying any wrongdoing and vowing that the FTC order would “not require any significant changes” to its practices or products. While the company is potentially downplaying the cost to its business, it is certainly true that any ripples from the settlement will be imperceptible to consumers and Outlogic's industry at large—one which profits by selling Americans' secrets to spy agencies, police, and the US military, helping the government to dodge the supervision of the courts and all its pesky warrant requirements.

The FTC's crackdown on X-Mode's activities may indeed be historic, but from a consumer standpoint, it’s for all the wrong reasons. First, it's important to understand that the order concerns what the FTC is calling “sensitive location data,” a term of art impressively deluding and redundant at the same time. Any data that exhaustively chronicles a person’s physical presence—every moment of every day—is inherently sensitive.

There is no question that persistently tracking people’s whereabouts reveals political, religious, and even sexual associations. The act of collecting this data is a sweeping form of surveillance no matter the target. While it is easier, perhaps, to imagine how guests of “medical and reproductive health clinics, places of religious worship and domestic abuse shelters” are especially vulnerable to commercial forms of stalking, there are myriad ways in which people's whereabouts, once exposed, can endanger or ruin their lives.

Location data is inherently sensitive—so says society, an overwhelming consensus of privacy experts, and the highest court in the land.

One need only look to Congress to understand the level of fear that this precise form of surveillance inspires in those who’ve never been battered, stalked, or unhoused. Members of the House Intelligence Committee—most of whom lack an internal reproductive system—are vying at this very moment to shield federal lawmakers alone from this invasive and omnipresent tracking.

Given the current political climate, it’s not hard to imagine why politicians are afraid of surrendering their location data, leaving it accessible to virtually anyone on the cheap. But they are relatively few in number, and hardly any of them fall into the category of “most at-risk” for violence or discrimination. Unlike those who do, members of Congress have the unique power to change the law and protect themselves. Given the opportunity, that’s precisely what many have opted to do—just as they did a year earlier for federal judges.

Protection against persistent tracking is something we can definitively say is being sought after by a privileged few. But citing law enforcement needs and nebulous national security concerns, protecting anyone other than themselves is a matter that apparently demands more discussion, more caution, and more delay.

If America is creating a new protected class to shield federal lawmakers alone from surveillance, then it must accept that, unlike the vast majority of citizens who’ve never been accused of a crime, this class would be historically replete with criminals. US lawmakers have faced charges and convictions for bribery, perjury, and felony theft, not to mention obstruction of justice, withholding evidence of secret arms sales, and the possession of child sexual abuse material.

The FTC's victory in the Outlogic case is even more piddling in light of the commission today being led by one of the most vocal privacy protection advocates it has ever had, chairperson Lina Khan. That the company is still in business and touting how little the settlement matters underscores how truly underpowered and ill-equipped the FTC is for the job it's been asked to perform. It is not actually armed to protect Americans from being relentlessly surveilled, nor is that even technically its mission. Under the current regime, the agency is permitted at best to hold surveillants to a standard of “notice and choice,” one both illusory and enabling corporations (and the US government by proxy) to right now track Americans’ whereabouts at any time, all of the time, with no real legal concern.

The FTC’s principle regulatory weapon in privacy cases is known as Section Five, and it largely targets companies in privacy cases for lying. The case against Outlogic, for example, is based in part on its failure to disclose how people’s location data would ultimately be used. It did not, the FTC says, notify users that their data might be sold to government agencies for “national security purposes.” Here, the FTC's job is to ensure consumers receive “notice” of how their data is being used. But the job is a sham, and everyone who's ever clicked “I agree” on a privacy policy knows it.

Before the Outlogic case, only a small number of Americans even knew the company existed. An even smaller number had ever glanced at its terms of service, and even fewer—we’re now approaching zero—could be said to have actually read and understood what it said. Commissioners at the agency have long acknowledged as much.

“It is no wonder,” Commissioner Rebecca Slaughter said in 2019, that “98 percent” of people in one study clicked “I agree” to privacy policies that “disclosed sharing with the NSA and paying for the service by signing away your first-born child.”

The same study, out of York University, labeled the “notice” aspect of privacy regulation “the biggest lie on the internet,” detailing how research showed over 75 percent of users opted to skip reading privacy policies altogether. Those who didn’t, on average, spent roughly a minute skimming policies that would’ve taken an ordinary person 15-17 minutes to actually read, let alone comprehend.

