Inauthentic accounts on X flocked to its owner’s post about Ukrainian president Vlodymr Zelensky, hailing “Comrade Musk” and boosting pro-Russia propaganda.

Since Elon Musk spent $44 billion on Twitter (now X) last year, the billionaire has been determined to wipe out bots and spammy accounts. Things haven’t gone smoothly. Amid the chaos, in recent weeks Russian trolls have jumped on one of Musk’s own posts and used it to push pro-Kremlin messaging, a new analysis shows.

At the start of October, Musk used his platform to mock Ukrainian president Vlodymr Zelensky with a nine-year-old meme. “When it's been five minutes and you haven't asked for a billion dollars in aid,” says the text above the “Trying to Hold a Fart Next to a Cute Girl in Class” meme, which the X owner posted to his 160 million followers. The original image shows a teenage schoolboy visibly agitated while sitting in class next to a girl. Musk’s version swapped in Zelensky’s face. Ukrainians hit back at Musk, accusing him of trolling and posting Russian propaganda.

Now analysis by a volunteer group of researchers who track Russian-language information operations on X says Russian trolls flocked to Musk’s post and news accounts that reported on his meme. “The Zelensky tweet from Musk seems to be the most commented by Kremlin trolls over nearly three months,” says Antibot4Navalny, the anonymous group of volunteers behind the findings.

In the days after the post, around 160 inauthentic accounts pushing pro-Russian messaging sent some 400 posts praising Musk as a “Russian patriot” and photoshopping him into Russian military uniforms, according to the group. They say the main messaging can be summarized, in part, as “Comrade Musk supports Russia.”

Three independent experts, including one former disinformation researcher at Twitter, reviewed the findings from Antibot4Navalny and concluded that the accounts praising Musk and pushing Russian narratives are likely to be part of a coordinated campaign. They say that while there was a small number of accounts pushing the messaging—the post has 93 million views—the targeting may show the accounts testing their messaging and tactics.

The X press office did not respond to WIRED’s request for comment, which included a sample of the accounts identified by the Antibot4Navalny researchers. “Busy now, please check back later,” its automated response says.

The Antibot4Navalny group monitors inauthentic accounts on X, focusing on the Russian language, and it identifies accounts that may not be genuine by analyzing their behavior and the replies they make to media outlets. Data gathered by the researchers shows the accounts replying both to Musk’s original tweet and also those from Russian-language news accounts, such as BBC Russian and DW Russian. The posts are mostly in Russian, but there are also a few in English. “Among troll replies addressing Musk directly, some are using memes or other images which are sometimes a part of the message,” a Antibot4Navalny representative says.

“Russia thanks you for your excellent work, Elon. And answers with memes,” one English language post says. “As usual, Musk is our comrade: like us, he ROFLs at the junkie,” a translated Russian post says. Others praise Musk for telling the “truth” and mocking the Ukrainian president.

One former Twitter disinformation researcher, granted anonymity to allow them to speak freely without fear of retaliation, looked at a sample of the accounts highlighted by Antibot4Navalny. “Most accounts had multiple signs of inauthenticity,” the former staff member says, pointing out that their analysis was done using public-facing data, and only X would be able to make “hard findings” based on technical data available to the company. The former staff member says the accounts had repeated behavior in reposts and “inconsistent or clearly falsified” personal information. “There was a spectrum for how realistically or well chosen an account's profile pic is,” they say, with some profile images being pulled from elsewhere online.

Martin Innes, codirector of the Security Crime and Intelligence Innovation Institute at Cardiff University, who has led international disinformation research, reviewed a sample of the data with colleagues. He also says there are multiple signs that the accounts may not be genuine. “The accounts examined are newly created, in the main during the period of the Ukraine-Russia war, and exhibit behavior designed to target and polarize opinion, and gain popularity through interaction with larger accounts, many of which represent popular media outlets,” Innes says.

Innes and the Cardiff University researchers say the accounts often have low or zero follower numbers, a lack of identifiable personal details, mostly just reply to other accounts’ posts, and produce anti-Ukraine and anti-Zelensky messaging, which mirror wider Russian narratives. Russia has long used social media to impact politics and divide opinions. In September, an EU report concluded that the “reach and influence” of Kremlin-backed accounts on social media had increased in 2023, particularly highlighting X.

“Since the acquisition of Twitter/X by Musk, there have been a series of policy decisions that any expert in the field of misinformation or disinformation would tell you were bad decisions,” the former Twitter staff member says. They point to X removing labels for accounts funded by governments and firing teams working on disinformation. At the same time, Russian propaganda has also focused on influencing African nations.

Kyle Walter, head of research at misinformation- and disinformation-analysis company Logically, says Musk's account has been targeted in the past, in particular with crypto scams. Walter also reviewed the accounts highlighted by Antibot4Navalny and says they appear to be inauthentic. The claims about Musk supporting Russia have “existed for a while,” Walter says. Throughout Russia’s full-scale invasion of Ukraine, which began in February 2022, Musk’s Starlink satellite internet company has provided crucial internet connections to Ukrainian forces for free and has been praised by its politicians. He was criticized last month over a decision not to allow Starlink’s use around Crimea, the Ukrainian peninsula annexed by Russia in 2014.

When it comes to the Musk posts, the Antibot4Navalny researcher says the accounts could have been looking to boost Russian propaganda talking points or to “create an illusion” for those browsing replies to Musk’s tweet that people support the message. Replying to large accounts like Musk’s has the potential to reach a wider audience, the research says.

