After an 18-month rampage, global law enforcement finally moved against the notorious Alphv/BlackCat ransomware group. Within hours, the operation faced obstacles.

The United States Department of Justice said Tuesday that it worked with an international group of law enforcement agencies to conduct a takedown of infrastructure related to the notorious ransomware gang Alphv, also known as BlackCat.

In recent days researchers began noticing that the group's dark-web communication and leak site was having outages, but the attackers claimed that they had simply been dealing with hardware malfunctions. Then, Tuesday morning, a message splashed across the site read, “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware.”

In a twist Tuesday afternoon, the gang's dark-web site roared back to life with an image of a cartoon black cat in silhouette and a banner proclaiming, “THIS WEBSITE HAS BEEN UNSEIZED.” The message remained for roughly two hours before law enforcement seemed to get control of the situation and the takedown message returned.

Alphv has become increasingly audacious in recent months. The gang memorably filed a US Securities and Exchange Commission complaint in November, for example, alleging that the digital lender MeridianLink hadn't made the proper disclosures about a data breach that Alphv itself takes credit for perpetrating.

In retaliation against the law enforcement action, Alphv said on its briefly reanimated site that it was removing its targeting rules for criminal customers who want to use the group's ransomware to attack critical infrastructure.

The group and its affiliates have already been very aggressive in their operations. The Justice Department said that the gang has targeted more than 1,000 victims around the world—including some in US critical infrastructure—and that over the past 18 months Alphv has been “the second most prolific ransomware-as-a-service variant in the world,” raking in hundreds of millions of dollars from victims. Alphv's rampage has been extremely visible, causing disruptions to popular companies including MGM Resorts, and extorting massive payments from victims, like roughly $15 million from Caesars Entertainment. The targeting has also extended to health care and emergency services, defense companies, schools, manufacturing, and government entities.

While Tuesday morning's law enforcement action was meant to deal a critical blow to the gang, it did not come with sanctions or indictments, and ultimately seemed to simply cap more than a year of pervasive and deeply consequential attacks. The fact that the gang briefly seemed to “unseize” the site on Tuesday afternoon only added to a sense of complexity about dealing with such cybercriminal actors, especially those who, like those behind Alphv, appear to be based in the relative safe haven of Russia.

“Law enforcement is moving a lot faster, but it is still not fast enough," says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “It takes a while to build a case, and in the meantime these groups wreak havoc.”

Part of the reason for law enforcement's delay in attempting to take down Alphv's infrastructure may have been an ongoing investigation into the actors behind the group. Alphv/BlackCat seems to have evolved from a gang known as BlackMatter, which, in turn, seemed to emerge as a recombination of the notorious Darkside ransomware group that targeted Colonial Pipeline in the US.

“This isn't their first shit show. Unfortunately, it probably won't be their last either,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “But Alphv's partners in crime will be wondering, what information law enforcement was able to collect? And who does it implicate?”

The takedown effort involved collaboration and parallel investigations from multiple law enforcement agencies, including those in the United Kingdom, Australia, Germany, Spain, and Denmark. The US Justice Department said Tuesday that a decryptor tool for the Alphv ransomware that was developed by the FBI has already helped more than 500 victims recover from attacks and avoid paying roughly $68 million in ransoms.

As ransomware groups rely more on a hybrid model, in which much of their leverage for extortion comes from the threat that they will leak data stolen from victims, decryptors are only one of many tools needed to help victims avoid paying ransoms. But Alphv's attempt on Tuesday afternoon to let its customers use its ransomware for attacks on vital services like hospitals and nuclear plants made the existence of the decryptor more significant, given how dangerous and disruptive that activity might be.

“The statement about targeting critical infrastructure is pretty concerning. This will be an ongoing battle, for sure. Law enforcement will have to aggressively roll out the decryption keys and tools for victims,” says Alex Leslie, a threat intelligence analyst at Recorded Future. “And data extortion is still on the table. Generally speaking, data extortion wouldn’t be as disruptive in terms of a national security crisis in the short term, but who knows.”

A search warrant released by the FBI says that law enforcement got login credentials for the ransomware gang's platforms from a “confidential human source” with access to the group. Though it was not immediately clear how Alphv had “unseized” its site following the law enforcement action, researchers began to coalesce around some theories on Tuesday afternoon. Since both the cybercriminals and law enforcement had access to the login keys, it's possible that multiple sites were registered to the same Tor address or that Alphv was able to add another registration and then point the site to servers that law enforcement did not control. In the same way, though, law enforcement's presumably deep access to the gang's infrastructure is likely what allowed it to retake the site.

The US Justice Department noted Tuesday morning that people with information about Alphv/Blackcat and its affiliates should come forward and may still be may be eligible for a reward through the US State Department.

_Updated 12/19/23, 2:55 pm ET to reflect that law enforcement reestablished its control of Alphv's dark-web leak site._

A Major Ransomware Takedown Suffers a Strange Setback

On Telegram, scammers are impersonating doctors to sell fake Covid-19 vaccination certificates and other products, showing how criminals are taking advantage of conspiracy theories.

Kristina Collins didn’t know her photo was being used on Telegram. Over the past few months, an Instagram picture of Collins, a Texas-based doctor and dermatologist, has been used by scammers on the chat app to try to persuade people to buy false proof that they have been vaccinated against Covid-19 and other diseases.

“The last thing you want as a physician is for your identity to be used to promote misinformation,” Collins tells WIRED, adding that many doctors use social media specifically to make sure people have access to accurate health information. “When people are able to take that likeness and use it for bad purposes, whether it’s fraud, whether it’s misinformation, I think it’s really scary.”

The Telegram channel impersonating Collins wasn’t alone. Researchers at Logically, a UK-based disinformation detection company, have uncovered a network of around 60 Telegram channels selling Covid-19 vaccination certificates and other proof of vaccination documents, and claiming to sell various medicines. In 25 of the channels, administrators used a “Dr.” prefix in their username, with 13 of the channels using the real-world names and/or photographs of legitimate medical professionals.

The network has been operating since at least June 2022, with more than a thousand accounts on X posting links that push people toward the Telegram channels selling “vaccine passes,” according to Chris Proops and Maisie Draper, Logically researchers who investigated the activity. Overall, they say, the social media operation has reached more than 3 million people with over 62,000 posts, and cryptocurrency accounts linked to the efforts have processed $286,000.