Famously, a decade ago, researchers out of Carnegie Mellon determined that it would take an average person roughly 76 working days to consume all of the privacy policies they encounter in a year. The use of “gotcha clauses” has also been repeatedly used to demonstrate that people _do not read_ the terms of service. To wit, in July 2010, it was reported that more than 7,500 people had unknowingly sold their souls to a video game company.

These facts demonstrate unequivocally that the crime for which Outlogic is accused—failing to give consumers notice of how their data would be used—is not one of greed or opportunity, but sheer stupidity. The law is all but performative, so companies have nothing to lose by complying. Users can be counted on to agree to basically anything (up to and including being enslaved for all eternity).

People cannot “consent” to something they do not understand, just as consent cannot really be called “consent” when it involves a metaphorical gun to the head.

The truth is that even if users were strapped to a chair and forced to spend the 600 hours a year it would take to devour all of the purposely dense legal terms they agree to, many of those agreements are patently coerced, as the Supreme Court has said. So ubiquitous now is the technology tracking our movements, in “no meaningful sense” are people voluntarily accepting the risks of allowing companies to access and share that information. It is a matter of participating in society or not; of being employed or not.

It is also the FTC’s job to protect consumers from harm. But the definition of “harm”—like “notify” and “consent”—is watered down to the point of creating a serious gap between what it means and how most people actually use it. Companies are effectively free to harm people anyway, so long as it’s deemed "reasonably" avoidable by the agency and beneficial to competition on the whole.

Should the FTC fail to act, consumers have little recourse but to sit and suffer. It is nearly impossible for an individual to obtain standing in federal court to sue a corporation after their privacy is violated, assuming they can even afford to try. Merely exposing personal information is not enough. A test created by two recent Supreme Court rulings requires victims to demonstrate “concrete harm” to bring a case, even if tying any one company to an act of identity theft, harassment, or financial loss is, in nearly every instance, a fantastical objective.

Congress's last big push to pass a comprehensive privacy bill—the American Data Privacy and Protection Act of 2022—ironically would have exempted Outlogic’s activities altogether. Fearful of fighting a war on two fronts, its authors choose to purposefully avoid going after companies contracting with intelligence and law enforcement agencies. But there is one bill floating in Congress right now aimed at ending the government’s ongoing practice of buying location data from Outlogic-like companies and circumventing the courts.

The Fourth Amendment Is Not For Sale Act was introduced and passed by the House Judiciary Committee last month as part of a bigger package aiming to reauthorize and reform the problematic US intelligence program known as Section 702. The bill is slated to be taken up again this year, likely in February, sparking one of the fiercest fights over US privacy law Americans have seen in years.

Outlawing a pervasive practice that helped transform domestic surveillance into a windfall industry is a move that would be actually historic—for all the right reasons.

The Sad Truth of the FTC's Location Data Privacy Settlement

Plus: Chinese officials tracked people using AirDrop, Stuxnet mole’s identity revealed, AI chatbot hacking, and more.

“EBay's actions against us had a damaging and permanent impact on us—emotionally, psychologically, physically, reputationally, and financially—and we strongly pushed federal prosecutors for further indictments to deter corporate executives and board members from creating a culture where stalking and harassment is tolerated or encouraged,” Ina and David Steiner say in a victim statement published online. The couple also highlighted that EcommerceBytes has filed a civil lawsuit against eBay and its former employees that is set to be heard in 2025.

China’s Judicial Bureau has claimed a privately run research institution, the Beijing Wangshendongjian Judicial Appraisal Institute, has created a way to identify people using Apple’s AirDrop tool, including determining phone numbers, email addresses, and device names. Police have been able to identify suspects using the technique, according to reports and a post from the Institute. Apple’s wireless AirDrop communication and file-sharing method has previously been used in China to protest the leadership of President Xi Jinping, and Apple introduced a 10-minute time limit sharing period in China, before later rolling it out globally.

In a blog post analyzing the incident, Johns Hopkins University cryptographer Matthew Green says the attack was initially discovered by researchers at Germany’s Technical University of Darmstadt in 2019. In short, Green says, Apple doesn’t use a secure private set intersection that can help mask people’s identity when communicating with other phones using AirDrop. It’s unclear if Apple plans to make any changes to stop AirDrop being abused in the future.