Logically’s Walter says that it is a critical time for social media platforms as they head toward a slate of elections in 2024—including those in the US, Canada, UK, India, and the European Union. “Bad actors are testing different tactics, testing different capabilities,” Walter says. “You'll often see a lot of these kinds of unsuccessful campaigns where they're not really getting any engagement, not really getting any views on the content, but it's helping them calibrate their kind of broad efforts for future instances.”

Elon Musk Mocked Ukraine, and Russian Trolls Went Wild

Thousands of child abuse images are being created with AI. New images of old victims are appearing, as criminals trade datasets.

A horrific new era of ultrarealistic, AI-generated, child sexual abuse images is now underway, experts warn. Offenders are using downloadable open source generative AI models, which can produce images, to devastating effects. The technology is being used to create hundreds of new images of children who have previously been abused. Offenders are sharing datasets of abuse images that can be used to customize AI models, and they’re starting to sell monthly subscriptions to AI-generated child sexual abuse material (CSAM).

The details of how the technology is being abused are included in a new, wide-ranging report released by the Internet Watch Foundation (IWF), a nonprofit based in the UK that scours and removes abuse content from the web. In June, the IWF said it had found seven URLs on the open web containing suspected AI-made material. Now its investigation into one dark web CSAM forum, providing a snapshot of how AI is being used, has found almost 3,000 AI-generated images that the IWF considers illegal under UK law.

The AI-generated images include the rape of babies and toddlers, famous preteen children being abused, as well as BDSM content featuring teenagers, according to the IWF research. “We’ve seen demands, discussions, and actual examples of child sex abuse material featuring celebrities,” says Dan Sexton, the chief technology officer at the IWF. Sometimes, Sexton says, celebrities are de-aged to look like children. In other instances, adult celebrities are portrayed as those abusing children.

While reports of AI-generated CSAM are still dwarfed by the number of real abuse images and videos found online, Sexton says he is alarmed at the speed of the development and the potential it creates for new kinds of abusive images. The findings are consistent with other groups investigating the spread of CSAM online. In one shared database, investigators around the world have flagged 13,500 AI-generated images of child sexual abuse and exploitation, Lloyd Richardson, the director of information technology at the Canadian Centre for Child Protection, tells WIRED. “That's just the tip of the iceberg,” Richardson says.

A Realistic Nightmare

The current crop of AI image generators—capable of producing compelling art, realistic photographs, and outlandish designs—provide a new kind of creativity and a promise to change art forever. They’ve also been used to create convincing fakes, like Balenciaga Pope and an early version of Donald Trump’s arrest. The systems are trained on huge volumes of existing images, often scraped from the web without permission, and allow images to be created from simple text prompts. Asking for an “elephant wearing a hat” will result in just that.

It’s not a surprise that offenders creating CSAM have adopted image-generation tools. “The way that these images are being generated is, typically, they are using openly available software,” Sexton says. Offenders whom the IWF has seen frequently reference Stable Diffusion, an AI model made available by UK-based firm Stability AI. The company did not respond to WIRED’s request for comment. In the second version of its software, released at the end of last year, the company changed its model to make it harder for people to create CSAM and other nude images.

Sexton says criminals are using older versions of AI models and fine-tuning them to create illegal material of children. This involves feeding a model existing abuse images or photos of people’s faces, allowing the AI to create images of specific individuals. “We’re seeing fine-tuned models which create new imagery of existing victims,” Sexton says. Perpetrators are “exchanging hundreds of new images of existing victims” and making requests about individuals, he says. Some threads on dark web forums share sets of faces of victims, the research says, and one thread was called: “Photo Resources for AI and Deepfaking Specific Girls.”

The AI-Generated Child Abuse Nightmare Is Here

Though often viewed as the “crown jewel” of the US intelligence community, fresh reports of abuse by NSA employees and chaos in the US Congress put the tool's future in jeopardy.

A federal law authorizing a vast amount of the United States military’s foreign intelligence collection is set to expire in two months, pulling the plug on history’s most prolific eavesdropping operation and the primary means by which US spies intercept the private communications of people deemed threatening, or simply interesting, by the US government—the world’s foremost surveillant.

The US National Security Agency (NSA) relies heavily on the statute, Section 702 of the Foreign Intelligence Surveillance Act, when compelling the cooperation of communications giants that oversee huge swaths of the world’s internet traffic, intercepting hundreds of millions of phone calls and email messages each year, and eavesdropping on the personal conversations of targeted foreign individuals and anyone else, including Americans, unfortunate enough to be caught in their orbit.

As of now, members of Congress have introduced exactly zero bills to prevent Section 702 from sunsetting on January 1, 2024, even though many—perhaps a majority—view this intelligence “crown jewel” as fundamental to the national defense; a flawed but fixable law. The Democrats, who control the Senate, are not blameless in stalling the reauthorization, with more than a handful vying to ensure its renewal is contingent on new rules that force the government to get a warrant before weaponizing the data against its own citizens. The internal conflict roiling the Republican Party, many of whose members share in the desire to rein in the government’s domestic surveillance capabilities, is nevertheless the biggest factor forestalling a compromise, particularly following the removal of Kevin McCarthy as House speaker earlier this month.

The US intelligence community is not without blame. A litany of reported errors, ethical violations, and at least some criminal activity bearing the telltale signs of having been swept under the rug have gone a long way in validating the concerns of Section 702’s biggest detractors: Privacy defenders on both sides of the aisle who share common ground with political allies of Donald Trump, a wellspring of animosity when it comes to military and intelligence leaders—officials routinely peppered from the right with allegations of partisanship and other “treasonous things.”

