Plus: Russia hacks surveillance cameras as new details emerge of its attack on a Ukrainian telecom, a Google contractor pays for videos of kids to train AI, and more.

It’s been nearly two years since Russia’s invasion of Ukraine, and as the grim milestone looms and winter drags on, the two nations are locked in a grueling standoff. In order to “break military parity” with Russia, Ukraine’s top general says that Kyiv needs an inspired military innovation that equals the magnitude of inventing gunpowder to decide the conflict in the process of advancing modern warfare.

If you made some New Year’s resolutions related to digital security (it’s not too late!), check out our rundown of the most significant software updates to install right now, including fixes from Google for nearly 100 Android bugs. It’s close to impossible to be completely anonymous online, but there are steps you can take to dramatically enhance your digital privacy. And if you’ve been considering turning on Apple’s extra-secure Lockdown Mode, it’s not as hard to enable or as onerous to use as you might think.

If you’re just not quite ready to say goodbye to 2023, take a look back at WIRED’s highlights (or lowlights) of the most dangerous people on the internet last year and the worst hacks that upended digital security.

But wait, there's more! Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

23andMe said at the beginning of October that attackers had infiltrated some of its users' accounts and abused this access to scrape personal data from a larger subset of users through the company's opt-in social sharing service known as DNA Relatives. By December, the company disclosed that the number of compromised accounts was roughly 14,000 and admitted that personal data from 6.9 million DNA Relatives users had been impacted. Now, facing more than 30 lawsuits over the breach—even after tweaking its terms of service to make legal claims against the company more difficult—the company said in a letter to some individuals that “users negligently recycled and failed to update their passwords following … past security incidents, which are unrelated to 23andMe.” This references 23andMe’s long-standing assessment that attackers compromised the 14,000 user accounts through “credential stuffing,” the process of accessing accounts using usernames and passwords compromised in other data breaches from other services that people have reused on multiple digital accounts. “Therefore, the incident was not a result of 23andMe’s alleged failure to maintain reasonable security measures,” the company wrote in the letter.

“Rather than acknowledge its role in this data security disaster, 23andMe has apparently decided to leave its customers out to dry while downplaying the seriousness of these events,” Hassan Zavareei, one of the lawyers representing victims who received the letter, told TechCrunch. “23andMe knew or should have known that many consumers use recycled passwords and thus that 23andMe should have implemented some of the many safeguards available to protect against credential stuffing—especially considering that 23andMe stores personal identifying information, health information, and genetic information on its platform.”

Russia’s war—and cyberwar—in Ukraine has for years produced novel hybrids of hacking and physical attacks. Here’s another: Ukrainian officials this week said that they had blocked multiple Ukrainian civilians’ security cameras that had been hacked by the Russian military and used to target recent missile strikes on the capital of Kyiv. Ukraine’s SBU security service says the Russian hackers went so far as to redirect the cameras and stream their footage to YouTube. According to the SBU, that footage then likely aided Russia’s targeting in its bombardment on Tuesday of Kyiv, as well as the Eastern Ukrainian city of Kharkiv, with more than a hundred drones and missiles that killed five Ukrainians and injured well over a hundred. In total, since the start of Russia’s full-scale invasion of Ukraine in February 2022, the SBU says it’s blocked about 10,000 security cameras to prevent them from being hijacked by Russian forces.

Last month, a Russian cyberattack hit the telecom firm Kyivstar, crippling phone service for millions of people across Ukraine and silencing air raid warnings amid missile strikes in one of the most impactful hacking incidents since Russia’s full-scale invasion began. Now, Illia Vitiuk, the cyber chief of Ukraine’s SBU security service, tells Reuters that the hackers accessed Kyivstar’s network as early as March 2023 and laid in wait before they “completely destroyed the core” of the company in December, wiping thousands of its machines. Vitiuk added that the SBU believes the attack was carried out by Russia’s notorious Sandworm hacking group, responsible for most of the high-impact cyberattacks against Ukraine over the last decade, including the NotPetya worm that spread from Ukraine to the rest of the world to cause $10 billion in total damage. In fact, Vitiuk claims that Sandworm attempted to penetrate a Ukrainian telecom a year earlier but the attack was detected and foiled.

This week in creepy headlines: 404 Media’s Joseph Cox discovered that a Google contractor, Telus, has offered parents $50 to upload videos of their children’s faces, apparently for use as machine learning training data. According to a description of the project Telus posted online, the data collected from the videos would include eyelid shape and skin tone. In a statement to 404, Google said that the videos would be used in the company’s experiments in using video clips as age verification and that the videos would not be collected or stored by Telus but rather by Google—which doesn’t quite reduce the creep factor. “As part of our commitment to delivering age-appropriate experiences and to comply with laws and regulations around the world, we’re exploring ways to help our users verify their age,” Google told 404 in a statement. The experiment represents a slightly unnerving example of how companies like Google may not simply harvest data online to hone AI but may, in some cases, even directly pay users—or their parents—for it.

A decade ago, Wickr was on the short list of trusted software for secure communications. The app’s end-to-end encryption, simple interface, and self-destructive messages made it a go-to for hackers, journalists, drug dealers—and, unfortunately, traders in child sexual abuse materials—seeking surveillance-resistant conversations. But after Amazon acquired Wickr in 2021, it announced in early 2023 that it would be shutting down the service at the end of the year, and it appears to have held to that deadline. Luckily for privacy advocates, end-to-end encryption options have grown over the past decade, from iMessage and WhatsApp to Signal.

23andMe Blames Users for Recent Data Breach as It's Hit With Dozens of Lawsuits

Being fully anonymous is next to impossible—but you can significantly limit what the internet knows about you by sticking to a few basic rules.

Beyond the web, trackers embedded in your mobile applications can gather data on your activity. On Android, you should turn off personalized ads through Google’s My Ad Center, simply toggling the setting to off. Also, delete your device’s advertising ID by going to **Settings, Privacy**, **Ads** and clicking on the **Delete advertising ID** option. There are also Android apps that will block cross-app trackers, such as DuckDuckGo’s browser app or the University of Oxford–developed TrackerControl. If you use iOS, go to **Settings,** **Privacy & Security, Tracking,** and toggle off **Allow Apps to Request to Track** to stop apps from tracking you across apps and websites.

For some people, a VPN may be useful for stopping their internet service provider from viewing their web traffic. VPNs can, however, see your online activity—in some cases keeping logs of it—and many are problematic. Our is Mullvad’s VPN, which is open source and accepts payments via cash mailed to its offices in Sweden.

Pick the Most Private Option

Every app, website, and service you use is likely to collect some data about you, but some collect more than others. Picking services that purposefully don’t collect information about you or that use end-to-end encryption, which stops companies from seeing the contents of your communications or data transfers, can help limit your exposure to the web. Generally, you want to avoid Big Tech.

For messaging, Signal collects very little information about who uses it, and it’s encrypted by default, meaning it cannot see the contents of the messages you send. For searching, DuckDuckGo, Brave Search, Kagi, Startpage, and Mojeek are our picks of the most privacy friendly search engines. For email, Proton and Tuta (formerly Tutanota) provide free end-to-end encryption options. OnionShare uses the Tor network to allow you to anonymously share files. Proton Drive offers encrypted file storage online, and Apple’s advanced data protection settings allow iCloud storage to be end-to-end encrypted once it is enabled.