The scam is the latest in a long line of Covid-19 and health-related misinformation and disinformation, which has broadly attempted to capitalize on conspiracy theories and some people’s concerns about vaccinations. It highlights how scammers can abuse social media platforms, particularly those with loose stances on moderation, and potentially erode trust in medical systems.

“They're directing people, anti-vaxxers primarily, on X to then move to Telegram and subscribe to the around 50 Telegram channels that they have,” Draper says. The researchers identified around 20 “campaigns” on the Elon Musk–owned social media platform that were pushing people toward Telegram channels. The first was in June 2022 and the most recent at the start of December.

Draper and Proops say the efforts used repeated messaging, often replying to “verified” accounts on X that are linked to anti-vaccination sentiments, and consistently mentioned conspiracy theories such as the “great reset.”

“A lot of it is playing on anti-vaxxers’ vulnerabilities to being paranoid about things like the next pandemic, or other kinds of vaccines, like the measles vaccine,” Draper says.

The Telegram channels, where administrators impersonate doctors, also follow similar patterns to one another. Many of the channels have names related to Covid-19 vaccinations, and they claim to sell pandemic-related travel passes, allowing people to enter the UK, US, Canada, and other countries. They can sell the passes for around $250 to $500 each, with payments often being requested in bitcoin. Photos of the documents they claim to sell look similar to the official versions of the documents.

However, the vast majority of countries no longer require proof of vaccination to enter them and haven’t done so for long periods of time—for instance, the UK removed travel restrictions in 2022. “Over time, we started seeing a trend change where it wasn't just Covid passes,” Proops says. The Telegram channels have offered tuberculosis test results, meningitis vaccine results, and documentation around hepatitis A and B, tetanus, polio, and more, he says.

The researchers say they believe doctors are being impersonated to give the scammers a veneer of legitimacy. The Logically researchers contacted several doctors who were not aware their identities were being used. One doctor, they say, had not heard of Telegram. Collins says she was not aware of her image being used in this way until she was contacted by Logically and WIRED. She added that her image had also been used on a scam Instagram account.

Since the researchers started monitoring the X accounts and Telegram channels last year, many of the accounts and channels have been removed by the social media companies; however, around half of the Telegram channels are still active. Neither Telegram nor X responded to WIRED’s request for comment on the accounts or whether Telegram was aware of the impersonation of doctors taking place.

A WIRED review of the Telegram channels still active shows regular posts from administrators and other members. Some of the channels have only a few hundred members; others have a few thousand. The administrators of some channels have been inactive for several months. Within the channels is a slurry of well-worn and debunked conspiracy theories.

One still-active channel claims itself as a “coalition of doctors” who can get people “genuinely registered documentation” for those traveling to the US, Canada, UK, Australia, and 15 EU countries. The owner of the channel uses the name of a legitimate US-based plastic surgeon who has around 50,000 followers on social media, and a photograph of another doctor. Draper says that within the communities, people “are sharing photographs of side effects of the vaccine and fearmongering about the future impacts of lockdowns.”

The channels also claim to sell the drug ivermectin, which the US Food and Drug Administration said should not be used to treat or prevent Covid-19 in 2021. One of the channels lists half a dozen different kinds of medicines it claims to be able to provide. One claims it is selling weight loss drug Ozempic, while another tells people to not get a flu shot.

“The landscape of misinformation actors is abundant,” says Aliaksandr Herasimenka, a researcher of political communication at the Oxford Internet Institute who has studied misinformation on Telegram and vaccine and health misinformation. Herasimenka, who was not involved in the Logically research, says he has not seen doctors being impersonated on Telegram regularly, but that those behind misinformation and disinformation can use a variety of tactics. He says misinformation efforts can often be run for political or social goals, while those using it to make money can be often overlooked. “There are so many people who try to make money using misinformation, they would use any opportunity to profit,” Herasimenka says.

There is no evidence indicating that the Telegram channels offer legitimate goods, and it isn’t possible to verify whether anyone purchasing items from them receives anything. Some channels have posts from “customers” who claim to have purchased items from the Telegram groups. One account, which claims it ordered a vaccine certificate and drugs to the US, shared a photo of the back of an envelope claiming they received their order. Other posts use generic photos of drugs or vaccine certificates to claim items were delivered.

The Logically researchers say the likelihood that the false documents have been sent to people is “relatively low,” and their main motivation is likely financial. Proops says that while the documents the groups claim to be selling are not of much use now, the networks could be used in different ways in the future. The continued use of the channels and spreading of anti-vaccination messages could also undermine trust in health systems around the world, Proops says.

Collins, the doctor who had her image stolen, says she is concerned that it will become easier for scammers or people looking to undermine health care professionals to do so as image generation with artificial intelligence becomes more available. “As AI gets even better, they can go beyond just taking your picture off of a website, and actually potentially make a video of you talking,” Collins says. This will make it “really hard for an average person to sort out if this is a fake account or not.”

Scammers Are Tricking Anti-Vaxxers Into Buying Bogus Medical Documents

Plus: Hackers reveal flaws in crypto wallets holding $1 billion, a massive breach of Danish electric utilities, and more.

If you work at a spy agency tasked with surveilling the communications of more than 160 million people, it’s probably a good idea to make sure all the data in your possession stays off the open internet. Just ask Bangladesh’s National Telecommunication Monitoring Center, which security researchers found connected to a leaky database that exposed everything from names and email addresses to cell phone numbers and bank account details. The data was likely just used for testing purposes, but WIRED confirmed at least some of the data is linked to real people.

A fight is brewing in the United States Congress over the future of a powerful surveillance program. Section 702 of the Foreign Intelligence Surveillance Act is set to expire at the end of the year. With the December 31 deadline quickly approaching, members of Congress and civil liberties groups are criticizing Section 702 for enabling the “incidental” surveillance of Americans’ communications and “abuses” by the FBI. While a privacy-preserving update to the program has been introduced in Congress, some 702 critics remain concerned that lawmakers will push through reauthorization using other, “must-pass” legislation.

The US Cybersecurity Infrastructure Security Agency this week rolled out its plan for implementing the Biden administration’s executive order on artificial intelligence. CISA’s efforts will focus on defending against weaponized AI and how to incorporate the technology for national security purposes.

Speaking of national security, WIRED spoke this week with Jacob Chansley, aka the Qanon Shaman, who plans to run for the US Congress after becoming a poster child for the US Capitol riot on January 6. Elsewhere in the world of unexpected political news, talk of 9/11 mastermind Osama bin Laden's “Letter to America” spread online this week—and was promptly used by far-right figures to push conspiracy theories.