A US report published in September by an independent government privacy watchdog describes a number of new “noncompliant” uses of raw Section 702 data by analysts at the NSA, an agency where military and civilian employees have been caught repeatedly abusing classified intel for personal, and even sexual, reasons. Issued by the Privacy and Civil Liberties Oversight Board (PCLOB), a body effectively commandeered by Congress in 2005 in an effort to help gauge the scope of the explosion in surveillance after 9/11, the report adds to a decade’s worth of documented surveillance abuses.

_The Wall Street Journal_ first reported in 2013 amid the exploding Edward Snowden scandal that NSA staff had been caught on numerous occasions spying on what the paper called “love interests.” The phenomenon is common enough at the agency to receive its own internal designation: “LOVEINT,” a portmanteau of “love” and “intelligence,” abbreviated in the style of actual surveillance disciplines such SIGINT and HUMINT (“signals” and “human” intelligence, respectively.)

Senator Dianne Feinstein, who died who on September 29 at the age of 90, had defended the NSA following the report, referring to the violations as “isolated,” occurring only roughly, she said, once a year. The _Journal_ noted, meanwhile, that nearly all of the known violations had been self-reported, likely by employees fearful of failing a polygraph exam.

The term “LOVEINT” implies a degree of harmlessness, the misguided acts of a hopeless romantic or a jilted lover. Yet it signifies behavior that is by any modern definition equivalent to stalking. That it received this designation at all seemingly suggests that the abuse is constant enough to border on systemic. The watchdog report released last month by the PCLOB notes that, in 2022, one NSA analyst twice conducted queries on people they’d met “through an online dating service,” showing that despite years of procedures developed to protect against such incidents, the temptation to abuse the most expansive surveillance tool in history for personal gain remains too enticing a prospect for some.

“The US government’s incredible surveillance powers are intended to keep Americans safe from global threats, but we’ve seen time and again how officials have misused this authority at the expense of Americans’ civil liberties,” US senator Chuck Grassley, a Republican from Iowa, tells WIRED. “Instead of aiming this tool at terrorists and international criminals, some have put their political rivals and even love interests in the crosshairs.” The intelligence community’s continued access to the 702 data hinges, in part, on its ability to demonstrate that it can cooperate with oversight attempts, Grassley says, and send an “unequivocal message that abuses will be met with steep consequences.”

While any substantive detail about past 702 violations remains obscured by conditions of secrecy, what can be gleaned from unclassified reports about the “consequences” facing NSA staff for stalking is not encouraging. A 2013 letter from the NSA’s then-top internal watchdog, George Ellard, for instance, described years’ worth of abuses that coincide and even predate the existence of Section 702, which Congress passed in 2008 in an effort to legalize the widespread wiretapping of calls already going in and out of the US, as well as immunize telecommunications companies like AT&T, which was revealed early on to be eagerly cooperating with the government’s demands.

Ellard’s letter, combined with more recent abuse disclosures, paints a picture of an agency that discovers surveillance abuses mainly when its employees self-report them, often to avoid trouble during or in advance of a polygraph test. Violators are often on their way out the door, presumably bound for the private sector, or are otherwise given the option to retire rather than face any real consequences for their actions. Numerous civilian employees at the NSA have admitted to wiretapping the phones of romantic partners, yet it's clear that many escaped punishment by quitting the agency before investigations into their conduct were earnestly underway.

In one of the most egregious cases, predating the 702 program by several years, an NSA employee admitted to wiretapping nine phone numbers belonging to women. Like with other offenses, Ellard noted in his letter—made public by Grassley several years ago—that the employee had “resigned before discipline had been proposed.” (Incidentally, Ellard’s decade as the NSA inspector general came to an unceremonious end following allegations that he’d retaliated against an agency whistleblower.)

Only US service members with access to raw 702 data appear to have been held accountable to some degree, almost certainly because they were unable, due to the terms of their service, to walk away from their jobs. A member of a “tactical military unit,” for instance, was demoted and docked one month’s pay after searching the classified database for communications belonging to his wife, while another’s access was cut after the NSA discovered they’d been eavesdropping on random people’s phone calls, purportedly to learn the language the victims were speaking.

Section 702, which last year targeted more than 246,000 “non-US persons,” permits the NSA to collect both text and audio of communications belonging to Americans, even when they are not the target of an investigation or suspected of foreign or criminal ties. These communications are “highly personal and sensitive, capturing exchanges with loved ones, friends, medical providers, academic adviseors, lawyers, or religious leaders,” according to the oversight authorities; capable of providing “great insight into an individual’s whereabouts, both in a given moment and in patterns over time.” While the communications of Americans captured as part of Section 702 surveillance may be subject to “minimization” procedures down the line, they are nevertheless stored in a “raw” or unredacted format and can be viewed with the help of a Google Search-like interface.

It's unclear how many government employees can access Section 702 data, but US lawmakers have offhandedly estimated the figure to be upwards of 10,000 people. This includes many employed by the Federal Bureau of Investigation, where the process of accessing the database remains practically free from judicial review. Under its own procedures, the FBI may conduct searches of the 702 database without probable cause so long as it believes it is “reasonably likely” to retrieve evidence of a crime—the legal equivalent of a hunch. According to a 2016 memorandum authored by the secretive Foreign Intelligence Surveillance Court, the FBI has at times failed to abide by what are already notably loose restrictions on using 702 for the purpose of acquiring communications protected by attorney-client privilege. The FBI's own procedures have long permitted agents to search the 702 database for correspondence between US citizens and their attorneys, as well as disseminate that information internally, provided the target of the search has not been charged with a crime.