If you're using a work laptop or phone, it's also worth keeping in mind that your employer can likely see many, if not all, of the things you do on those devices. If you're searching for a new job or running personal tasks, you likely want to do them on personal devices.

Check What You Post

As much as anything, being more anonymous online is linked to your mentality. Simply put, the less you share about yourself online, the less identifiable you will be. That means being careful about what you post on social media—not sharing information that could identify you, your location, or others around you.

For instance, if you want to create a new social media account that’s not tied to your identity, keep any names or personal information out of the account name. You should also not sign up using your primary phone number, email address, physical address, or any similar information that could be linked back to you. This doesn’t apply just to a new account you’re creating; it should be the wider way you think about all of your online behavior.

How to Be More Anonymous Online

Ukraine’s top general says his country must innovate on the level of inventing gunpowder to “break military parity” with Russia. If it’s successful, it could change the future of war.

To Beat Russia, Ukraine Needs a Major Tech Breakthrough

If you're at high risk of being targeted by mercenary spyware, or just don't mind losing iOS features for extra security, the company's restricted mode is surprisingly usable.

With the releases of iOS 16 and macOS Ventura in 2022, Apple debuted its Lockdown Mode for people at particular risk of being targeted by mercenary spyware. The feature is essentially a set of configurations for iOS and macOS that limit or block niceties like link previews in Messages and shared albums in Photos. Lockdown Mode also restricts your device's ability to accept unsolicited communications like FaceTime calls from phone numbers and accounts you've never called before. And this year, in iOS 17, Apple added additional improvements, meaning more safety-focused limitations. The company has consistently emphasized that Lockdown Mode is not meant for mainstream use by most people—but in a week of testing, it's surprisingly tolerable.

Turning on Lockdown Mode simply involves confirming the setting change with your device PIN or a biometric authentication in “Privacy & Security” and then rebooting so the system can apply all the restrictions and limitations. Enabling Lockdown Mode is similar to changing the language of your device—the system needs to comprehensively adopt the new configuration and apply it everywhere. Once the reboot is complete, your device comes back on looking pretty much like normal.

When malware developers target Apple devices, they tailor their attacks to exploit weaknesses in the complex features of iOS and macOS that facilitate communication and data sharing and handle different file types and information formats. So Lockdown Mode aims to make it much harder for commercial spyware vendors or other motivated and well-resourced actors to develop exploit chains that combine vulnerabilities in multiple iOS or macOS features to take control of devices. In practice, this means that it's harder and less fun to casually share—and especially receive—links, GIFs, and integrated elements in tools like Messages. And services like HomeKit are curtailed as well.

For example, you can still use Apple Pay with Lockdown Mode, but its integrations with other apps are much less fluid. If someone sends you a payment through Apple Cash, you can receive it, but you'll only get a very general, unspecific message in Messages that something has occurred— you won't know that someone sent you money on Apple Cash. Links don't expand when you send and receive them, and if you send or receive a link to an image or other file, it will send as text-only—a gnarly, full URL with no preview and no hyperlink that would let you automatically open it in a browser.

As part of Apple's most recent updates for Lockdown Mode in June, the company added support for Apple Watch and began automatically removing geolocation data from photos when you share them. The improvements also include a move to block devices by default from joining unsecured Wi-Fi networks and 2G cellular networks—a change meant to protect against malicious Wi-Fi networks and the mobile data surveillance tool known as stingrays.

This set of updates enabled “safer wireless connectivity defaults, media handling, media sharing defaults, sandboxing, and network security optimizations,” Apple said in a statement at the time. “Turning on Lockdown Mode further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface for those who need additional protections.”

Lockdown Mode also places some restrictions on web browsing in Apple's Safari and other browsers. When this impacts crucial features and performance on particular sites that users trust, they can add them individually to an “excluded websites” list. Users can also selectively turn off Lockdown Mode limitations for some third-party apps like Gmail.

Ultimately, though, the feature doesn't offer many power user configurations precisely because the whole point is to keep everything on lock. But by and large, you can continue to function normally while using Lockdown Mode. Sometimes you'll miss a call from someone you've never interacted with digitally before or need extra seconds to convey something you're trying to share to a friend, but the restrictions start to make sense and become more intuitive over time. As one Reddit user put it last year, “Usable for the most part. Don't really notice it until you run into the cons.”

This is the instantly recognizable experience of using Lockdown Mode. It's all good until it stops you from doing something you really, really want to do.

“It's a great additional layer of security for Apple to offer,” says longtime Mac security researcher and Objective-See Foundation founder Patrick Wardle. “But balancing security and usability is super tough, and it shows that usability is king for most people—myself included. I turned off Lockdown Mode because it blocked the feature where two-factor SMS codes show up as an autofill option in websites, forms, etc. I think Apple did a great job with it, yet as soon as it impacted a feature that I love and use a lot, I turned it off.”

For some, it's the loss of shared albums in Photos. For others, it's the limitations of enjoying a meme with friends. But if you really need Lockdown Mode for your digital safety and personal protection, it's a workable alternative to throwing your phone in the ocean.

What It’s Like to Use Apple’s Lockdown Mode

Plus: Apple shuts down a Flipper Zero Attack, Microsoft patches more than 30 vulnerabilities, and more critical updates for the last month of 2023.

December was a hectic month for updates as firms including Apple and Google rushed to get patches out to fix serious flaws in their products before the holiday break.

Enterprise software giants also issued their fair share of patches, with Atlassian and SAP squashing several critical bugs during December.

Here’s what you need to know about the important updates you might have missed during the month.

Apple iOS

In mid-December, Apple released iOS 17.2, a major point upgrade containing features such as the Journal app, as well as 12 security patches. Among the flaws fixed in iOS 17.2 is CVE-2023-42890, an issue in the WebKit browser engine that could allow an attacker to execute code.

Another flaw in the iPhone’s Kernel, tracked as CVE-2023-4291, could see an app break out of its secure sandbox, Apple wrote on its support page. Meanwhile, two vulnerabilities in ImageIO, CVE-2023-42898 and CVE-2023-42899, could lead to code execution.

The iOS 17.2 update also put a mechanism in place to prevent a Bluetooth attack using a penetration testing device called Flipper Zero, according to tests by ZDNET and 9to5Mac. The annoying denial of service cyber-assault could cause a flurry of pop ups to appear on an iPhone and eventually lock up the device.

Apple also released iOS 16.7.3, Safari 17.2, macOS Sonoma 14.2, macOS Ventura 13.6.3, macOS Monterey 12.7.2, tvOS 17.2 and watchOS 10.2.

Just one week after releasing iOS 17.2, Apple issued iOS 17.2.1 and iOS 16.7.4 for older devices, alongside macOS Sonoma 14.2.1. The surprise iPhone update contains unspecified bug and security fixes, while the macOS patch fixes a single flaw tracked as CVE-2023-42940.

Google Android

The Google Android December Security Bulletin was a hefty one, fixing nearly 100 security issues. The update includes patches for two critical issues in the Framework, the most severe of which could lead to remote escalation of privilege with no additional privileges needed. User interaction is not needed for exploitation, Google said.