It’s been more than 15 years since the Stuxnet malware was smuggled into Iran’s Natanz uranium enrichment plant and destroyed hundreds of centrifuges. Despite the incident happening over a decade ago, there are still plenty of details that remain unknown about the attack, which is believed to have been coordinated by the US and Israel. That includes who may have delivered the Stuxnet virus to the nuclear facility—a USB thumb drive was used to install the worm into the nuclear plant’s air-gapped networks. In 2019, it was reported that Dutch intelligence services had recruited an insider to help with the attack. This week, the Dutch publication _Volkskrant_ claimed to identify the mole as Erik van Sabben. According to the report, van Sabben was recruited by Dutch intelligence service AIVD in 2005, and politicians in the Netherlands did not know about the operation. Van Sabben is said to have left Iran shortly after the sabotage began. However, he died two weeks later, on January 16, 2009, after being involved in a motorcycle accident in Dubai.

The rapid advances in generative AI systems, which use machine learning to create text and produce images, has seen companies scrambling to incorporate chatbots or similar technologies into their products. Despite the progress, traditional cybersecurity practices of locking down systems from unauthorized access and making sure apps can’t access too much data still apply. This week, 404 Media reported that Chattr, a company creating an “AI digital assistant” to help with hiring, exposed data through an incorrect Firebase configuration and also revealed how its systems work. This includes the AI appearing to have the ability to “accept or deny job applicants.” The pseudonymous security researcher behind the finding, MrBruh, shared a video with 404 Media showing the chatbot appearing to automatically make decisions about job applications. Chattr secured the exposed systems after being contacted by the researchers but did not comment on the incident.

A Bloody Pig Mask Is Just Part of a Wild New Criminal Charge Against eBay

The US Securities and Exchange Commission and security firm Mandiant both had their X accounts breached, possibly due to changes to X’s two-factor authentication settings. Here’s how to fix yours.

This week, the United States Securities and Exchange Commission (SEC) suffered an embarrassing—and market-moving—breach in which a hacker gained access to its X social media account and published fake information about a highly anticipated SEC announcement related to bitcoin. The agency regained control of its account and deleted the post in under an hour, but the situation is troubling, especially given that the prominent and well-respected security firm Mandiant, which is owned by Google, had its X account compromised in a similar incident last week.

Details are still emerging about exactly what happened in each case, but there are common threads that made the account takeovers possible—and there are ways to protect yourself.

Crucially, both accounts had the digital protection known as “two-factor authentication” disabled at the time of the takeovers. Also known as 2FA, the defense requires a rotating numeric code or physical dongle in addition to a person's login credentials, so everything isn't resting on just a username and password. The SEC has not yet said whether it had two-factor turned off accidentally as a result of X's February 2023 policy change, which made it so only accounts paying for a Blue subscription would have access to two-factor codes sent via text message. Mandiant implied on Wednesday that this change was the reason it did not have the protection turned on for its X account, saying, “Normally, 2FA would have mitigated this, but due to some team transitions and a change in X’s 2FA policy, we were not adequately protected.”

Mandiant said hackers were able to guess the password protecting its X account in “a brute force” attack. X itself said on Tuesday that the SEC account hack was the result of “an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party.”

The two incidents lay out a punch list of the most important steps you can take to lock down your X account. First, ensure that your account is protected by a strong, unique password. Second, turn on two-factor for your account or, if you think you already have it on, check to make sure. X’s move to make people pay for a basic form of two-factor is problematic. It also created confusion because the company prompted free users to switch away from SMS two-factor, but then seemingly simply turned off the protection altogether for those who didn’t. This likely left a group of users in a situation where they think they have two-factor authentication on, but actually don’t.

To confirm that you have two-factor on, or to enable it for the first time, log into your X account, go to **Settings and privacy**, then **Security and account access**, **Security**, and then **Two-factor authentication**. (You can also click here if you're already logged into X). On that screen, you can choose between using two-factor authentication with a code-generating app or a physical security key. You can also generate backup codes for your account to log in to X even if you lose access to your second factor.