While the NSA refers to the communications of Americans captured under Section 702 as having been collected “incidentally”—the statute authorizes only the “targeting” of “non-US persons reasonably believed to be located outside the United States”—it is important to note that the word “incidental” does not mean “by mistake.” It is merely accepted that each year, as a cost of doing business, the NSA will “inevitably” intercept the calls and messages of an unknown but “substantial” number of Americans.

This collection may be best understood as occurring not in error but as collateral surveillance, defended by the government under an ever-expanding list of national security threats: terrorism, first and foremost; then cyberattacks launched by hostile foreign actors; and today, finally, the illicit trafficking of fentanyl from sources in China.

Since the enactment of Section 702 some 15 years ago, US intelligence chiefs have claimed that it would be impossible to provide any clear metrics regarding just how many Americans are “incidentally” eavesdropped on each year. Ironically, it is the sheer amount of surveillance conducted by the NSA that is blamed for obscuring its impact on Americans’ civil liberties. “We do not yet know the scope of incidental collection,” this year’s PCLOB report states. But it should not be understood as “occurring infrequently,” it says, nor as an “inconsequential part of the Section 702 program.”

A Powerful Tool US Spies Misused to Stalk Women Faces Its Potential Demise

An EU government body is pushing a proposal to combat child sexual abuse material that has significant privacy implications. Its lead advocate is making things even messier.

Danny Mekić, an Amsterdam-based PhD researcher, was studying a proposed European law meant to combat child sexual abuse when he came across a rather odd discovery. All of a sudden, he started seeing ads on X, formerly Twitter, that featured young girls and sinister-looking men against a dark background, set to an eerie soundtrack. The advertisements, which displayed stats from a survey about child sexual abuse and online privacy, were paid for by the European Commission.

Mekić thought the videos were unusual for a governmental organization and decided to delve deeper. The survey findings highlighted in the videos suggested that a majority of EU citizens would support the scanning of all their digital communications. Following closer inspection, he discovered that these findings appeared biased and otherwise flawed. The survey results were gathered by misleading the participants, he claims, which in turn may have misled the recipients of the ads; the conclusion that EU citizens were fine with greater surveillance couldn’t be drawn from the survey, and the findings clashed with those of independent polls.

The micro-targeting ad campaign categorized recipients based on religious beliefs and political orientation criteria—all considered sensitive information under EU data protection laws—and also appeared to violate X’s terms of service. Mekić found that the ads were meant to be seen by select targets, such as top ministry officials, while they were concealed from people interested in Julian Assange, Brexit, EU corruption, Eurosceptic politicians (Marine Le Pen, Nigel Farage, Viktor Orban, Giorgia Meloni), the German right-wing populist party AfD, and “anti-Christians.”

Mekić then found out that the ads, which have garnered at least 4 million views, were only displayed in seven EU countries: the Netherlands, Sweden, Belgium, Finland, Slovenia, Portugal, and the Czech Republic.

At first, Mekić could not figure out the country selection, he tells WIRED, until he realized that neither the timing nor the purpose of the campaign was accidental. The Commission’s campaign was launched a day after the EU Council met without securing sufficient support for the proposed legislation Mekić had been studying, and the targeted counties were those that did not support the draft.

The legislation in question is a controversial proposal by the EU Commission known as Chat Control or CSA Regulation (CSAR) that would obligate digital platforms to detect and report any trace of child sexual abuse material on their systems and in their users’ private chats, covering platforms such as Signal, WhatsApp, and other messaging apps. Digital rights activists, privacy regulators, and national governments have strongly criticized the proposal, which the European data protection supervisor (EDSR) Wojciech Wiewiorowski said would amount to “crossing the Rubicon” in terms of mass surveillance of EU citizens.

“I think it is fair to say that this was an attempt to influence public opinion in countries critical of the indiscriminate scanning of all digital communications of all EU citizens and to put pressure on the negotiators of these countries to agree to the legislation,” says Mekić. “If the European Commission, a significant institution in the EU, can engage in targeted disinformation campaigns, it sets a dangerous precedent.”

The Dutch researcher’s find adds to the controversy surrounding the Commission, which has recently come under fire due to allegations that certain AI firms and advocacy groups with significant financial backing have had a notable level of influence over the shaping of CSAR—allegations that lead Commissioner Ylva Johansson countered, asserting that she had committed no wrongdoing. Johansson’s office did not respond to WIRED’s request for comment.

“There’s an inexplicable obsession with this file \[CSAR\] in the Commission. I don’t know where that comes from,” EU lawmaker Sophie in ’t Veld told WIRED after she submitted a priority parliamentary question on the case. “Why are they doing \[the campaign\] while the legislative process is still ongoing?”

As the pressure on the Commission has been mounting, Johansson lashed out against the influential civil rights nonprofit European Digital Rights, one of the strongest critics of the legislation and a defender of end-to-end encryption. She referred to its funding from Apple, suggesting EDRi was laundering the company’s talking points. “Apple was accused of moving encryption keys to China, which critics say could endanger customer data. Yet no one asks if these are strange bedfellows, no one assumes Apple is drafting EDRI’s speaking points,” she noted in a Commission blog on October 13.

Referring to EDRi’s independence and transparent funding processes, senior policy adviser Ella Jakubowska tells WIRED: “Attempts to delegitimize civil society suggest a worrying effort to silence critical voices, in line with broader trends of shrinking civic space. When both the content and the process regarding this law are so troubling, we need to ask how the European Commission allowed it to reach this point.”