For the first time, the Signal Foundation has revealed the cost of running its widely popular encrypted messaging app. With annual expenses set to hit $50 million by 2025, the nonprofit expects to rely more heavily on user donations to keep Signal going strong. “By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Meredith Whittaker, president of the Signal Foundation, tells WIRED.

Speaking of surveillance business models, Meta has updated the way two-factor authentication works on Facebook. We’ve got a rundown on what you need to know. Speaking of multifactor authentication, Google has a new Titan Security Key that supports passkeys, pushing the long-used (and misused) password closer to its ultimate demise.

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week— suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven't been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark's critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers' infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia's GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities' customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client's wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.

_Updated, 12/19/23, 3:10 pm EST: Earlier this month, Reuters temporarily removed the article, "How an Indian startup hacked the world” from its website, pursuant to a preliminary court order issued in New Delhi, India. Reuters said it stands by its reporting and that it plans to appeal the court's decision, which is based on a pending lawsuit. In light of Reuters's actions, WIRED has temporarily removed the link and description of the story in this security roundup._

Cybersecurity Industry Baffled by FBI’s Lack of Action on Ransomware Gang

Plus: Apple tightens anti-theft protections, Chinese hackers penetrate US critical infrastructure, and the long-running rumor of eavesdropping phones crystallizes into more than an urban legend.

A hacker group calling itself Solntsepek, previously linked to the infamous Russian military hacking unit Sandworm, took credit this week for a disruptive attack on the Ukrainian internet and mobile service provider Kyivstar. As Russia’s kinetic war against Ukraine has dragged on, inflicting what the World Bank estimates to be around $410 billion in recovery costs for Ukraine, the country has launched an official crowdfunding platform known as United24 as a means of raising awareness and rebuilding.

Kytch, the small company that aimed to fix McDonald’s notably often-broken ice cream machines, claims it has discovered a “smoking gun” email from the CEO of McDonald’s ice cream machine manufacturer that Kytch's lawyers say suggests an alleged plan to undermine Kytch as a potential competitor. Kytch argues in a recent court filing that the email reveals the real reason why, a couple of weeks later, McDonald’s sent an email to thousands of its restaurant franchisees claiming safety hazards related to Kytch’s ice-cream-machine-whispering device.

WIRED looked at how Microsoft’s Digital Crime Unit has refined a strategy over the past decade that combines intelligence and technical capabilities from Microsoft’s massive infrastructure with creative legal tactics to disrupt both global cybercrime and state-backed actors. And we dove into the controversy over reauthorization of Section 702 surveillance powers in the US Congress.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Geofence warrants, which require tech companies to cough up data on everyone in a certain geographic area at a certain time, have become an incredibly powerful tool for law enforcement. Sending a geofence warrant to Google, in particular, has come to be seen as almost an “easy button” among police investigators, given that Google has long stored location data on users in the cloud, where it can be demanded to help police identify suspects based on the timing and location of a crime alone—a practice that has appalled privacy advocates and other critics who say it violates the Fourth Amendment. Now, Google has made technical changes to rein in that surveillance power.

The company announced this week that it would store location history only on users' phones, delete it by default after three months, and, if the user does choose to store it in a cloud account, keep it encrypted so that even Google can't decrypt it. The move has been broadly cheered by the privacy and civil liberties crowds as a long-overdue protection for users. It will also strip law enforcement of a tool it had come to increasingly rely on. Geofence warrants were sent to Google, for instance, to obtain data on more than 5,000 devices present at the storming of the US Capitol on January 6, 2021, but they have also been used to solve far smaller crimes, including nonviolent ones. So much for the “easy button.”

In a different sort of technical move to tighten users' data protections, Apple has added new security features designed to make it harder for thieves to exploit users' sensitive data and accounts. _The Wall Street Journal_ had previously reported on how thieves who merely learned someone's passcode—say, by looking over their shoulder—and then stole their phone could access their online accounts and even make payments to drain their bank balances. Apple has now created a Stolen Device Protection feature that, when enabled, will require you to use a biometric feature like TouchID or FaceID to access certain accounts and phone features, in addition to the passcode that unlocks the phone. For the most sensitive features, like changing passwords or passcodes or turning off Find My, Apple will also force you to wait an hour and authenticate again if the phone isn't in a location the user typically frequents.

The group of Chinese hackers known as Volt Typhoon has rung alarm bells across the cybersecurity industry all year with news of its intrusions targeting power grids and other critical infrastructure in the Pacific region and the US. A new report from _The Washington Post_ offers fresh details of the disturbing mix of networks that the group has breached, including a water utility in Hawaii, an oil and gas pipeline, and a major West Coast port. The hackers haven't actually caused any disruptions, nor have they penetrated the industrial control system side of their targets' networks—the sensitive systems capable of triggering physical effects. But in combination with previous reports of Volt Typhoon's work to plant malware inside electric utilities in the continental US and Guam, the report paints a picture of China's escalating moves to prepare the groundwork for disruption in the event of a crisis, such as an invasion of Taiwan.

The notion that your iPhone or Amazon Echo is quietly listening to your conversations has long been one of the most paranoid suspicions of all technology users—bolstered, of course, by the targeted ads that are often so accurate that they seem to be pulled directly from verbal conversations. This week, that suspicion finally became more than an urban legend when 404 Media reported on an advertising company actively claiming that it can eavesdrop on conversations via those kinds of devices. The company, Cox Media Group, (CMG) brags in its marketing materials that it's already offering the technique to clients and “the ROI is already impressive.” It lists Amazon, Microsoft, and Google as alleged customers. But 404 Media couldn't verify if the technique works as advertised—an enormous “if”—and CMG didn't respond to 404 Media's request for comment.

Google Just Denied Cops a Key Surveillance Tool

Kytch, the company that tried to fix McDonald’s broken ice cream machines, has unearthed a 3-year-old email it says proves claims of an alleged plot to undermine their business.

A little over three years have passed since McDonald's sent out an email to thousands of its restaurant owners around the world that abruptly cut short the future of a three-person startup called Kytch—and with it, perhaps one of McDonald's best chances for fixing its famously out-of-order ice cream machines.