Finally, check that there isn't a phone number linked to your X account that can be used for account recovery. Twitter uses phone numbers to “verify” high-profile accounts and also offers a feature called “Additional password protection,” through which “you must provide either the phone number or email address associated with your account in order to reset your password.” It seems, though, that by having a phone number associated with its X account, the SEC was putting itself at greater risk, because attackers could gain control of the account by first taking over the associated phone number using an attack known as a SIM swap.

“Remove your phone number from Twitter altogether to ensure you avoid the SIM-swap threat with Twitter's risky text-message-based password reset flow,” says Rachel Tobac, a longtime account compromise researcher and CEO of SocialProof Security. She adds that X users should “turn on 2FA—I recommend app-based at the very least—and ensure you have a strong password on the account."

Though X has made it more convoluted to enable strong account security, it’s worth learning from the SEC and Mandiant’s mistakes.

How to Stop Your X Account From Getting Hacked Like the SEC's

Crypto tracing firm Chainalysis found that sellers of child sexual abuse materials are successfully using “mixers” and “privacy coins” like Monero to launder their profits and evade law enforcement.

For those who trade in child sexual exploitation images and videos in the darkest recesses of the internet, cryptocurrency has been both a powerful tool and a treacherous one. Bitcoin, for instance, has allowed denizens of that criminal underground to buy and sell their wares with no involvement from a bank or payment processor that might reveal their activities to law enforcement. But the public and surprisingly traceable transactions recorded in Bitcoin's blockchain have sometimes led financial investigators directly to pedophiles’ doorsteps.

Now, after years of evolution in that grim cat-and-mouse game, new evidence suggests that online vendors of what was once commonly called “child porn” are learning to use cryptocurrency with significantly more skill and stealth—and that it's helping them survive longer in the internet's most abusive industry.

Today, as part of an annual crime report, cryptocurrency tracing firm Chainalysis revealed new research that analyzed blockchains to measure the changing scale and sophistication of the cryptocurrency-based sale of child sexual abuse materials, or CSAM, over the past four years. Total revenue from CSAM sold for cryptocurrency has actually gone down since 2021, Chainalysis found, along with the number of new CSAM sellers accepting crypto. But the sophistication of crypto-based CSAM sales has been increasing. More and more, Chainalysis discovered, sellers of CSAM are using privacy tools like “mixers” and “privacy coins” that obfuscate their money trails across blockchains.

Perhaps because of that increased savvy, the company found that CSAM vendors active in 2023 persisted online—and evaded law enforcement—for a longer time than in any previous year, and about 57 percent longer than even in 2022. “Growing sophistication makes identification harder. It makes tracing harder, it makes prosecution harder, and it makes rescuing victims harder,” says Eric Jardine, the researcher who led the Chainalysis study. “So that sophistication dimension is probably the worst one you could see increasing over time.”

Better Stealth, Longer Criminal Lifespans

Scouring blockchains, Chainalysis researchers analyzed around 400 cryptocurrency wallets of CSAM sellers and more than 10,000 buyers who sent funds to them over the past four years. Their most disturbing finding in that broad economic study was that crypto-based CSAM sellers seem to have a longer lifespan online than ever, suggesting a kind of relative impunity. On average, CSAM vendors who were active in 2023 remained online for 884 days, compared with 560 days for those active in 2022 and just 112 days in 2020.

To explain that new longevity for some of the most harmful actors on the internet, Chainalysis points to how CSAM vendors are increasingly laundering their proceeds with cryptocurrency mixers—services that blend users' funds to make tracing more difficult—such as ChipMixer and Sinbad. (US and German law enforcement shut down ChipMixer in March 2023, but Sinbad remains online despite facing US sanctions for money laundering.) In 2023, Chainalysis found that about 46 percent of CSAM vendors used mixers, up from around 22 percent in 2020.

Chainalysis also found that CSAM vendors are increasingly using “instant exchanger” services that often collect little or no identifying information on traders and allow them to swap bitcoin for cryptocurrencies like Monero and Zcash—"privacy coins" designed to obfuscate or encrypt their blockchains to make tracing their cash-outs of profits far more difficult. Chainalysis’ Jardine says that Monero in particular seems to be gaining popularity among CSAM purveyors. In the company's investigations, Chainalysis has seen it used repeatedly by CSAM sellers laundering funds through instant exchangers, and in multiple cases it has also seen CSAM forums post Monero addresses to solicit donations. While the instant exchangers did offer other cryptocurrencies, including the privacy coin Zcash, Chainalysis’ report states that “we believe Monero to be the currency of choice for laundering via instant exchangers.”