CVE-2023-40088 is a critical flaw in the System that could lead to remote code execution, while CVE-2023-40078 is an elevation of privilege bug rated as having a high impact.

Google has also issued an update for its smart device WearOS platform, fixing CVE-2023-40094, an elevation of privilege flaw. The Pixel Security Bulletin has not been posted at the time of writing.

Google Chrome

Google ended a bumper December of updates in style with an emergency fix for its Chrome browser. The eighth zero-day vulnerability impacting Chrome in 2024, CVE-2023-7024 is a heap buffer overflow issue in the open source WebRTC component. Google is “aware that an exploit for CVE-2023-7024 exists in the wild,” the browser maker said in an advisory.

It wasn’t the first fix released by Google in December. The software giant also issued a Chrome patch mid-month to fix nine security issues. Of the flaws reported by external researchers, five are rated as having a high severity, including CVE-2023-6702, a type confusion flaw in V8, and four use-after-free bugs.

Earlier in the month Google released Chrome 120, fixing 10 security flaws, including two rated as having a high severity. CVE-2023-6508 is a use-after-free bug in Media Stream, while CVE-2023-6509 is a use-after-free issue in Side Panel Search.

Microsoft

Microsoft’s December Patch Tuesday fixes over 30 vulnerabilities including several remote code execution (RCE) flaws. Among the critical fixes is CVE-2023-36019, a spoofing vulnerability in Microsoft Power Platform Connector with a CVSS score of 9.6. The issue could see an attacker manipulate a malicious link, app, or file to trick the victim. However, you would have to click on a specially crafted URL to be compromised.

Meanwhile, CVE-2023-35628 is a Windows MSHTML Platform RCE bug rated as critical with a CVSS score of 8.1. “The attacker could exploit this vulnerability by sending a specially crafted email which triggers automatically when it is retrieved and processed by the Outlook client,” Microsoft said, adding that this could lead to exploitation before the email is viewed in the Preview Pane.

It was a fairly light Patch Tuesday, and none of the issues fixed in the month’s update cycle are known to have been exploited, but it still makes sense to apply the fixes as soon as you can.

Mozilla Firefox

Mozilla has fixed 18 security vulnerabilities in its Firefox browser, a third of which are rated as having a high severity. Of these, CVE-2023-6856 is a heap-buffer-overflow issue affecting WebGL DrawElementsInstanced method with Mesa VM driver that could allow an attacker to perform remote code execution and sandbox escape.

Meanwhile, Mozilla has also fixed memory safety bugs tracked as CVE-2023-6864 and CVE-2023-6873. “Some of these bugs showed evidence of memory corruption and we presume that with enough effort \[they\] could have been exploited to run arbitrary code,” Mozilla said.

Apache

The Apache Software Foundation has issued a patch for a flaw in its Struts 2 open source developer framework. Tracked as CVE-2023-50164, the issue is rated as critical with a CVSS score of 9.8.

Using the vulnerability, an attacker could manipulate file upload parameters to enable paths traversal. Under some circumstances, this could lead to uploading a malicious file and be used to perform RCE, according to a security advisory.

To fix the flaw, it’s important to upgrade to Struts 2.5.33 or Struts 6.3.0.2 as soon as possible.

Atlassian

Enterprise software giant Atlassian has issued a patch to fix critical RCE vulnerabilities in its Confluence Data Center and Server. Tracked as CVE-2023-22522, the template injection vulnerability allows an authenticated attacker to inject unsafe user input into a Confluence page. “Using this approach, an attacker is able to achieve RCE on an affected instance,” Atlassian said in an advisory.

Marked as critical with a CVSS score of 9, the bug affects all versions including and after 4.0.0 of Confluence Data Center and Server. Atlassian “recommends patching to the latest version or a fixed LTS version” to address the issue.

Other patches released by Atlassian during the month include a fix for an RCE vulnerability in the Atlassian macOS app, an RCE bug in Assets Discovery, and a SnakeYAML library RCE issue impacting multiple products.

SAP

Business software maker SAP has released its December Security Patch Day, fixing several serious security flaws. The most critical, with a CVSS score of 9.1, are four escalation-of-privilege bugs in SAP Business Technology Platform tracked as CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.

“It allows an unauthenticated attacker to obtain arbitrary permissions within the application leading to high impact on the application’s confidentiality and integrity,” security firm Onapsis said.

Meanwhile, CVE-2023-42481 is an improper access control vulnerability in SAP Commerce Cloud with a CVSS score of 8.1. “This allows a user who is actually blocked to regain access to the application, leading to considerable impact on confidentiality and integrity,” according to Onapsis.

Google Fixes Nearly 100 Android Security Issues

It was a year of devastating cyberattacks around the globe, from ransomware attacks on casinos to state-sponsored breaches of critical infrastructure.

With political polarization, unrest, and violence escalating in many regions of the world, 2023 was fraught with uncertainty and tragedy. In digital security, though, the year felt more like a Groundhog Day of incidents caused by classic types of attacks, like phishing and ransomware, rather than a roller coaster of offensive hacking innovation.

The cybersecurity slog will no doubt continue in 2024, but to cap off the past 12 months, here's WIRED's look back at the year's worst breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns. Stay alert, and stay safe out there.

One of the most impactful hacks of 2023 wasn’t a single incident but a series of devastating breaches, beginning in May, caused by mass exploitation of a vulnerability in the popular file transfer software known as MOVEit. The bug allowed hackers to steal data from a laundry list of international government entities and businesses, including the Louisiana Office of Motor Vehicles, Shell, British Airways, and the United States Department of Energy. Progress Software, which develops MOVEit, patched the flaw at the end of May, and broad adoption of the fix eventually stopped the spree. But the “Cl0p” data extortion gang had already gone on a disastrous joy ride, exploiting the vulnerability against as many victims as possible. Organizations are still coming forward to disclose MOVEit-related incidents, and researchers told WIRED that this trickle of updates will almost certainly continue in 2024 and possibly beyond.

Based in Russia, Cl0p emerged in 2018 and functioned as a standard ransomware actor for a few years. But the gang is particularly known for finding and exploiting vulnerabilities in widely used software and equipment, with MOVEit being the latest example, to steal information from a large population of victims and conduct data extortion campaigns against them.

The identity management platform Okta disclosed a breach of its customer support system in October. The company said at the time that about 1 percent of its 18,400 customers were impacted. But the company had to revise its assessment in November to acknowledge that actually _all_ of its customer support users had had data stolen in the breach.

The original 1 percent estimate came from the company’s investigation into activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for helping users troubleshoot. But that assessment had missed other malicious activity in which the attacker ran an automated query of a database that contained names and email addresses of “all Okta customer support system users” and some Okta employees. As with a number of other incidents this year, part of the significance of the Okta incident comes from the fact that the company plays a critical role in providing security services for other companies, yet it suffered a previous high-profile breach in 2021.