Until then, Kytch had been selling McDonald's restaurant owners a popular internet-connected gadget designed to attach to their notoriously fragile and often broken soft-serve McFlurry dispensers, manufactured by McDonalds equipment partner Taylor. The Kytch device would essentially hack into the ice cream machine's internals, monitor its operations, and send diagnostic data over the internet to an owner or manager to help keep it running. But despite Kytch's efforts to solve the Golden Arches’ intractable ice cream problems, a McDonald’s email in November 2020 warned its franchisees not to use Kytch, stating that it represented a safety hazard for staff. Kytch says its sales dried up practically overnight.

Now, after years of litigation, the ice-cream-hacking entrepreneurs have unearthed evidence that they say shows that Taylor, the soft-serve machine maker, helped engineer McDonald's Kytch-killing email—kneecapping the startup not because of any safety concern, but in a coordinated effort to undermine a potential competitor. And Taylor's alleged order, as Kytch now describes it, came all the way from the top.

Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines—and how the fast-food giant froze them out.

On Wednesday, Kytch filed a newly unredacted motion for summary adjudication in its lawsuit against Taylor for alleged trade libel, tortious interference, and other claims. The new motion, which replaces a redacted version from August, refers to internal emails Taylor released in the discovery phase of the lawsuit, which were quietly unsealed over the summer. The motion focuses in particular on one email from Timothy FitzGerald, the CEO of Taylor parent company Middleby, that appears to suggest that either Middleby or McDonald's send a communication to McDonald's franchise owners to dissuade them from using Kytch's device.

“Not sure if there is anything we can do to slow up the franchise community on the other solution,” FitzGerald wrote on October 17, 2020. “Not sure what communication from either McD or Midd can or will go out.”

In their legal filing, the Kytch cofounders, of course, interpret “the other solution” to mean their product. In fact, FitzGerald's message was sent in an email thread that included Middleby's then COO, David Brewer, who had wondered earlier whether Middleby could instead acquire Kytch. Another Middleby executive responded to FitzGerald on October 17 to write that Taylor and McDonald’s had already met the previous day to discuss sending out a message to franchisees about McDonald’s lack of support for Kytch.

But Jeremy O'Sullivan, a Kytch cofounder, claims—and Kytch argues in its legal motion—that FitzGerald’s email nonetheless proves Taylor's intent to hamstring a potential competitor. “It's the smoking gun,” O'Sullivan says of the email. “He's plotting our demise.”

Although FitzGerald's email doesn't actually order anyone to act against Kytch, the company’s motion argues that Taylor played a key role in what happened next. It's an “ambiguous yet direct message to his underlings,” argues Melissa Nelson, Kytch's other cofounder. “It's just like a mafia boss giving coded instructions to his team to whack someone."

On November 2, 2020, a little over two weeks after FitzGerald's open-ended suggestion that perhaps a “communication” from McDonald's or Middleby to franchisees could “slow up” adoption of “the other solution,” McDonald's sent out its email blast cautioning restaurant owners not to use Kytch's product.

The email stated that the Kytch gadget “allows complete access to all aspects of the equipment’s controller and confidential data”—meaning Taylor’s and McDonald’s data, not the restaurant owners’ data; that it “creates a potential very serious safety risk for the crew or technician attempting to clean or repair the machine"; and finally, that it could cause “serious human injury.” The email concluded with a warning in italics and bold: “McDonald’s strongly recommends that you remove the Kytch device from all machines and discontinue use.”

Kytch has long argued that McDonald’s safety warning was bogus: In its legal complaint, it noted that its devices received certification from Underwriters Laboratory, an independent product safety nonprofit, including meeting its safety standards. It also countered in the complaint any claim that a Kytch device's remote connection to an ice cream machine could result in the machine turning on while a person's hand was inside—in fact, Taylor's own manual advises unplugging the machine before servicing it, and removing the door of the machine to access its rotating barrels automatically disables its motor.

Kytch's legal motion now argues that FitzGerald's email reveals that the McDonald's warning to restaurant owners was never really about safety, so much as protecting its equipment partner from a startup that might represent competition. The CEO's email “essentially put into place their plan to defame us," Nelson says.

She and O’Sullivan also argue that the internal email directly contradicts FitzGerald’s public statements that Middleby hadn’t sought to kill Kytch. “We’re not in business to put other companies out of business,” FitzGerald told _The New York Times_ early last year.

When WIRED reached out to Middleby, Taylor’s parent company, for comment, a spokesperson responded in a statement disputing Kytch’s interpretation of its internal emails. “McDonald’s decided to issue the November 2020 field brief on its own accord, not at Middleby or Taylor’s direction,” the statement reads. “Taylor stood, and continues to stand, by the accuracy of statements made in the field brief.” The spokesperson also notes that Taylor won an early ruling in the lawsuit against Kytch’s request for a preliminary injunction—which would have prevented Taylor from developing a device that Kytch claims was copied from its product—and promises an upcoming filing responding to Kytch’s argument, which court documents say will happen in early 2024.

At the time of McDonald's warning email to franchisees about Kytch, Taylor was developing its own internet-connected ice cream machine, what it referred to as Taylor Shake/Sundae Connectivity, which McDonald's recommended in the same email. But, even now, more than two years after it was promised for delivery, that device has yet to arrive in restaurants—and the publicly documented ice cream headaches at McDonald’s appear to have continued. According to the website McBroken, which tracks ice cream machine downtime at McDonald's restaurants across the US, between 13 percent and 17 percent of McDonald's restaurants have had broken ice cream machines at any given time just this month. That percentage has recently been as high as 35 percent in New York City and 28 percent in Washington, DC.

Taylor declined to comment on any upcoming internet-connected ice cream machine model. But that long-touted solution to the problem has still not been made available to franchisees, according to one McDonald's restaurant owner who goes by the handle McFranchisee (and previously used the handle McD Truth) on X. But McFranchisee says that Taylor has integrated those new features into its next model, which is expected to be available in four to six months. (McFranchisee has also criticized Kytch, claiming that the startup's failure was due to its own reliability problems and an increase in its prices, not a Taylor or McDonald's conspiracy against them.)

Despite the email from Middleby's CEO that Kytch claims suggests dissuading franchisees from using Kytch's product, Kytch argues that other documents released in the lawsuit’s discovery phase show McDonald's itself was also eager to stymie Kytch from the beginning. In February 2020, Taylor president Jeremy Dobrowolski wrote in another email that “McDonald's is all hot and heavy about” Kytch's growing use in restaurants. Before the company sent out its November 2 email warning franchisees about Kytch, Taylor and McDonald’s executives had a meeting to discuss the message, and a McDonald's exec also sent a draft to Taylor for its approval. A Taylor executive wrote to others within the ice cream machine company, “I am a bit in shock they are willing to take such a strong position.”