Chainalysis’s chart of how long CSAM vendors who were active in each year had persisted online, suggesting that their resilience to takedown has steadily increased over time.

Chainalysis

The CSAM adoption curve for those instant exchangers—and, Chainalysis suggests, the privacy coins they offer—is steep: Chainalysis found that 52 percent of CSAM vendors active in 2023 sent money to instant exchangers that let users trade bitcoins for Monero, up from around 17 percent in 2020. Two CSAM vendors that Chainalysis tracked, for example, each received about $100,000 worth of cryptocurrency payments since 2020 and over the past four years almost entirely shifted from cashing out those funds at traditional cryptocurrency exchanges to trading them on instant exchangers that offered Monero. (To avoid disrupting any ongoing law enforcement investigations, Chainalysis declined to name those vendors, other CSAM sellers, or any of the instant exchangers they've used.)

Chainalysis’ researchers went so far as to correlate CSAM vendors’ use of instant exchangers offering Monero to those sellers’ increased survival rates online: After a thousand days, about one out of five CSAM vendors who used the Monero-friendly instant exchangers were still active versus just one in 25 CSAM sellers who didn't. “The data suggests that Monero helps CSAM vendors stay in business longer,” Chainalysis’ report reads.

Fewer Agents of Exploitation—and Smarter Ones

Even as the resilience of CSAM sellers who used crypto grew in 2023, Chainalysis says the overall scale of the problem may be declining by some measures. While the company found that the number of CSAM-related cryptocurrency transactions was up 89 percent since 2019, it dropped by 22 percent from 2022 to 2023. Chainalysis also counted only 43 new vendors selling CSAM for cryptocurrency in 2023, compared to 112 the previous year.

The company's researchers speculate that the decline may be due in part to the CSAM underground's increased awareness that cryptocurrency can be traced. In the highly publicized case of the Welcome to Video dark web site, one of the biggest-ever online repositories of CSAM videos, Bitcoin tracing allowed law enforcement to identify and arrest 337 men around the world and to remove 23 children from exploitative situations. (As an example of the publicity around the case, WIRED detailed the investigation in a 2022 magazine cover story.) “It's possible that the Welcome to Video case was a wake-up call for a lot of people,” says Sasha Plotnikova, a cybercrime researcher at Chainalysis.

The Internet Watch Foundation, a UK-based anti-CSAM organization that Chainalysis consulted in its research, says it has seen a similar trend in its own analysis of cryptocurrency's use by CSAM sellers. Over the past half-decade, the IWF has seen a “steady increase” in online offers of CSAM in exchange for cryptocurrency, one of the foundation's analysts told WIRED. That trend peaked in 2022, however, with the IWF recording 1,025 instances of CSAM sellers offering to accept crypto that year, just 11 more than in 2021.

At the same time, the analyst for the IWF, who asked to remain unnamed due to the sensitivity of their work, echoed Chainalysis’ finding that Monero is now being used in the CSAM industry. “We've definitely seen cases of sites asking for payment in Monero,” the analyst told WIRED.

Apex Predators

Beyond Monero's common perception as being untraceable, to what degree Monero really _does_ protect CSAM vendors remains a subject of debate and secrecy. Chainalysis has long maintained public silence on whether it offers Monero-tracing capabilities to its customers. But a leaked slide from one of the company's presentations to Italian police in 2021 claimed that Chainalysis can provide a “usable lead” in 65 percent of cases in which it worked with law enforcement to trace Monero and could identify the likely sender, but not the recipient, in another 20 percent of cases.

On that same leaked slide, Chainalysis also referred to a case in which “customers of a CSAM website in Asia were identified from transactions with the administrator's seized Monero wallet.”

Chainalysis declined to answer WIRED's questions on Monero tracing. But its report hints that law enforcement might “consider investment in specialized blockchain analysis services that can make Monero tracing possible,” as well as calling for instant exchangers to build safeguards that prevent their abuse by CSAM sellers.