The US National Security Agency and its allied intelligence services around the world have been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting US critical infrastructure networks, including power grids, as part of its activity. Officials have continued to reinforce that network defenders need to be on the lookout for suspicious activity that could indicate a clandestine operation. Volt Typhoon's hacking, and that of other Beijing-backed hackers, is fueled in part by the Chinese government's stockpile of zero-day vulnerabilities, which can be weaponized and exploited. Beijing collects these bugs through research, and some may also come as the result of a law that requires vulnerability disclosure.

Meanwhile, in June, Microsoft said that a China-backed hacking group had stolen an immensely sensitive cryptographic key from the company's systems that allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies. In a postmortem published in September, Microsoft explained that improper access to the key was incredibly improbable, but occurred in this case because of a unique comedy of errors. The incident was a reminder, though, that Chinese state-backed hackers conduct a massive quantity of espionage operations each year and are often lurking undetected in networks, waiting for the opportune moment to capitalize on any flaw or mistake.

MGM casinos in Las Vegas and other MGM properties around the world suffered massive and disruptive system outages in September after a cyberattack by an affiliate of the notorious Alphv ransomware group. The attack caused chaos for travelers and gamblers alike, and took the hospitality group days—in some cases, even weeks—to recover, as ATMs went down, hotel keycards stopped working, and slot machines went dark.

Meanwhile, Caesars Entertainment confirmed in a US regulatory filing in September that it had also suffered a data breach at the hands of Alphv, one in which many of its loyalty program members' Social Security numbers and driver's license numbers were stolen, along with other personal data. _The Wall Street Journal_ reported in September that Caesars paid roughly half of the $30 million the attackers demanded in exchange for a promise that they wouldn't release stolen customer data. MGM reportedly did not pay the ransom.

In December 2022, LastPass, maker of the popular password manager, said that an August 2022 breach it had disclosed at the end of November 2022 was worse than the company originally thought, and encrypted copies of some users’ password vaults had been compromised in addition to other personal information. It was a deeply concerning revelation given that LastPass has suffered other security incidents in the past, and users trust the company with the most sensitive pieces of their digital lives.

On top of this, though, the company disclosed a second incident in February 2023 that also began in August 2022. Attackers compromised the home computer of one of the company's senior engineers—who had special access to LastPass' most sensitive systems—and stole authentication credentials. These, in turn, allowed them to access an Amazon S3 cloud storage environment and ultimately “LastPass production backups, other cloud-based storage resources, and some related critical database backups,” the company wrote in March—a devastating breach for a password manager company.

23andMe disclosed at the beginning of October that attackers had successfully compromised some of its users' accounts and parlayed that access to scrape the personal data of a larger number of users through the company's “DNA Relatives” opt-in social-sharing service. In that initial disclosure, the company didn't say how many users were affected. In the meantime, hackers began hawking data that appeared to be taken from a million or more 23andMe users. Then, in a US Securities and Exchange Commission filing at the beginning of December, the company said that the attacker had accessed 0.1 percent of user accounts, or roughly 14,000 per a company estimate that it has about 14 million customers. The SEC filing didn't include a larger number of those impacted by the DNA Relatives scraping, but 23andMe ultimately confirmed to TechCrunch that the hackers collected data from 5.5 million people who had opted in to DNA Relatives, plus information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." Some of the stolen data included classifications like describing subsets of users as being “Ashkenazi Jews,” “broadly Arabian,” or of Chinese descent, potentially exposing them to specific targeting.

While troubling, the data theft didn't include raw genetic information and typically wouldn't qualify as a “worst hack” in and of itself. But the situation was an important reminder of the stakes when dealing with information related to genetics and ancestry, and the possible unintended consequences of adding social sharing mechanisms to sensitive services, even when user participation is voluntary.

The wireless carrier T-Mobile has suffered a ludicrous number of data breaches in recent years and now has the dubious distinction of being a two-time winner of an honorable mention in WIRED's annual Worst Hacks roundups. This year, the company disclosed two breaches. One began in November 2022 and ended in January, impacting 37 million current customers on both prepaid and postpay accounts. Attackers stole customers' names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details. The second breach, which occurred between February and March and was disclosed in April, was small, impacting less than 900 customers. It is significant, though, because the stolen data included full names, dates of birth, addresses, contact information, government ID information, Social Security numbers, and T-Mobile account pins—in other words, the crown jewels for hundreds of people.

The Worst Hacks of 2023

From Sam Altman and Elon Musk to ransomware gangs and state-backed hackers, these are the individuals and groups that spent this year disrupting the world we know it.

In 2023, the world has felt like it was balanced on a precipice. A United States presidential election looms, with a resurgent candidate that threatens to bring with him all the chaos of 2016 and 2020. Artificial intelligence developed so quickly that it seemed to have suddenly sprung into being, heralding vast societal promise and disruption just around the bend of its exponential curve. And the world's richest man continued to use his power to push for a more reckless tech world, from free-for-all social media and oversold assisted-driving features to AI with a “rebellious streak.”

In the midst of that uncertainty, a new war between Israel and Hamas added more atrocities alongside the slow-burning horrors of Russia's invasion of Ukraine. These wars have echoed across the internet in propaganda, hate speech, and cyberattacks that triggered widespread real-world effects. Chinese state-sponsored hackers, meanwhile, sowed the seeds for a future cyberwar, and ransomware gangs resurged. It was a banner year for chaos, present and impending, and all reflected in the digital mirror.

Each year, WIRED assembles a list of the most dangerous people, groups, and organizations on the internet—both those who intentionally endanger innocent people and those whose actions, regardless of their intent, destabilize the world as we know it in myriad ways. Here, in no particular order, are our picks for 2023.

Elon Musk

A year ago, it might have still been fair to regard Elon Musk as a brilliant technologist with occasional destructive, trollish tendencies. In 2023, those tendencies seemed to take over his public identity. Twitter, now renamed X thanks to Musk's branding whims, this year invited back conspiracy theorists like Alex Jones and even amplified one account's antisemitic statements. When advertisers complained, Musk managed in a single conversation to both apologize for that blunder and tell them, “Go fuck yourself.”

Before that, in July, Musk had said that his social media platform's ad revenue had fallen by half—all of which calls into question whether this once-central platform for online conversation will survive Musk's reign, and in what form.

In the midst of that meltdown, Musk's new startup xAI released Grok, an AI chatbot Musk celebrated for having fewer guardrails than OpenAI's ChatGPT. Musk faces calls for an SEC investigation for his comments about how monkeys died in experiments carried out by his brain implant startup Neuralink. And in mid-December, Tesla recalled nearly every model of its vehicles sold in the US to fix an Autopilot feature. The National Highway Traffic Safety Administration found that Tesla's safety measures for assuring that drivers paying attention—which many no doubt were not, perhaps thanks in part to Musk's own descriptions of the assisted-driving feature—were inadequate.

Five years ago, WIRED put Musk's face on the cover with a story that described his Dr. Jekyll and Mr. Hyde personality. These days, it's becoming clearer which side of that split personality dominates.

Cl0p

In 2023, ransomware resurged. According to cryptocurrency firm Chainalysis, it appears to be on track to be the second-worst year on record in terms of total extortion payments collected by the ransomware industry's coercive gangs of hackers. But perhaps no group did more damage this year than the people behind the Cl0p malware.