When WIRED reached out to McDonald’s for comment on Kytch’s new argument about the “smoking gun” email from Taylor’s CEO, a spokesperson responded with a statement: “McDonald’s won’t speculate about the intent behind this email discussion that we weren't a part of. The intent of our Nov. 2020 communication was to bring awareness to potential safety concerns regarding the unapproved Kytch device.”

In addition to its lawsuit against Taylor, Kytch is still pursuing a bigger lawsuit against McDonald's itself, asking for $900 million in damages for what it describes in its legal complaint as McDonald’s effort to “drive Kytch out of the marketplace.” That lawsuit against McDonald's, if it moves forward, may soon produce more answers explaining Kytch’s legal claims that McDonald's appears to have cooperated with Taylor in telling its customers not to use Kytch—even as many of its restaurants took a significant hit from lost ice cream sales.

In the meantime, Kytch says it plans, if necessary, to take the lawsuit against Taylor to a jury trial, currently set for May. “The conspiracy described in Kytch's complaint involved folks at the highest levels of leadership, not just at Taylor but also at Middleby and at McDonald’s,” says Daniel Watkins, Kytch's attorney. “We’re really looking forward to the opportunity to present it to an open trial.”

McDonald’s Ice Cream Machine Hackers Say They Found the ‘Smoking Gun’ That Killed Their Startup

Ten years in, Microsoft’s DCU has honed its strategy of using both unique legal tactics and the company’s technical reach to disrupt global cybercrime and state-backed actors.

Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft's Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.

The DCU is fueled, of course, by Microsoft's massive scale and the visibility across the internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.

In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.

The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.

The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.

“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”

The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.

Still, the DCU's particular progression was the result of Microsoft's unique dominance during the rise of the consumer internet. As the group's mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU's unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.

“There's simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”

Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.

“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.

“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”

As the group has matured and expanded into all of these areas, Boscovich says, a “preoccupation with exposure to liability and risk” is another element of the work that keeps him up at night.

“You want to help, and you want to do all these things, but no good deed goes unpunished sometimes,” he says. “Sometimes, we would try to help someone—and to help them you kind of shut their computer down—and even though you’re trying to help them, their small business goes down. So how do you manage that? That’s always been the hardest part of my job. The legal creativity is cool, but how do I make sure that it’s acceptable risk and that we research everything so there’s no collateral damage?”

The legal strategies the group has focused on developing evolve as digital threats evolve. In 2016, the DCU began taking the approach of establishing a court “special master” when working on disruptions related to state-sponsored hacking. This judge-appointed official is a direct point of contact for ongoing cases and even remains active for years after a case has been officially closed, enabling the DCU to get court approval for infrastructure takedowns and other actions without having to file for new court orders.

“It allows us to stay on top of these threats and get an order within minutes,” Boscovich says. “We can accelerate the process of litigation almost to the speed of cyber.”

He also points out the challenge of taking action against threat actors given the professionalization of the cybercriminal ecosystem in recent years. Crime groups now operate as syndicates with different departments working on different aspects of carrying out crimes while also contracting with third parties for services they don't develop in-house.

“There’s a legal problem: How do you get a bunch of people doing separate activities into one complaint or one charge? They don’t always even know each other,” Boscovich says. To address this situation, the group worked on legal strategies under the US Racketeer Influenced and Corrupt Organizations Act (RICO), which is designed to focus on criminal organizations rather than individual criminal acts.

“These are the guys who developed the malware, brokered the malware, operate the malware, so we can put them all into one legal filing to bring them together,” he says. “Now that has become part of our legal game plan as well.”

As cybercriminal and state-backed hacking has continued to escalate, the DCU has expanded its collaborations with law enforcement and used its techniques during an ever-changing array of global crises. In 2016, for example, the group carried out its first disruption of a state actor, conducting takedowns related to Russia’s APT 28, known as Fancy Bear. The attackers had been using Microsoft-like domains in their notorious phishing rampages and disinformation campaigns related to that year’s US elections. In 2018, the group shared findings with the Delhi police about the actors behind 10 criminal call centers in India who were scamming victims in the US, Canada, the Netherlands, and Australia. The information-sharing resulted in 63 arrests. In 2020, the DCU seized domains used in pandemic-related cybercrime and also conducted takedowns against the notorious Trickbot ransomware group ahead of the 2020 US elections.

“We tend to think about it from the victim protection perspective,” says Amy Hogan-Burney, who oversees the DCU as Microsoft's general manager and associate general counsel of cybersecurity policy and protection. “I leave deterrence generally to governments, but what I always focus on is victim protection. That can be narrow, meaning a Microsoft customer or type of Microsoft customer, or it can be really broad—anyone who is using the internet who may be impacted by cybercrime.”

Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime

A hacker group calling itself Solntsepek—previously linked to Russia’s notorious Sandworm hackers—says it carried out a disruptive breach of Kyivstar, a major Ukrainian mobile and internet provider.

Over nearly a decade, the hacker group within Russia's GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine's power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions and even temporarily sabotaging the air raid warning system in the capital of Kyiv.

On Tuesday, a cyberattack hit Kyivstar, one of Ukraine's largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.

Kyivstar's CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday, according to Reuters, that the hacking incident “significantly damaged \[Kyivstar's\] infrastructure \[and\] limited access.”

“We could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy's access,” he continued. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”

The Ukrainian government hasn't yet publicly attributed the cyberattack to any known hacker group—nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as Solntsepek had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia's GRU.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 computers, more than 4 thousand servers, all cloud storage and backup systems,” reads the message in Russian, addressed to Ukrainian president Volodymyr Zelenskyy and posted to the group's Telegram account. The message also includes screenshots that appear to show access to Kyivstar's network, though this could not be verified. “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as government agencies and law enforcement agencies of Ukraine. The rest of the offices helping the Armed Forces of Ukraine, get ready!”

Solntsepek has previously been used as a front for the hacker group Sandworm, the Moscow-based Unit 74455 of Russia's GRU, says John Hultquist, the head of threat intelligence at Google-owned cybersecurity firm Mandiant and a longtime tracker of the group. He declined, however, to say which of Solntsepek’s network intrusions have been linked to Sandworm in the past, suggesting that some of those intrusions may not yet be public. “It's a group that has claimed credit for incidents we know were carried out by Sandworm,” Hultquist says, adding that Solntsepek's Telegram post bolsters his previous suspicions that Sandworm was responsible. "Given their consistent focus on this type of activity, it's hard to be surprised that another major disruption is linked to them.”