Taken together, the study suggests a form of complex and messy natural selection playing out in the internet's exploitation economy. The sellers of child abuse images and videos who once naively believed that simply using cryptocurrency would protect them from law enforcement are disappearing. They're being replaced by a new generation of surviving CSAM sellers who are far more careful in their cryptocurrency transactions. But in an ecosystem where cryptocurrency tracers like Chainalysis remain the real apex predators, even those more resilient members of the digital child abuse industry may not be as safe as they think.

_Updated at 11 am ET, January 11, 2024, with more complete historical data from the Internet Watch Foundation._

Child Abusers Are Getting Better at Using Crypto to Cover Their Tracks

More than 4 million school records, including safety procedures, student medical files, and court documents, were also publicly accessible online.

Fowler says all the exposed documents appear to have been uploaded by schools to Raptor Technologies’ systems, some at a regularly monthly cadence. Within some school reports, Fowler says, he saw specific details such as officials noting doors that don’t lock or that a security camera has not been working for months. “If a domestic terrorist had basically a working map of all the vulnerabilities of a government building or a school or anything, that presents a huge hypothetical risk,” Fowler says. “Some of the maps even have arrows of which way the kids are going to run if there's an active shooter, where they're going to hide. I've never seen anything like that.”

The security researcher viewed a sample of the accessible documents to determine their authenticity and who they belonged to—allowing the leak to be reported to Raptor Technologies. WIRED is not naming any schools for safety reasons.

David Rogers, chief marketing officer at Raptor Technologies, tells WIRED the company “immediately implemented remediation protocols” to secure the exposed data once it was contacted and started an investigation into the issue. “We have communicated with all Raptor customers,” Rogers says. “There is no indication at this time that any such data was accessed by third parties beyond the cybersecurity researcher and Raptor Technologies personnel,” he says, adding there is no reason to believe there has been any misuse of the information.

“We sincerely regret this issue and any concern or inconvenience it may have caused,” Rogers says. The company's investigation into the incident is ongoing, Rogers says, adding that the “safety and wellbeing of children, staff, and the community members of our customers is the top priority of Raptor Technologies.”

Multiple school districts contacted by WIRED about the breach did not respond to requests for comment or declined to comment.

Beyond the safety reports included in the exposed files were documents and logs that detail personal information about students. Some documents detail risks that individual students could pose, their recent behavior, and if it has been improving. One document details threats or concerns about individual students: It names a student who has been fighting and bullying other students “almost daily for past two weeks.”

Another, a meeting agenda discussing students, lists physical attacks made by students, an individual’s threats of self-harm, and incidents of theft. “\[Student name\] is aggressive, kicking, scratching, and fights while transitioning from the bus each morning,” one file says of a student. It adds that the student “locked himself in principal’s office and grabbed a pair of scissors.”

Also in the exposed files were health forms listing students’ names, their parents’ names and phone numbers, their dentists, and health conditions. One file detailed a student’s type 1 diabetes, whether they have glasses, their last tetanus shot, and more. Other files included court orders detailing a person charged with “Criminal Sexual Conduct With a Minor,” while yet another is a protective order for family abuse that names children and the person accused. Fowler also saw temporary restraining orders and trespass notices that exclude people from visting the schools.

Beyond posing potential physical security risks, the exposure of the files could also have been a target for cybercriminals such as ransomware gangs, Fowler says. “You have kids who have sensitive school records, you have so many different implications here,” he says. Schools, colleges, and education establishments have been hit by ransomware groups in recent years, with some of the criminal gangs also turning to extortion of people using data they have stolen.

According to security firm Emsisoft’s review of ransomware in the US, at least 108 K-12 districts and at least 72 postsecondary schools were impacted by ransomware in 2023. In some of these incidents, sensitive files about students have been stolen and dumped online directly from schools without people’s knowledge. “We've all done stupid stuff when we were kids, and then we grew up and grew out of that,” Fowler says. “The real privacy issue is something you did as a kid could haunt you forever based on a data breach.”

_Updated at 1 pm ET, January 11, 2024: A graphic meant for an unrelated article was inadvertently included in an earlier version of this story. We regret the error._

US School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak

The US Securities and Exchange Commission is under pressure to explain itself after its X account was compromised, leading to wild swings in the bitcoin market.