Adding to the Commission’s conspicuous ad campaign, Mekić’s discovery came on the same day the European Commission formally sent X a request for information under the Digital Services Act, the sweeping EU digital disinformation law, following indications of “spreading of illegal content and disinformation” on the platform.

“The Commission’s ability to enforce the DSA could be undermined if their own services are willing to flagrantly disregard these rules. Whilst the DSA is supposed to rein in the power of big tech, the CSA Regulation would force digital service providers to become a privatized police force in all our online chats, emails, and messages,” says Jakubowska. “It’s hard to see how these regimes can coexist or more broadly, how the EU can uphold fundamental human rights if it passes a law which could violate the essence of certain rights.”

The votes in the European Parliament and EU Council are still pending. “The Commission seems to forget its own role here: It is not a legislator. It only has the prerogative of proposing legislation,” says in ’t Veld. “It has no business interfering in the internal debate, neither in the Council nor in the European Parliament. The Commission is completely out of bounds here.”

Commenting on the negotiations, the outcome of which remains uncertain, EDRi’s Jakubowska observed that “it is reassuring to see that many lawmakers are alert to just how terrifying it would be for the EU to endorse a proposal that in essence amounts to distributed spyware on everyone’s devices.”

As far as the contested ad campaign is concerned, Wiewiorowski, the European data protection supervisor, initiated a pre-investigation requesting from the Commission “information related to the described use of microtargeted ads,” with a response due by the end of last week. Wiewiorowski’s office declined WIRED’s request to comment on the potential for a formal investigation.

Ironically, Danny Mekić now believes he’s been shadowbanned by X, alongside other journalists, scientists, and researchers who have been critical of CSAR. X did not respond to WIRED’s request for comment.

“I haven’t received any response from X,” Mekić says. “Steps are currently being taken to find out what caused this and whether it was an algorithmic or human decision or whether it was done at the request of so-called trusted flaggers—such as, for example, the European Commission itself, or one of the organizations involved in the CSAR lobby.”

A Controversial Plan to Scan Private Messages for Child Abuse Meets Fresh Scandal

Stefan Thomas lost the password to an encrypted USB drive holding 7,002 bitcoins. One team of hackers believes they can unlock it—if they can get Thomas to let them.

At 9:30 am on a Wednesday in late September, a hacker who asked to be called Tom Smith sent me a nonsensical text message: “query voltage recurrence.”

Those three words were proof of a remarkable feat—and potentially an extremely valuable one. A few days earlier, I had randomly generated those terms, set them as the passphrase on a certain model of encrypted USB thumb drive known as an IronKey S200, and shipped the drive across the country to Smith and his teammates in the Seattle lab of a startup called Unciphered.

Unciphered’s staff in the company’s Seattle lab.

Photograph: Meron Menghistab

Smith had told me that guessing my passphrase might take several days. Guessing it at all, in fact, should have been impossible: IronKeys are designed to permanently erase their contents if someone tries just 10 incorrect password guesses. But Unciphered's hackers had developed a secret IronKey password-cracking technique—one that they've still declined to fully describe to me or anyone else outside their company—that gave them essentially infinite tries. My USB stick had reached Unciphered’s lab on Tuesday, and I was somewhat surprised to see my three-word passphrase texted back to me the very next morning. With the help of a high-performance computer, Smith told me, the process had taken only 200 trillion tries.

Smith’s demonstration was not merely a hacker party trick. He and Unciphered’s team have spent close to eight months developing a capability to crack this specific, decade-old model of IronKey for a very particular reason: They believe that in a vault in a Swiss bank 5,000 miles to the east of their Seattle lab, an IronKey that's just as vulnerable to this cracking technique holds the keys to 7,002 bitcoins, worth close to $235 million at current exchange rates.

For years, Unciphered's hackers and many others in the crypto community have followed the story of a Swiss crypto entrepreneur living in San Francisco named Stefan Thomas, who owns this 2011-era IronKey, and who has lost the password to unlock it and access the nine-figure fortune it contains. Thomas has said in interviews that he's already tried eight incorrect guesses, leaving only two more tries before the IronKey erases the keys stored on it and he loses access to his bitcoins forever.

Screens in Unciphered’s lab show a microscopic image of the layout of the IronKey’s controller chip (left) and a CT scan of the drive.

Photograph: Meron Menghistab

Now, after months of work, Unciphered's hackers believe they can open Thomas' locked treasure chest, and they're ready to use their secret cracking technique to do it. “We were hesitant to reach out to him until we had a full, provable, reliable attack,” says Smith, who asked WIRED not to reveal his real name due to the sensitivities of working with secret hacking techniques and very large sums of cryptocurrency. “Now we’re in that place.”

The only problem: Thomas doesn't seem to want their help.

Earlier this month, not long after performing their USB-decrypting demonstration for me, Unciphered reached out to Thomas through a mutual associate who could vouch for the company’s new IronKey-unlocking abilities and offer assistance. The call didn't even get as far as discussing Unciphered's commission or fee before Thomas politely declined.

Thomas had already made a “handshake deal” with two other cracking teams a year earlier, he explained. In an effort to prevent the two teams from competing, he had offered each a portion of the proceeds if either one could unlock the drive. And he remains committed, even a year later, to giving those teams more time to work on the problem before he brings in anyone else—even though neither of the teams has shown any sign of pulling off the decryption trick that Unciphered has already accomplished.