If Solntsepek is a front for Sandworm, it would be far from the first. Over its years of targeting Ukrainian infrastructure, the GRU unit has used a wide variety of covers, hiding behind false flags such as independent hacktivist groups and cybercriminal ransomware gangs. It even attempted to frame North Korea for its attack on the 2018 Winter Olympics.

Today, Kyivstar countered some of Solntsepek's claims in a post on X, writing that “we assure you that the rumors about the destruction of our ‘computers and servers’ are simply fake.” The company had also written on the platform that it hoped to restore its network's operations by Wednesday, adding that it's working with the Ukrainian government and law enforcement agencies to investigate the attack. Kyivstar's parent company, Veon, headquartered in Amsterdam, didn't respond to WIRED's request for more information.

While the fog of war continues to obscure the exact scale of the Kyivstar incident, it already appears to be one of the most disruptive cyberattacks to have hit Ukraine since Russia's full-scale invasion began in February 2022. In the year that followed, Russia launched more data-destroying wiper attacks on Ukrainian networks than have been seen anywhere else in the world in the history of computing, though most have had far smaller effects than the Kyivstar intrusion. Other major Russian cyberattacks to hit Ukraine over the past 20 months include a cyberattack that crippled thousands of Viasat satellite modems across the country and other parts of Europe, now believed to have been carried out by the GRU. Another incident of cybersabotage, which Mandiant attributes to Sandworm specifically, caused a blackout in a Ukrainian city just as it was being hit by missile strikes, potentially hampering defensive efforts.

It's not yet clear if the Kyivstar attack—if it was indeed carried out by a Russian state-sponsored hacker group—was merely intended to sow chaos and confusion among the company's customers, or if it had a more specific tactical intention, such as disguising intelligence-gathering within Kyivstar's network, hampering Ukrainian military communications, or silencing its alerts to civilians about air raids.

“Telecoms offer intelligence opportunities, but they're also very effective targets for disruption," says Mandiant's Hultquist. “You can cause significant disruption to people's lives. And you can even have military impacts.”

Hacker Group Linked to Russian Military Claims Credit for Cyberattack on Kyivstar

Competing bills moving through the House of Representatives both reauthorize Section 702 surveillance—but they pave very different paths forward for Americans’ privacy and civil liberties.

Two surveillance bills are barreling their way through the US House of Representatives this week. Both claim to achieve roughly the same goal: Enact sweeping reforms and save a dying surveillance program beleaguered by “persistent and widespread” abuse.

Under this program, Section 702, the US government collects hundreds of millions of phone calls, emails, and text messages each year. An inestimable chunk belongs to American citizens, permanent residents, and others in the United States neither suspected nor accused of any crime.

While both bills would extend the program’s life, only one of them can credibly lay claim to the title of reform. Legislation introduced last week by Representative Andy Biggs in the House Judiciary Committee would require the Federal Bureau of Investigation (FBI) to obtain warrants before accessing the communications of Americans collected under Section 702. The second bill, introduced by the House Intelligence Committee, contains no equivalent protection.

The House Judiciary Committee’s Protect Liberty and End Warrantless Surveillance Act (PLEWSA, unfortunately) secures a glaring loophole in US law that helps police and intelligence agencies buy their way around the Fourth Amendment by paying US companies for information that they’d otherwise demand a warrant to disclose. The House Intelligence Committee’s bill—the FISA Reform and Reauthorization Act, or FRRA—does nothing to address this privacy threat.

What the FRRA does appear to do, despite its name, is explode the number of companies the US government may compel to cooperate with wiretaps under Section 702. That was the assessment on Friday of Marc Zwillinger, amicus curiae to the Foreign Intelligence Surveillance Court of Review (FISCR). “These changes would vastly widen the scope of businesses, entities, and their affiliates who are eligible to be compelled to assist 702 surveillance,” Zwillinger wrote in an article with Steve Lane, a former Justice Department (DOJ) attorney.

Section 702 currently allows the government to compel a class of companies called “electronic communications providers” to collect communications. If the FRRA becomes law, according to Zwillinger, that category would be greatly expanded to include a slew of new businesses, including “data centers, colocation providers, business landlords, and shared workspaces,” as well as, he says, “hotels where guests connect to the internet.”

Congressional sources tell WIRED that officials at the DOJ, Department of Defense, and National Security Agency have been placing urgent calls directly to House lawmakers to oppose the PLEWSA and advance the FRRA—an effort, the sources say, being coordinated by White House advisers. Privately, some Democrats have been urged to help kill the “Jim Jordan bill,” an aide said, explaining the apparent jab is meant to frame an entirely bipartisan bill as an extreme Republican measure. (Jordan, the aide noted, is not the bill’s author and did not introduce it.) Regardless, a major chunk of the PLEWSA was cannibalized from privacy legislation with a record of broad bipartisan support, and particularly in the Senate, where top Democrat Chuck Schumer has previously lent his name to a bill banning police and intelligence agencies from buying people’s personal data.

The PLEWSA likewise exited the House Judiciary Committee last week with broad bipartisan support from both Jordan, the Republican chair, and Jerrold Nadler, its ranking Democrat.

Section 702 surveillance begins with monitoring the communications of foreigners believed to be located outside of the United States. Under these conditions, the US government can ignore most constitutional protections, wiretapping nearly any individual it deems likely to possess—or likely to possess in the future—information of intelligence value.

Correspondence between foreign targets and their lawyers, doctors, religious leaders, wives, husbands, and children are all open for collection, a fact that would not change if every one of them were a US citizen. Whatever calls, emails, or texts are intercepted as a result of targeting a foreigner under 702 are legally permissible, or “incidental,” in spy agency parlance.

Once that information is legally in the government’s possession, the use of it is subject to a different set of legal doctrines, many of which ignore the novel circumstances under which it was initially seized. A federal appeals court in 2021 described the “two-step” process by which communications may be seized under 702 and only years later dug up for an entirely different reason. The process on the whole is constitutional, it said, so long as each step “independently complies with the Fourth Amendment.” Under this logic, the FBI has been permitted to treat the private communications of Americans—secretly obtained during foreign surveillance—as roughly the equivalent of information it stumbles across in plain view.