A raft of US senators have demanded answers from the Securities and Exchange Commission (SEC) after a security incident led to false and market-moving information being published by the financial regulator.

At 4:11 pm ET on January 9, a post was published to the SEC’s X account announcing the approval of spot bitcoin ETFs, a type of financial product that would allow people to invest in the crypto asset through a regular brokerage. By 4:26 pm, SEC chair Gary Gensler had issued a retraction and said the agency’s account had been “compromised,” and that an “unauthorized tweet was posted.” The damage had already been done.

There has been speculation by media outlets, including Fox Business, that the SEC might be tasked with investigating itself over market manipulation infractions, as a regulator responsible for protecting US investors from precisely that threat. More likely, says a former SEC attorney who asked not to be named, given that bitcoin is classified as a commodity in the US, such an investigation would fall to the US Commodities and Futures Trading Commission (CFTC).

But even then, the issue of jurisdiction aside, unanswered questions remain about the practicability of any potential investigation, says Charley Cooper, former chief operating officer at the CFTC. “The idea of the commodities regulator investigating the securities regulator is unprecedented,” he says. “There is no manual for this.”

In a statement, the CFTC said it has “enforcement authority” with respect to any alleged manipulation of bitcoin, but declined to confirm whether it would investigate in this instance.

In the minutes after the fake post was published, the price of bitcoin jumped around 2.5 percent, but has since fallen to below 2.5 percent of its original price. In all, the incident led to a $40 billion swing in the combined value of bitcoin in circulation.

X said an “unidentified individual” had used a phone number tied to the SEC’s account to seize control. The account “did not have two-factor authentication enabled” at the time of the hack, X said.

In a cosigned letter, Republican senators J. D. Vance and Thom Tillis demanded the SEC answer for the “widespread confusion” and damage to investors it had caused. The incident is “antithetical to the Commission’s tripart mission to protect investors, maintain a fair, orderly and efficient market, and facilitate capital formation,” the pair wrote. Senators Bill Hagerty and Cynthia Lummis, both Republicans, added their voices to the chorus with separate posts on X.

In their letter, Vance and Tillis set a deadline of January 23 for the SEC to elucidate its plans to investigate what happened, among other things.

In a statement, the SEC said it will “work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct,” but provided no further specifics.

In practice, an “alphabet soup of investigations” is likely to ensue, according to John Stark, who served for 18 years as an attorney at the SEC. Those investigations will likely involve separate inquiries conducted by the SEC itself, the US Department of Justice—which will focus on identifying the hacker—and potentially other regulatory bodies. The DOJ did not respond to a request for comment.

The SEC’s internal investigation, says Stark, will likely be conducted by the Office of the Inspector General, independent to the rest of the agency, and will focus instead on any “staff misconduct” that might have enabled the security breach. The findings of what is likely to be a “robust investigation” will be provided to Congress, he says, but not for a number of months.

In July, the SEC imposed new rules on companies that register with the agency, requiring them to disclose material cybersecurity incidents and their “nature, scope, and timing” within four business days. The SEC did not respond when asked whether it will make a preliminary disclosure of this kind.

In the aftermath of the security breach, Gensler—something of a cartoon villain in crypto circles due to his agency’s aggression toward the industry—has faced mockery and calls for his resignation among crypto personalities on X.

It is unlikely, though, says industry analyst Noelle Acheson, formerly of crypto brokerage Genesis, that Gensler will be forced to resign. “I can’t see him letting go of the job,” she says, “unless it’s pried from his grasp.”

“The Twitterverse has been calling for Gensler’s resignation forever. But this isn’t the kind of thing you resign for,” says Stark. “At worst, SEC staff will be found to be guilty of the same thing as a lot of companies: sloppiness with respect to cybersecurity.”

Though an organization like the SEC should be expected to uphold tight security stands, says Stark, who currently works as a cybersecurity consultant, it is impossible to prevent all breaches. “You can do everything you can to stop them,” he says. “But sooner or later, some person screws up.”

Lawmakers Are Out for Blood After a Hack of the SEC’s X Account Causes Bitcoin Chaos

The US financial regulator says its official @SECGov account was “compromised,” resulting in an “unauthorized” post about the status of Bitcoin ETFs.