In May, the Cl0p gang began exploiting a zero-day vulnerability in the MOVEit file transfer software and used it to carry out a shocking spree of intrusions across more than 2,000 organizations, according to ransomware-focused security firm Emsisoft. A single victim, medical firm Maximus, lost control of the data of at least 8 million people in the breach. The hackers stole data from the state government of Maine on another 1.3 million. In total, at least 62 million people were affected, and Cl0p's hackers remain at large.

Alphv

If Cl0p were the most ruthless ransomware hackers of the year, Alphv, also known as Black Cat, were certainly in close contention. The group, which has ties to the hackers who carried out the 2021 cyberattack on the Colonial Pipeline, gained a new level of notoriety in September when it targeted MGM Resorts International, shutting down computer systems across the hotel and casino chain and ultimately doing $100 million in damage, by MGM's estimate. More broadly, the FBI says that Alphv has compromised over a thousand organizations and extracted more than $300 million in ransoms.

In mid-December, the FBI announced that it had seized the dark-web site where Alphv publishes its victims’ stolen data. Hours later, the site reappeared, and Alphv defiantly announced it had “unseized” it and would no longer abide by a rule not to target critical infrastructure systems. The site was soon taken down again. But given that no members of the group have been arrested or even indicted in absentia, its chaos will likely continue.

Hamas

No event of 2023 has shaken geopolitics as suddenly and shockingly as Hamas' atrocities against civilians in Southern Israel on October 7. The attacks, in which Hamas militants killed 1,200 people and took hundreds of hostages, immediately triggered a war that threatens to destabilize the region. It has also shaken the tech world, where it has raised questions about the digital technologies that have enabled Hamas, from the millions of dollars the group raised via cryptocurrency to its channels on Telegram, where it distributes propaganda and videos of its violence. When ISIS came to prominence in 2014, it forced every technology platform in the world to question whether and how it enabled extremist violence. Now, a decade later, a new round of horrific bloodletting shows how that reckoning continues.

Sandworm

Despite sanctions, indictments, and even a $10 million bounty, Russia's team of hyper-aggressive military intelligence hackers known as Sandworm are still out there—and still active. As Russia's invasion of Ukraine grinds toward its third brutal year, in fact, they appear to have turned their focus to that conflict.

This year, Sandworm was revealed to have carried out a third blackout cyberattack against a Ukrainian electric utility, this time in the midst of a Russian air strike hitting the same city. It later penetrated Ukrainian military communications in a more traditional espionage-focused effort to gain an advantage during Ukraine's counteroffensive. And evidence points to Sandworm's responsibility for a cyberattack just this month that hit the telecom Kyivstar, taking out internet and mobile communications for millions amid another series of strikes. The group, in other words, continues to earn its reputation as the Kremlin's most dangerous hackers.

Volt Typhoon

For years, the cybersecurity community has asked itself who might be the “Sandworm of China.” This year provided perhaps the closest thing yet to an answer. The hacker group dubbed Volt Typhoon by Microsoft was revealed in May to have planted malware in power grid networks across the continental US and Guam, in some cases with an apparent eye toward controlling the flow of electricity to US military bases. More recently, _The Washington Post_ revealed that Volt Typhoon's targets have extended to other kinds of critical infrastructure too, from an oil and gas pipeline to a major West Coast port and a Hawaiian water utility.

While the intentions of the group and its overseers are still far from clear, cybersecurity and geopolitical analysts increasingly see it as laying the groundwork to disrupt key US systems in the event of a crisis—such as China invading Taiwan.

Donald Trump

Last year, for the first time since 2015, Donald Trump was not included on this list. Hope you enjoyed the break!

Less than 11 months out from the 2024 US presidential election, Trump leads Republican primary polls by a wide margin. He has used his rekindled relevance to launch disturbing attacks on his perceived enemies, largely from his own right-wing-dominated Truth Social platform.

The Most Dangerous People on the Internet in 2023

Apple updated its location-tracking system in an attempt to cut down on AirTag abuse while still preserving privacy. Researchers think they’ve found a better balance.

Apple's AirTags are meant to help you effortlessly find your keys or track your luggage. But the same features that make them easy to deploy and inconspicuous in your daily life have also allowed them to be abused as a sinister tracking tool that domestic abusers and criminals can use to stalk their targets.

Over the past year, Apple has taken protective steps to notify iPhone and Android users if an AirTag is in their vicinity for a significant amount of time without the presence of its owner's iPhone, which could indicate that an AirTag has been planted to secretly track their location. Apple hasn't said exactly how long this time interval is, but to create the much-needed alert system, Apple made some crucial changes to the location privacy design the company originally developed a few years ago for its “Find My” device tracking feature. Researchers from Johns Hopkins University and the University of California, San Diego, say, though, that they've developed a cryptographic scheme to bridge the gap—prioritizing detection of potentially malicious AirTags while also preserving maximum privacy for AirTag users.

The Find My system uses both public and private cryptographic keys to identify individual AirTags and manage their location tracking. But Apple developed a particularly thoughtful mechanism to regularly rotate the public device identifier—every 15 minutes, according to the researchers. This way, it would be much more difficult for someone to track your location over time using a Bluetooth scanner to follow the identifier around. This worked well for privately tracking the location of, say, your MacBook if it was lost or stolen, but the downside of constantly changing this identifier for AirTags was that it provided cover for the tiny devices to be deployed abusively.

In reaction to this conundrum, Apple revised the system so an AirTag's public identifier now only rotates once every 24 hours if the AirTag is away from an iPhone or other Apple device that “owns” it. The idea is that this way other devices can detect potential stalking, but won't be throwing up alerts all the time if you spend a weekend with a friend who has their iPhone and the AirTag on their keys in their pockets.

In practice, though, the researchers say that these changes have created a situation where AirTags are broadcasting their location to anyone who's checking within a 30- to 50-foot radius over the course of an entire day—enough time to track a person as they go about their life and get a sense of their movements.

“We had students walk through cities, walk through Times Square and Washington, DC, and lots and lots of people are broadcasting their locations,” says Johns Hopkins cryptographer Matt Green, who worked on the research with a group of colleagues, including Nadia Heninger and Abhishek Jain. “Hundreds of AirTags were not near the device they were registered to, and we're assuming that most of those were not stalker AirTags.”

Apple has been working with companies like Google, Samsung, and Tile on a cross-industry effort to address the threat of tracking from products similar to AirTags. And for now, at least, the researchers say that the consortium seems to have adopted Apple's approach of rotating the device public identifiers once every 24 hours. But the privacy trade-off inherent in this solution made the researchers curious about whether it would be possible to design a system that better balanced both privacy and safety.

“There’s this whole standards effort going on around how to do stalking resistance, which is really good. It means Apple and Google and the other companies are taking it seriously,” Green says. “The sad part is that Apple did the thing that everyone does when they're painted into a corner. They have a big knob—one direction is privacy, one direction is the other thing (in this case, anti-stalking)—and they turned that knob away from privacy.”

The solution Green and his fellow researchers came up with leans on two established areas of cryptography that the group worked to implement in a streamlined and efficient way so the system could reasonably run in the background on mobile devices without being disruptive. The first element is “secret sharing,” which allows the creation of systems that can't reveal anything about a “secret” unless enough separate puzzle pieces present themselves and come together. Then, if the conditions are right, the system can reconstruct the secret. In the case of AirTags, the “secret” is the true, static identity of the device underlying the public identifier that is frequently changing for privacy purposes.