How often Americans are targeted by Section 702 surveillance is a question that the government says it genuinely can’t answer. It does, however, disapprove of using the word “target” to describe Americans whose calls and texts are intercepted by US spies.

Congressional sources opposed to the FRRA, the House Intelligence Committee’s bill, say it reflects a deference toward executive power that has become customary among House and Senate intelligence staff. In arguing that constant experience has never shown secret agencies to be predisposed to self-restraint, a senior aide pointed to the case of an intelligence analyst caught abusing 702 data for “online dating” purposes last year. It had recently been confirmed, they said, that the analyst had not been fired.

“The Intelligence Committee’s ‘FISA Reform and Reauthorization Act’ may have the word ‘reform’ in its name, but the bill’s text proves otherwise,” says Representative Zoe Lofgren. “Congress must not green-light another major surveillance reauthorization without enacting surveillance reform measures that curb abuses and protect Americans’ civil liberties."

Talking points obtained by WIRED that were being circulated over the weekend by critics of the PLEWSA bill’s deeper reforms allude to the “grave damage” it poses to national security. Supporters of the FRRA bill have dubiously credited the 702 with halting “another 9/11.” But the PLEWSA bill strikes an appreciable balance between privacy and security for a surveillance authority aimed at foiling tier-one threats. It contains clear caveats to help the government advance investigations of cybercrime and exigencies for most immediate, violent threats.

Sources say both the PLEWSA and the FRRA could receive a floor vote as early as Tuesday under rarely prescribed Queen-of-the-Hill rules—meaning, in short, that the bill with the greatest number of supporters might ultimately carry the day.

Congress Clashes Over the Future of America’s Section 702 Spy Program

With its war against Russia raging on, Ukraine has begun raising funds to rebuild homes and structures one by one using its own crowdfunding platform.

While Ukraine remains locked in a brutal war with Russia, Ukraine’s government in Kyiv is already looking forward to a day when the country rebuilds itself from the ground up.

It will be no small task. The World Bank estimates that, as of early this year, Ukraine’s rebuilding costs surpassed $410 billion. To recover from Russia’s bombing, shelling, and attacks against critical infrastructure, Ukraine will need massive investments in its water services, agriculture, mine disposal, health care system, and more.

While the push to rebuild Ukraine’s critical infrastructure will be gargantuan, there is also a mounting need to repair the country’s housing stock. The World Bank estimates Ukraine will need at least $69 billion to replace homes and apartment buildings damaged and destroyed by the war—roughly $2 billion of that amount is needed urgently.

While billions are pouring in from governments around the world to fund Ukraine’s defensive efforts and to replace critical infrastructure, the country is turning to private donors to help replace its citizens’ wrecked homes. Using United24, Kyiv’s official crowdfunding platform, the government is hoping to show its supporters what’s been lost and what might be rebuilt.

As part of the crowdfunding campaign, supporters can explore a map of homes that are in need of repair. Each address features a 3D rendering of the home before it was damaged in the war. It also includes personal stories from the building’s former residents and testimonials about their desire to return. Some even include a livestream of the construction in progress.

One, in Irpin, is a nine-storey apartment building whose 390 residents were forced to abandon their homes after the structure was shelled by a Russian tank, which “would aimlessly shoot” at the building, according to the crowdfunding page. Photos of the damage to the exterior are bad, a former resident told United24: “It is even worse to see these completely destroyed and burnt apartments live.”

Another, a brutalist apartment block in Borodianka, was devastated by air strikes and mortar shells—some of its residents stayed in the building through the frigid Ukrainian winter, having repaired a hole in the wall themselves.

In Hostomel, a huge apartment building was damaged by a Russian missile before being occupied by the invading soldiers. The Russians mined the area before leaving, according to Kyiv. Alyona, a former resident, explained in a statement supplied by United24 that she hasn’t given up on it: “Despite everything, this is the house in which we lived happily with our husband and children.”

The new fundraising appeal comes amid a certain “tiredness” from donors, as Ukraine’s finance minister put it. Yaroslava Gres, United24’s main coordinator, says overcoming that fatigue is his mission. “We ask ourselves: What will motivate them to keep standing with Ukraine?” he tells WIRED.

Gres says he hopes that letting prospective donors see the homes they will help rebuild, and hear from the people who want to return home, will inspire the support to keep coming. “Storytelling gives our donors an opportunity to feel complicity with the specific people they support, as well as with the specific targets they help rebuild,” he says.

The 3D renderings come via LUN, a Ukrainian realty website that partnered with United24 for the project. The company dispatched photographers, equipped with drones, to buildings across the country. The footage is used to create a digital replica of a damaged building. From there, its architects plot the reconstruction of the building.

“We have been digitizing the future for years, modeling how cities can develop, and how new buildings can be built,” a LUN spokesperson tells WIRED. “It was difficult to see destruction instead; to look through hundreds of photos of the damage dealt and depict everything as is.”

Video: United24

These 3D renderings will also be made available through augmented reality, letting users picture the buildings through their phone camera or AR headset.

The logistics behind rebuilding Ukraine’s civil infrastructure is going to be enormous and complicated. In a presentation delivered in May, Maksym Smilianets—co-owner of Ukrainian internet service provider Viner—highlighted the magnitude of the problem they face in rebuilding and reconnecting the country. The air strikes and shelling did an enormous amount of damage to the telecommunications infrastructure, he explained. Hundreds of kilometers of fiber-optic cable have already been laid to repair that destruction.

In the areas currently under Russian control, the invading army quickly switched the connection to the Moscow-controlled internet. “They rebuilt the connections and stole our equipment,” Smilianets’ presentation explained. In the liberated parts of Ukraine, repair crews found boobytraps inside the telecommunications infrastructure, he said. “They did everything possible for total disconnection.”

Even as ISPs like Smilianets’ Viner work to rebuild the shared infrastructure of Ukraine, once one of the best-connected countries in Europe, there will be enormous work required to reconnect each damaged home and apartment block across the country. That “last mile” will likely require hundreds of kilometers more fiber-optic cable.

“No one has the power to cleanse the depths of human nature from the evil that sometimes rises to the surface and destroys and kills,” Ukrainian president Voldomyr Zelensky told the Ukraine Recovery Conference held in London this past June. “But you and I, and right now, we are able to protect life and overcome the ruins.”