The official X account of the United States Securities and Exchange Commission was “compromised” this afternoon, resulting in the publication of an “unauthorized” post, according to SEC chair Gary Gensler. The account, @SECGov, also said the account had been compromised.

“The SEC has determined that there was unauthorized access to and activity on the @SECGov x.com account by an unknown party for a brief period of time shortly after 4 pm ET,” an SEC spokesperson said in a statement to WIRED. “That unauthorized access has been terminated. The SEC will work with law enforcement and our partners across government to investigate the matter and determine appropriate next steps relating to both the unauthorized access and any related misconduct.”

While X did not respond to WIRED's request for comment, the company confirmed the breach of the @SECGov account in a post on X. “We can confirm that the account @SECGov was compromised and we have completed a preliminary investigation. Based on our investigation, the compromise was not due to any breach of X’s systems, but rather due to an unidentified individual obtaining control over a phone number associated with the @SECGov account through a third party,” the company wrote. “We can also confirm that the account did not have two-factor authentication enabled at the time the account was compromised.”

The @SECGov account published a post this afternoon regarding the regulatory status of Bitcoin ETFs, a financial product that would allow people to invest in bitcoin like standard stocks. The post, which also included an image with an apparently fake quote from Gensler, has since been deleted.

The fake post appeared to lead to a brief spike in Bitcoin’s value of around 2.5 percent, to nearly $47,870, before crashing around 3.2 percent from its original price.

Following news of the SEC's compromised account, US senator Bill Hagerty said in a post on X that Congress should investigate the incident.

“Just like the SEC would demand accountability from a public company if they made such a colossal market-moving mistake, Congress needs answers on what just happened,” Hagerty, a Tennessee Republican, wrote. “This is unacceptable.”

This is at least the second high-profile compromise of an X account in recent days. Mandiant, a leading cybersecurity firm now owned by Google, had its X account hacked on January 3. A scammer used their access to post a malicious link in an attempt to steal cryptocurrency from victims.

X owner Elon Musk’s aggressive slashing of the company's staff has, over the past year, raised fears that the cuts would leave X (formerly Twitter) unable to secure a platform depended on by users that include high-profile figures and government agencies worldwide. One former Twitter information security official sued Musk and others for alleged wrongful termination after he was fired for, he claims in the lawsuit, arguing that the staff cuts would interfere with X’s ability to comply with a 2011 consent decree with the US Federal Trade Commission to protect users’ personal information.

Even before Musk’s acquisition of the company, former Twitter chief security officer Peiter Zatko filed an extensive whistleblower report to US government agencies about the company’s alleged security issues, including the claim that it gave its own staff too much unmonitored access to the platform.

“People put a lot of trust into an entity that has stopped being a serious company,” says Allison Nixon, the chief research officer for cybersecurity firm Unit 221B, which frequently deals with hackers’ account takeovers. “If a government wants to be able to make statements that people can rely on, they can’t do that on a platform that has a targeted-account-takeover problem.”

The SEC account’s compromise is arguably the most consequential hijacking of a public figure’s Twitter account since 2020, when a group of young hackers tricked Twitter employees into giving them access to a powerful internal tool that allowed them to take control of users’ profiles.

They used it to post a scam messages to the accounts of users that included Joe Biden, Barack Obama, Jeff Bezos, Elon Musk, and Kim Kardashian, offering to donate twice the amount of any payment users sent to the hackers’ Bitcoin addresses back to the sender. The scam netted nearly $120,000 within minutes before the messages could be deleted. In that case, the hackers were identified—in part thanks to cryptocurrency-tracing evidence left on Bitcoin’s blockchain—and were arrested within two weeks.

Soon after news of the @SECGov’s compromise broke, Musk responded to a post joking about the account’s security. “What’s the SEC’s password? Wrong answers only,” @dogeofficialceo wrote. Musk, who was sued in July 2023 for allegedly inflating the price of the cryptocurrency Dogecoin, responded: “LFGDogeToTheMoon!!”

_Additional reporting by William Turton and Makena Kelly._

_Updated at 7:20 pm ET, January 9, 2024, to include a statement from the SEC regarding the compromise of its X account._

_Updated at 10:15 am ET, January 10, 2024, to include a statement from X regarding the breach of the @SECGov account._

Source

Wired