Secret sharing was conceptually useful for the researchers to employ because they could develop a mechanism where a device like a smartphone would only be able to determine that it was being followed around by an AirTag with a constantly rotating public identifier if the system received enough of a certain type of ping over time. Then, suddenly, the suspicious AirTag's anonymity would fall away and the system would be able to determine that it had been in close proximity for a concerning amount of time.

Green notes, though, that a limitation of secret sharing algorithms is that they aren't very good at sorting and parsing inputs if they're being deluged by a lot of different puzzle pieces from all different puzzles—the exact scenario that would occur in the real world where AirTags and Find My devices are constantly encountering each other. With this in mind, the researchers employed a second concept known as “error correction coding,” which is specifically designed to sort signal from noise and preserve the durability of signals even if they acquire some errors or corruptions.

“Secret sharing and error correction coding have a lot of overlap," Green says. “The trick was to find a way to implement it all that would be fast, and where a phone would be able to reassemble all the puzzle pieces when needed while all of this is running quietly in the background.”

The researchers first published a paper about their findings in September and submitted it to Apple. More recently, they notified the industry consortium about the proposal. Apple did not return WIRED's request for comment about the research and whether it is considering implementing the scheme.

Green says he hopes the company will eventually do something with the work. And he adds that the project is an important reminder of the real-world impacts theoretical cryptography can have.

“What I love about this problem is it seems like there are two competing requirements that can't be reconciled,” he says. “But in cryptography, we can get full privacy and then, magically, the puzzle pieces click into place, or a ‘chemical reaction’ happens, and we phase-transition to a point where suddenly it’s obvious that this is a stalker, not just a benign AirTag. It's very powerful to be able to go between those two moments.”

This Clever New Idea Could Fix AirTag Stalking While Maximizing Privacy

Members of the US Congress touted improvements to children’s privacy protections as an urgent priority. So why didn’t they do anything about it?

It’s been 15 years since suicides overtook homicides as the second leading cause of death for children ages 10 to 14 years old. Two years since the first Meta whistleblower warned United States senators that America’s children are at risk from “disastrous” decisions being made in Silicon Valley. (And a little over a month since a second Meta whistleblower testified, “They knew and they were not acting on it.”) And it’s been roughly one year since a wave of new, younger lawmakers—many raising their own young children—were seated in the House of Representatives. “As a mom of two kids, you know, we want to make sure that their online experience is safe,” Representative Beth Van Duyne, a Texas Republican, tells WIRED.

All those changes—including an alarming doubling of the adolescent suicide rate—and yet, one constant remains: congressional inaction. Amid a flurry of blockbuster whistleblower hearings, soaring campaign promises, tear-soaked press conferences with the families of teens lost to cyberbullying, and dozens of competing bills that members have introduced aimed at protecting kids in cyberspace—nothing.

Congressional inaction has left the door open for the Biden administration to lead on the issue. On Wednesday, the Federal Trade Commission unveiled its proposal for a new set of guidelines to govern social media firms. The FTC wants to prohibit social media companies from identifying children—like targeting their cell numbers—when they’re online, while also limiting which data is collected on students, including having apps not target children under 13 with ads by default. With House Republicans now taking steps to impeach Joe Biden, why would they want to cede their oversight authority over American tech firms to the White House? Most don’t.

With so much interest—and increased pressure from agencies like the FTC—why hasn’t Congress protected kids yet? “I’ve never been able to figure that out either,” Representative Dan Crenshaw, a Texas Republican who sits on the Energy and Commerce Committee, which has jurisdiction on the issue, tells WIRED. Of course, there are theories floating around the marble halls of the US Capitol.

“M–O–N–E–Y”

Teams of tech lobbyists on Capitol Hill have dropped upward of $75 million (not including Q4 totals, which aren’t due until January 22) in 2023. Of the 637 “internet” lobbyists, as money and politics nonprofit Open Secrets dubs the sector, a whopping 73.31 percent are former government employees. Many of these lobbyists are from the same congressional offices and committees now tasked with regulating the internet. They’re not very subtle.

One social media firm or another seems to always be blanketing Washington with a feel-good, policy-focused ad campaign. At the start of the year, TikTok—which, at $3.7 million, spent more in Q3 lobbying this year than it did throughout all of 2019 and 2020 combined—plastered DC’s metro system, historic Union Station, and _The Washington Post_ with ads. When its CEO was dragged in to testify to an angry Congress this spring, it even paid for travel, room, and board for dozens of sympathetic “influencers.” For the past month or so, Meta ads have blanketed the Beltway: “Instagram supports federal legislation that puts parents in charge of teen app downloads,” the ad reads, without saying which measures it’s actively trying to kill on Capitol Hill.

Lawmakers say the ad blitz shows what they’re up against from technology firms. “M–O–N–E–Y,” Senator Josh Hawley, a Missouri Republican, spells out to WIRED. “They’re only in favor of stuff if they can write it.”

In the last Congress and again this summer, two key kid-focused digital measures both sailed through the Senate Commerce Committee. The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) outlaws targeting children with advertising while also banning data collection on teenage social media users, to name a few of its provisions. The controversial Kids Online Safety Act (KOSA) mandates annual minor-focused risk assessments within social media giants while also giving parents and regulators new tools to protect children.

The two measures enjoy broad support, which is why they get out of committee with ease. But they’ve never been brought to the Senate floor for a vote by all 100 US senators. Critics say many members are supportive in the relatively obscure confines of their committees, but some of that support withers away under the intense lobbying scrutiny that comes once bills make the queue for Senate consideration. So far, members have been shielded, but those days seem to be over. “That’s because, in committee, they know they’re not going to have to vote on it on the floor. I know that for a fact,” Hawley, who’s up for reelection in 2024, says. “I can tell you, I’m going to get much more aggressive come the new year about forcing votes. I think it’s time to start putting people on record.”

The thing is, no one really knows what would happen if COPPA 2.0 or KOSA were voted on. “I don’t have any predictions or any insights,” Senator Roger Wicker, the Mississippi Republican who chaired the Commerce Committee until Democrats reclaimed senatorial power in 2021, tells WIRED. The resistance remains hard to nail down. Republicans blame Democrats. Democrats blame Republicans. Everyone blames the tech industry. “In the legislative process where you’re not bringing something to the floor for debate—which is where you could have a lot of input—then one person can hold something up,” Senator Maria Cantwell, a Democrat who chairs the Senate Commerce Committee, tells WIRED.

Because a broader data privacy bill remains gridlocked to death on Capitol Hill, Congress now has these offshoot measures aimed specifically at children, according to Cantwell. “We want to get a privacy bill, overall,” she says. “That’s what we focused on, because we think that framework gives the biggest protections, including for kids. But we’ve allowed these \[children-focused measures\] to see if they can make it through so that they wouldn’t have to be part of a larger discussion.”