That has left Unciphered in a strange situation: It holds what is potentially one of the most valuable lockpicking tools in the cryptocurrency world, but with no lock to pick. “We cracked the IronKey,” says Nick Federoff, Unciphered's director of operations. “Now we have to crack Stefan. This is turning out to be the hardest part.”

In an email to WIRED, Thomas confirmed that he had turned down Unciphered's offer to unlock his encrypted fortune. “I have already been working with a different set of experts on the recovery so I'm no longer free to negotiate with someone new,” Thomas wrote. “It's possible that the current team could decide to subcontract Unciphered if they feel that's the best option. We'll have to wait and see.” Thomas declined to be interviewed or to comment further.

A Very Valuable, Worthless USB Stick

In past interviews, Thomas has said that his 7,002 bitcoins were left over from a payment he received for making a video titled “What is Bitcoin?” that published on YouTube in early 2011, when a bitcoin was worth less than a dollar. Later that year, he told WIRED that he'd inadvertently erased two backup copies of the wallet that held those thousands of coins, and then lost the piece of paper with the password to decrypt the third copy, stored on the IronKey. By then, his lost coins were worth close to $140,000. “I spent a week trying to recover it,” he said at the time. “It was pretty painful.”

In the 12 years since, the value of the inaccessible coins on Thomas' IronKey has at times swelled to be worth nearly half a billion dollars, before settling to its current, still-staggering price. In January 2021, as Bitcoin began to approach its peak exchange rate, Thomas described to _The New York Times_ the angst that his long-lost hoard had caused him over the years. “I would just lay in bed and think about it,” he said. “Then I would go to the computer with some new strategy, and it wouldn’t work, and I would be desperate again.”

Around that same time in 2021, a team of cryptographers and white-hat hackers founded Unciphered with the goal of unlocking exactly the sort of vast, frozen funds that many unlucky crypto holders like Thomas have long since given up on. At the time of Unciphered’s official launch, the cryptocurrency tracing firm Chainalysis estimated the total sum of those forgotten wallets across blockchains to be worth $140 billion. Unciphered says it has since successfully helped clients open locked wallets worth “many millions” of dollars—often through novel cryptographic vulnerabilities or software flaws it has discovered in cryptocurrency wallets—though nothing close to the size of Thomas' IronKey stash.

A deconstructed IronKey inside of Unciphered’s laser cutting tool.

Photograph: Meron Menghistab

Only around the beginning of 2023 did Unciphered begin to hunt for potential avenues to unlock Thomas' IronKey prize. Smith says that they quickly started to see hints that the IronKey's manufacturer, which was sold to storage hardware firm iMation in 2011, had left them some potential openings. “We were seeing little bits and pieces,” Smith says. “Like, this looks a little sloppy, or this looks not quite like how someone should be doing things.” (Kingston Storage, which now owns IronKey, didn’t respond to WIRED’s request for comment.)

Even a decade-old IronKey is a daunting target for hackers. The USB stick, whose development was funded in part by the United States Department of Homeland Security, is FIPS-140-2 Level 3 certified, meaning it's tamper-resistant and its encryption is secure enough for use by military and intelligence agencies for classified information. But emboldened by the few hints of security flaws they'd found—and still with no participation from Thomas—Unciphered's founders decided to take on the project of cracking it. “If there is an Everest to attempt, this is it,” Federoff remembers telling the team. The company's founders would eventually pull together a group of around 10 staffers and outside consultants, several of whom had backgrounds at the National Security Agency or other three-letter government agencies. They called it Project Everest.

A $235 Million Treasure Hunt

One of their first moves was to determine the exact model of IronKey that Thomas must have used, based on timing and a process of elimination. Then they bought the entire supply of that decade-plus-old model that they could find available for sale online, eventually amassing hundreds of them in their lab.

To fully reverse engineer the device, Unciphered scanned an IronKey with a CT scanner, then began the elaborate surgery necessary to deconstruct it. Using a precise laser cutting tool, they carved out the Atmel chip that serves as the USB stick's “secure enclave” holding its cryptographic secrets. They bathed that chip in nitric acid to “decap” it, removing the layers of epoxy designed to prevent tampering. They then began to polish down the chip, layer by layer, with an abrasive silica solution and a tiny spinning felt pad, removing a fraction of a micron of material from its surface at a time, taking photos of each layer with either optical microscopes or scanning electron microscopes, and repeating the process until they could build a full 3D model of the processor.

Because the chip's read-only memory, or ROM, is built into the layout of its physical wiring for better efficiency, Unciphered's visual model gave it a head start toward deciphering much of the logic of the IronKey's cryptographic algorithm. But the team went much further, attaching tenth-of-a-millimeter gauge wires to the secure element’s connections to “wiretap” the communications going into and out of it. They even tracked down engineers who had worked on the Atmel chip and another microcontroller in the IronKey that dated back to the 1990s to quiz them for details about the hardware. “It felt very much like a treasure hunt," says Federoff. “You’re following a map that’s faded and coffee-stained, and you know there’s a pot of gold at the end of a rainbow, but you have no idea where that rainbow’s leading.”

That cracking process culminated in July, when Unciphered's team gathered at an Airbnb in San Francisco. They describe standing around a table covered with millions of dollars’ worth of lab equipment when a member of the team read out the contents of a decrypted IronKey for the first time. “What just happened?” Federoff asked the room. “We just summited Everest,” said Unciphered's CEO, Eric Michaud.