Ukraine Is Crowdfunding Its Reconstruction

Videos featuring Elijah Wood, Mike Tyson, and Priscilla Presley have been edited to push anti-Ukraine disinformation, according to Microsoft researchers.

For around $340, actor Elijah Wood can record you a personalized video wishing you happy birthday. John McGinley, best known for his role in medical TV show _Scrubs_, will give you a lengthy pep talk for around $475. Priscilla Presley will record a clip talking about everything from Christmas shopping to Graceland for around $200.

These celebrities all use the video-sharing platform Cameo to quickly snap homemade videos for fans who pay them for the honor. They can be seen celebrating anniversaries, lightly roasting people, or offering advice. This summer, however, some videos have been weaponized by an unknown Russian group, which has crudely edited the clips and used them as part of its wide-ranging information warfare tactics against Ukraine.

At least seven seemingly unaware celebrities, including those listed above, have had their Cameo videos manipulated by pro-Russian actors to appear as if they are criticizing Ukrainian president Volodymyr Zelensky, according to new Microsoft research published today. The altered Cameo videos were shared on social media then heavily reported on by Russian government-owned or controlled newspapers and TV channels, the research says.

The videos started appearing in July and follow similar patterns. “It's at a regular interval,” says Clint Watts, the general manager of Microsoft Threat Analysis Center, which published the research in an update on Russian information and cyber activities. “It's a different actor or actress popping up saying a very similar script,” Watts says.

The videos often see the celebrity talking to “Vladimir” and saying they should get help with possible substance abuse. The videos are later edited to appear as if the celebrity were addressing Ukrainian president Volodymyr Zelensky—the Kremlin has consistently pushed disinformation calling Zelensky an addict. The videos can have emoji, links, and social handles added to them before they are shared on social media.

The seven celebrities Microsoft highlights are actors Elijah Wood, John McGinley, Dean Norris, Kate Flannery, and Priscilla Presley; musician Shavo Odadjian; and boxer Mike Tyson. There is no suggestion that the celebrities knew their videos would be edited or manipulated in this way.

“I just want to make sure you are getting help,” Wood, the former _Lord of the Rings_ actor, appears to say in the video. The manipulated video has a Ukrainian flag, a social media handle for Zelensky, and a link to a drug and alcohol research center, and has been made to look like it appeared on Instagram. The video has several jarring cuts throughout and is evidently altered. “I hope you get the help that you need. Lots of love, Vladimir, take care,” Wood seemingly says at the end of the footage. In another video, Kate Flannery, who starred in _The Office_, appears to say, “You need to go to the rehab,” and that Vladimir deserves a good life.

Over the past decade, Russian disinformation efforts have evolved to keep up with the current web trends, Watts says. Around the 2016 US elections, pro-Russian accounts were sharing their messages using blog post links. Watts says that the Cameo videos did not appear to have reached a wide audience, but the effort was “novel” and part of Russia’s ever-changing tactics. “It’s very hard to influence if you’re not in video, in the current era,” Watts says, adding that the Cameo videos were not edited to a high quality.

“The request was submitted through Cameo and was in no way intended to be addressed to Zelensky or have anything at all to do with Russia or Ukraine or the war,” says a representative for Elijah Wood. A spokesperson for boxer Mike Tyson says the video of him is “false” and he does not produce such content. “Anything outside of his usual lighthearted Cameo videos \[is\] being altered,” the representative says. Representatives for other celebrities in the Cameo videos did not immediately respond to requests for comment or could not be reached ahead of publication.

Brandon Kazimer, a spokesperson for Cameo, says it is the company’s policy not to comment on any trust and safety investigations. However, Kazimer says the kind of videos described in the research would violate the company’s community guidelines, and “Cameo will typically take steps to remove the problematic content and suspend the purchaser's account to help prevent further issues.”

Additional analysis of the Cameo videos shows how they spread through Russian government-owned or backed media outlets. Antibot4Navalny, an anonymous Russia-based disinformation research group, looked at mentions of the seven celebrities and the videos and found they appeared dozens of times in Russian media, which is largely state-backed or owned.

An Antibot4Navalny member, who was not involved in the Microsoft research, says it appears that one celebrity was targeted each week for nearly two months. The researcher says that Priscilla Presley’s video was mentioned on one of the biggest “prime-time political talk shows” in Russia. The “widest coverage, as measured by number of major media agencies mentioning \[them\], was received by John McGinley,” the researcher says. This included news service RT, which is sanctioned in Europe. They add that Russian fact-checking website Provereno has debunked several of the videos.

The Cameo videos are not the first time that pro-Russian actors have used celebrities to try and push their messages. This week, WIRED revealed how a notorious Russian disinformation effort called Doppelganger, which has links to Russian military intelligence, has been using images of celebrities, including Taylor Swift, Beyoncé, Oprah, Justin Bieber, and Cristiano Ronaldo, to promote anti-Ukraine messages on social media. The efforts reached more than 7.6 million people on Facebook in November, according to an analysis of ads on the platform.

The Antibot4Navalny researcher says people trust well-known, public figures, even if they are not an expert on a subject area. “This is exactly what is exploited by Russian media domestically, and in a quite similar way by Doppelganger operators targeting other countries,” the researcher says. “If you are out of experts saying what you need, just use a video footage (or a photo) with whoever looks familiar, and add subtitles, voiceover, or a written ‘quote,’ with whatever talking points you are seeking to amplify.”

“When the Russians are particularly successful is when they're quick and tied to current events and news stories,” says Microsoft’s Watts. In recent weeks, researchers, including those at Microsoft, have linked some disinformation about the Israel–Hamas war to Russian actors trying to capitalize on the moment. Videos faking news reports from the BBC and Bellingcat have been posted on Russian Telegram channels in the past two months. The videos, according to researchers, include false quotes attributed to Bellingcat founder Eliot Higgins and use a similar style to the BBC. The videos push messages incorrectly claiming that Ukraine is selling weapons to Hamas.

Most of the Russian narratives highlighted by recent research focus on discrediting Ukraine and its leadership as Russia’s full-scale war enters its second winter. However, next year, dozens of countries—including the US, EU, and UK—are set to hold elections. As this happens, Russian influence operations may also change course. Microsoft’s Watts says he expects that by March, one of the biggest concerns will be whether Russian malicious actors, including hacker groups, are targeting more European and North American targets to potentially conduct “hack and leak operations to drive narratives around any sort of political warfare that they want to pursue.”

Source

Wired