While Hawley’s convinced Big Money keeps derailing the effort, others disagree. These issues just take time, nuance, and compromise, congressional leaders in both chambers argue. “We keep trying. We need a bipartisan, bicameral consensus, and that’s what we’re trying to do,” Representative Frank Pallone, the top Democrat on the House Energy and Commerce Committee, tells WIRED. “I don’t think it’s any special interest. I think it’s just the fact that it’s hard to get the Senate and the House and the Democrats and Republicans to agree, but we’re trying. I think we’re making progress.”

KOSA Complications

In the last Congress, KOSA—the Kids Online Safety Act—was formally endorsed by 13 Senate cosponsors. That number has more than tripled to 46 cosponsors in this Congress. KOSA cosponsors—Senators Marsha Blackburn, a Republican from Tennessee, and Richard Blumenthal, a Connecticut Democrat—say their personal lobbying of their colleagues is paying off, even if the measure remains stalled. “We’re pushing forward,” Blumenthal tells WIRED. “I’m very hopeful we’ll see a vote early next year. I think we’re feeling it.” Still, while the measure is broadly bipartisan, there’s been a recent wave of opposition to it on the civil libertarian left.

In our post-_Roe_ reality, digital rights and reproductive freedom are now intertwined, and highly suspect. KOSA is now in the crosshairs of groups like the American Civil Liberties Union (ACLU) over free speech and expression concerns. This fall, upward of 100 parents of trans and gender-expansive children penned an open letter opposing KOSA, saying it would “make our kids less safe, not more safe.”

“It would grant extraordinary new power to right-wing state attorneys general to dictate what content younger users can see on social media, cutting our kids off from lifesaving online resources and community,” the letter, released by digital rights group Fight for The Future, reads. “These are the same attorneys general that are actively working to ban gender-affirming health care that saves kids’ lives, criminalize drag performances, and label families that accept our children as ‘groomers’ and ‘child abusers.’”

The outcry from the progressive end of the spectrum has given those groups new, powerful advocates in Congress. In the end of the year legislative-twister at the Capitol, some KOSA supporters were itching for the proposal to be “fast-tracked,” a unanimous consent agreement where all 100 senators surrender their right to filibuster. But opponents got word and put an end to those efforts. “Until the bill is amended to foreclose the ability of state attorneys general to wage war on important reproductive and LGBTQ content, I will object to any unanimous consent request in relation to this legislation,” Senator Ron Wyden, an Oregon Democrat, told his Senate colleagues in a speech on the Senate floor last month.

KOSA’s sponsors know they still haven’t secured the 60 votes needed for passage, so one alerted party leaders they would oppose their own measure if it were brought up before the New Year. Senate Majority Leader Chuck Schumer’s office didn’t respond to a request for comment on whether he had—or has—plans to bring it to the floor. But Schumer says that before Congress can effectively regulate generative AI—one of his top priorities—America needs a federal data privacy law. “There was pretty much consensus that we need some kind of privacy law,” Schumer told reporters last month. “There are lots of disagreements, but it’s important to try and get that done.”

One Thing After Another

Over in the House, most eyes are on whether freshman speaker Mike Johnson can avert a government shutdown in the New Year. With such a green leader at the helm, House committees are, seemingly, more powerful than before, as members report trying to be the first person to get Johnson’s ear on an array of issues. While there’s no companion measure to KOSA in the House, children’s data privacy remains a top priority for the GOP majority in that chamber. The issue came up as a top priority in the last weekly in-person meeting of the Republican majority on the powerful House Energy and Commerce Committee.

“It’s not dead. It’s a priority for us,” Representative Richard Hudson, a North Carolina Republican, tells WIRED. He’s the current chair of the National Republican Congressional Campaign Committee where he’s tasked with helping the GOP expand its House majority—or, at least, not lose its majority—in 2024. Hudson knows many of his newer members ran on protecting the nation’s children from online predators, legal and illegal ones alike. Now comes the hard work of threading the proverbial needle. “It’s a very difficult question,” Hudson says. “You’re trying to balance rights versus protecting kids, and that’s tough. But our chairwoman is very focused on getting it done.”

If these children’s data measures are ever debated and voted on, dozens of other more niche privacy protection measures will likely be offered by both party’s rank-and-file lawmakers. Some ideas focus on protecting reproductive and geolocation data from law enforcement, especially in states that have outlawed most abortions. Other measures would strip Section 230 liability protections from sites that, say, host child sexual abuse material or promote the sexual abuse of minors. Another proposal would incentivize, through drastically increased federal fines, tech firms to proactively report any child exploitation efforts they uncover.

There’s more. This year in the Senate, a new bipartisan measure was introduced to outright ban social media for children under 13, while also requiring parental consent until those minors turn 18. Its sponsors include some of the Senate’s most conservative lawmakers—Tom Cotton, an Arkansas Republican, and Katie Britt, an Alabama Republican—and some of the chamber’s most progressive members—Chris Murphy, a Connecticut Democrat, and Brian Schatz, a Hawaii Democrat. Just bringing a measure to protect minors to the floor without ensuring its passage isn’t good enough for Schatz.

“If we can enact it, that would be great, but there’s no sense bringing something to the floor just to make a point,” Schatz, a father of two, tells WIRED.

If party leaders don’t put one or all of these bills on the floor for votes, Hawley, the Republican senator, vows to use all the instruments in his senatorial toolkit to force the issue in 2024.

“I think it’s time to start putting people on record,” Hawley, who authored a measure prohibiting social media accounts for children under age 16, tells WIRED. “Clearly, the leadership’s not going to bring this to the floor. I think that’s pretty clear. So I think we’ve got to get much more aggressive about forcing votes. What I’d really love to do is start trying to attach this to bills where we have roll call votes, because members hate roll call votes. So expect me to get very aggressive about this.”

Hot Air

Congress knows how to grab headlines—making laws is another conversation. This 118th Congress, with a mere 22 bills signed into law, is currently the least productive session witnessed in decades.

While no data privacy votes are scheduled in the new year, a fireworks display is already on the books. Fresh into the start of 2024, senators on the judiciary committee are dragging in five tech CEOs for a made-for-campaign-fodder hearing on children’s privacy issues. Law enforcement was already called in. See, while TikTok CEO Shou Zi Chew and Meta’s Mark Zuckerberg agreed to testify, subpoenas—some hand-delivered by US marshals after Discord and X “refused to cooperate”—were issued for the other three tech titans: X CEO Linda Yaccarino, Snap’s Evan Spiegel, and Discord’s Jason Citron.

“We’ve known from the beginning that our efforts to protect children online would be met with hesitation from Big Tech. They finally are being forced to acknowledge their failures when it comes to protecting kids. Now that all five companies are cooperating, we look forward to hearing from their CEOs,” Senators Dick Durbin, the committee’s Democratic chair, and Lindsey Graham, the committee’s top Republican, released in a joint statement the Monday before Thanksgiving. “Parents and kids demand action.”

Parents and kids are still wondering whether they can count on this Congress for that action. As of now, Congress has shown they can’t.

Congress Sure Made a Lot of Noise About Kids’ Privacy in 2023—and Not Much Else

I tried to sell a futon on Facebook Marketplace and nearly all I got were scammers.