Unciphered still won't reveal its full research process, or any details of the technique it ultimately found for cracking the IronKey and defeating its “counter” that limits password guesses. The company argues that the vulnerabilities they discovered are still potentially too dangerous to be made public, given that the model of IronKeys it cracked are too old to be patched with a software update, and some may still store classified information. “If this were to leak somehow, there would be much bigger national security implications than a cryptocurrency wallet,” Federoff says.

The team notes that the final method they developed doesn't require any of the invasive or destructive tactics that they used in their initial research. They've now unlocked 2011-era IronKeys—without destroying them—more than a thousand times, they say, and unlocked three IronKeys in demonstrations for WIRED.

Cryptic Contracts

None of that, however, has gotten them any closer to persuading Stefan Thomas to let them crack _his_ IronKey. Unciphered’s hackers say they learned from the intermediary who contacted Thomas on their behalf that Thomas has already been in touch with two other potential players in the crypto- and hardware-hacking world to help unlock his USB stick: the cybersecurity forensics and investigations firm Naxo, and the independent security researcher Chris Tarnovsky.

Naxo declined WIRED’s request to comment. But Chris Tarnovsky, a renowned chip reverse engineer, confirmed to WIRED that he had a “meet-and-greet” call with Thomas in May of last year. Tarnovsky says that, in the meeting, Thomas had told him that if he could successfully unlock the IronKey, he would be "generous," but didn't specify a fee or commission. Since then, Tarnovsky says that he has done very little work on the project, and that he has essentially been waiting for Thomas to start paying him on a monthly basis for initial research. "I want Stefan to cough up some money up front," says Tarnovsky. “It's a lot of work, and I need to worry about my mortgage and my bills.”

But Tarnovsky says he hasn't heard from Thomas since that first call. “Nothing came out of it,” he says. “It's weird.”

Unciphered’s director of operations Nick Federoff.

Photograph: Meron Menghistab

Unciphered's team remains skeptical about Naxo’s progress and whether it’s any further along than Tarnovsky. There are only a small number of hardware hackers capable of the reverse engineering necessary to crack the IronKey, they argue, and none appear to be working with Naxo. As for Thomas' suggestion that they could subcontract to Naxo or another team working on the project, Unciphered's Federoff says he won't rule it out, but argues it doesn't make sense when Unciphered alone can crack the IronKey. “Based on what we know, we don't see any benefit to anyone in going that route,” Federoff says.

Thomas, meanwhile, seems to display an unusual lack of urgency in unlocking his $235 million, and has offered only vague hints about why he has yet to reveal any progress toward that goal. “When you're dealing with so much money, everything takes forever,” he told the _Thinking Crypto_ podcast in an interview over the summer. “The person you're working with, you need some contract with them, and that contract needs to be rock solid, because if there's some issue with the contract, there's suddenly hundreds of millions of dollars at stake.”

To potentially accelerate that cryptic contract process, Unciphered plans to publish an open letter to Thomas and a video in the coming days designed to persuade—or pressure—Thomas into working with them. But Federoff concedes that it's possible Thomas doesn't actually care about the money: In its piece about his locked coins in 2021, _The New York Times_ wrote that Thomas already had “more riches than he knows what to do with,” thanks to other crypto ventures.

Federoff notes that it's impossible to know for certain what Thomas' IronKey holds. Maybe the keys to the 7,002 bitcoins are held elsewhere, or gone altogether.

He says Unciphered is still hopeful. But the team is also ready to move on if Thomas won't work with them. There are, after all, other locked wallets out there for the company to crack. And the decision of whether and how to unlock this particular USB drive's riches will ultimately fall to its owner alone. “It's incredibly frustrating,” says Federoff. “But when you're dealing with people, that's always the most complex part. Code doesn't change unless you tell it to. Circuitry doesn't either. But humans are incredibly unpredictable creatures.”

They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird

Hamas has threatened to broadcast videos of hostage executions. With the war between Israel and Hamas poised to enter a new phase, are social platforms ready?

For the past decade, social media platforms have struggled to stop the spread of extremist violence livestreamed on their platforms. Now they face a much different problem: This time, they know what’s coming.

In the days after Hamas attacked Israel on October 7, the group’s military wing said it would kill an Israeli hostage every time Israel launched an attack on Gaza. Abu Obeida, a spokesperson for the al-Qassam Brigades, added that these executions would be broadcast “in audio and video.” As of today, Hamas is holding 220 people hostage, according to the Israel Defense Forces.

Amid the October 7 attack, one person livestreamed footage showing Hamas fighters murdering Israeli citizens—a clip of which was later shared by Donald Trump Jr. on X. And in the days after the attack, Hamas hijacked the accounts of those hostages on platforms like Facebook and Instagram to livestream attacks and issue death threats.

In response, tech companies appeared to take things seriously.

Meta launched a “special operations center” to track content on Facebook, Instagram, and Threads. TikTok activated its “command center.” X (formerly Twitter) mobilized its “cross-company leadership group.” YouTube activated its “intelligence desk.” And Reddit tells WIRED its “safety team” is on alert.

But when WIRED asked for specific details about how they are going to prevent bad actors from weaponizing the platforms’ livestreaming capabilities, none of the companies offered any specific details, instead pointing to their general online guidance about livestreaming policies, if they responded at all. For example, Meta directed WIRED to a 2019 blog post from chief information security officer Guy Rosen about how the company was planning to curb the use of its livestream products in the wake of the Christchurch massacre, during which a gunman killed 51 people at a mosque in New Zealand in March of that year.