This year, I decided to get rid of my Amazon starter couch and buy a real one. So I listed the generic, velvet-green futon on Facebook Marketplace, thinking some college students or recent New York transplants would happily scoop it up at a discounted price.

Since September, I have received many inquiries about this couch—nearly all from people who are likely scammers. They respond to the listing and offer me full price in Facebook Messenger from the jump (maybe my first clue, a real Facebook Marketplace veteran knows to haggle). Then, they ask some basic questions that are already in the item’s description: “Where are you located?” “What’s the condition?” Once I’ve repeated myself and given the cross streets closest to my home, there comes another refrain: The buyer either says they must pay now, so that I would take the item off the listing, or so that their husband/brother/son/mover, you name it, can come pick up the futon later that day.

Because it seems no real person would offer to send payment over Zelle _before_ ever seeing that the futon is real, I didn’t accept any of these offers. If I did, it’s likely these people would have sent a phishing link—either as a text to my phone number or in an email—disguised as communication from Zelle, looking to drain me of more money than the couch is worth. For now, I’m stuck with this futon, folded up in the corner of my tiny apartment. So far I’ve been unable to use Facebook Marketplace for its intended purpose: buying and selling useful things among my neighbors.

What happened to me is just one example of the many ways experts say people are getting scammed on Facebook Marketplace. Some scams come from what looks like a seller listing big-ticket items that don’t exist, like a car, and asking for prepaid debit cards purporting to be for eBay and Amazon payments as down payments before vanishing. Peer-to-peer online shopping has always been a buyer-beware endeavor, but sellers themselves are being scammed too. A freelance writer from Australia recounted her own embarrassing story in _The Guardian_ just last month, when she lost $1,000 while trying to sell a pair of boots after plugging sensitive information into a phishing link sent by a scammer.

Facebook is far from the only place scams happen—they’re common across many online selling platforms. But as its Marketplace has soared in popularity since its debut in 2016, scammers have sought to exploit the tool, experts say. Marketplace’s design supplied a layer of transparency and trust for person-to-person transactions; rather than interacting anonymously through a Craigslist ad, people were using profiles that typically included full names and photos. And with an existing Facebook profile, users could upload photos, write descriptions, and seamlessly post a listing with just a few clicks. By 2021, Facebook Marketplace had 1 billion monthly users, growing as ecommerce flourished during the height of the Covid-19 pandemic.

Now, bad actors are relying on that built-in trust to manipulate people out of far more money than their second-hand items may be worth. The scams have become a common feature of the app, and Meta, the $800 billion parent company of Facebook, hasn’t been able to shut them down.

“What happens offline often makes its way into online environments, and that unfortunately includes scams," Ryan Daniels, a Meta spokesperson, tells me. Daniels says the company works “aggressively to quickly identify, disable, and ban scams and accounts associated with them.” The company is also working on a new notification system to “help people better identify potential scams around payment apps" that should begin rolling out over the next few months. Daniels did not share more information about how those notifications will work.

Many scams and attempted scams go unreported, so it’s impossible to understand the scale of the problem. In a 2022 survey of 1,000 people in England, one in six said they were scammed on the marketplace. Another 2022 survey of 1,000 people in the US found that 62 percent had encountered a scam on Facebook. From January 2022 to November 2023, the Better Business Bureau’s scam tracker logged more than 1,200 reports that mentioned Facebook Marketplace in the US and Canada.

The scammers targeting me followed the same script: two messages from different accounts even included the same odd spacing format and just changed a word or two from each other, asking: “Alright I hope this is a legit post because I will be paying the $100 now so you can mark the item as sold my sister will come pick it up but I’ll send the money?” As more of these messages flowed into my DMs, I insisted on being paid in person, and the potential buyers vanished after one or two more wild excuses as to why that wouldn’t be possible. When I wrote “bye, scammer” to one, they replied with “lmao” just before I reported the profile to Facebook.

The scams follow similar patterns, because fraudsters conduct business like multilevel marketers, says Adrianus Warmenhoven, a member of the security advisory board for network security company NordVPN. Someone may develop a scam, then sell it as a toolkit with scripts and phishing links. People also can buy orphaned and hacked Facebook accounts, giving them access to profiles that look like real people with long account histories. Many of the messages I received came from accounts that were created a decade ago or more, showing that these aren’t new accounts created for the sole purpose of scamming people on Marketplace. “A lot of criminal stuff is not being executed by computer-savvy or even criminal-savvy people,” Warmenhoven says. Some of these tools, experts say, are sold on the dark web. But there are also chats on Telegram advertising hundreds of bundled bunches of Facebook accounts from specific countries for sale in bulk. Telegram did not respond to a request for comment.

Some scams encourage people to upgrade their Zelle accounts to a business tier to receive money from a buyer, according to the Better Business Bureau, and come from emails mimicking Zelle, but with different domains. That upgrade appears to cost $300, and the buyer promises to send it if the seller will then refund it. The catch: the $300 was never sent and appeared only in faked screenshots or emails. So, when the seller sends $300, they're really just losing the money.

Zelle’s website notes that it will send emails only from domains ending in @zelle.com and @zellepay.com, and any others could be scams. The company did not answer more specific questions about Facebook Marketplace scams, citing an effort to keep intel from fraudsters.

Other scammers use Google Voice, asking people for their verification code—all under the guise of verifying that the person isn’t a scammer. But with that code, a scammer can then create a Google Voice number using the victim’s phone number, which helps them to conceal their identity for future scams. Additionally, it can help them impersonate someone and get access to their accounts, according to the US Federal Trade Commission. When asked for comment on Facebook Marketplace scams, Google pointed to guidance it posts for people to not share their verification codes, and the company has ways for people to reclaim stolen Google Voice numbers.

Experts say the constant evolving nature of scams makes them tricky for companies to defeat. “It’s a giant game of whack-a-mole,” says Zulfikar Ramzan, chief scientist with digital security company Aura. “They change something about the way they’ve done a scam. It’s really difficult for any organization to keep up with that volume at scale.”

Meta has continued to grow Facebook Marketplace even as scams linger. A 2022 ProPublica investigation found that Facebook Marketplace scams had run rampant and that the company was potentially understaffed to a degree that impeded its ability to stop scammers. In addition to in-house workers, Meta had contracted 400 Accenture workers around the world and gave each person more than 600 complaints or requests for help to process each day. Even worse, ProPublica found a number of alleged armed robberies and murders had occurred in relation to Facebook Marketplace meetups. Meta, Facebook’s parent company, did not answer questions about how it monitors scams now and the information in the ProPublica investigation.

Facebook Marketplace has evolved to more than just selling in the neighborhood. There are options to ship products after a sale, and some small shops have used the platform to grow their business. All of these different types of transactions bring different concerns about scams. Marketplace offers purchase protection, but it doesn’t cover payments made through third-party sites like Zelle, items picked up locally, or transactions conducted through Facebook Messenger.

I lost track of the number of people who seemed eager to scam me—I reported lots of scammers and then left chats, which disappeared. A few people may have been legitimately interested but dropped off early in the conversation. In the end, the frustration wasn’t worth the cash. I’m stuck with this couch, and there’s only one solution left. I’m heading over to another side of Facebook entirely: Buy Nothing.

Source

Wired