Despite the press releases indicating all-hands-on-deck attention to the livestreaming problem, industry experts say social media companies are showing a lack of transparency and an unwillingness to take the measures needed to prevent execution videos from spreading on their platforms, such as suspending livestreaming capabilities completely during the Israel-Hamas war.

“Hamas’ threats to execute these people on livestreams is happening because it’s possible for them to broadcast it,” Imran Ahmed, the founder and CEO of Center for Countering Digital Hate, a nonprofit that tracks hate speech on social platforms, tells WIRED. “They’re doing this for the spectacle because it terrorizes us. If we took away their ability to generate that spectacle, would they be doing this? What comes first, the livestream or the execution?”

Ahmed alleges that the companies are failing to implement systems that automatically detect violent extremist content as effectively as they detect some other kinds of content. “If you have a snatch of copyrighted music in your video, their systems will detect it within a microsecond and take it down,” Ahmed says, adding that “the fundamental human rights of the victims of terrorist attacks” should carry as much urgency as the “property rights of music artists and entertainers.”

The lack of details about how social platforms plan to curb the use of livestreams is, in part, because they are concerned about giving away too much information, which may allow Hamas, Palestinian Islamic Jihad (PIJ), and other militant groups or their supporters to circumvent the measures that are in place, an employee of a major platform who was granted anonymity because they are not authorized to speak publicly claimed in a communication with WIRED.

Adam Hadley, founder and executive director of Tech Against Terrorism, a United Nations-affiliated nonprofit that tracks extremist activity online, tells WIRED that while maintaining secrecy around content moderation methods is important during a sensitive and volatile conflict, tech companies should be more transparent about how they work.

“There has to be some degree of caution in terms of sharing the details of how this material is discovered and analyzed,” Hadley says. “But I would hope there are ways of communicating this ethically that don’t tip off terrorists to detection methods, and we would always encourage platforms to be transparent about what they’re doing.”

The social media companies say their dedicated teams are working around the clock right now as they await the launch of Israel’s expected ground assault in Gaza, which Hadley believes could trigger a spate of hostage executions.

And yet, for all of the time, money, and resources these multibillion-dollar companies appear to be putting into tackling this potential crisis, they are still reliant on Tech Against Terrorism, a tiny nonprofit, to alert them when new content from Hamas or PIJ, another paramilitary group based in Gaza, is posted online.

Hadley says his team of 20 typically knows about new terrorist content before any of the big platforms. So far, while tracking verified content from Hamas’ military wing or the PIJ, Hadey says the volume of content on the major social platforms is “very low.”

“Examples that we can find on large platforms of that official content are in the thousands, so not a lot of examples, compared with significantly more on Telegram,” Hadley says. “We are sharing alerts to 60 platforms who have been implicated with \[Hamas\] and PIJ content to date, but very low volumes are present.”

Hamas is banned on Facebook, Instagram, YouTube, and TikTok, so it has typically not used these mainstream platforms to any great extent, though X said earlier this month that it had removed hundreds of Hamas-affiliated accounts. Instead, Hamas prefers to use Telegram.

“Because the use of Telegram is so widespread and simple, we will assume they will continue to do this because terrorists prioritize platforms they can use most easily,” Hadley says, “and why would they bother with anything other than Telegram?”

Meta, X, and YouTube collaborate to share information about what they are seeing on the platforms. Telegram does not take part in such partnerships. While it has blocked some channels in certain jurisdictions, Telegram has typically taken a hands-off approach to content moderation, meaning Hamas and related groups have been mostly free to post whatever content they like on its platform.

Telegram did not respond to WIRED’s questions about how it would deal with execution videos on its platform, nor did X or Twitch. Discord declined to provide an on-the-record comment.

While Hadley sees Telegram as the primary concern, mainstream platforms are still at risk of facilitating the spread of this content. Videos can easily be downloaded from Telegram and reposted on any other platform, which is where the mainstream social media networks face the challenge of stopping them.

When asked to provide more details about their efforts, Meta and TikTok directed WIRED to their policy pages outlining the work they are doing to prevent the spread of these videos. YouTube spokesperson Jack Malon tells WIRED that “our teams are working around the clock to monitor for harmful footage across languages and locales.” A Reddit spokesperson says the company has “dedicated teams with linguistic and subject-matter expertise actively monitoring the conflict and continuing to enforce Reddit’s Content Policy across the site.”

One of the key ways that tech companies try to keep violent extremist content from going viral on their platforms is by using what are known as hashing databases. When content from a terrorist organization is identified, it is “hashed” to create a unique identifier that can then be shared among all companies to automatically prevent that video or image from being reshared elsewhere.

The sharing of these hashes and communication around incidents like the Israel-Hamas war are coordinated by the Global Internet Forum to Counter Terrorism (GIFCT), a small team of experts whose mission is to stop tech platforms from being exploited by violent extremists. The group was founded in 2017 by Facebook, Microsoft, X (then Twitter), and YouTube as a way of centralizing and coordinating the sharing of information. Companies like Dropbox, Amazon, Pinterest, and Zoom also provide funding to the group.

GIFCT did not provide a spokesperson to answer WIRED’s questions, but a statement on the group’s website says it is “providing regular situational awareness across member companies and support in addressing content relating to this conflict that violates their platform policies.”

Even when mainstream platforms have access to a shared database of verified terrorist content and centralized communications with experts who are tracking this content closely, they still have a lot of work to do in order to prevent violent videos from spreading on their platforms.

“This will be a big litmus test for the mainstream platforms,” Hadley says. “We would expect their algorithmic systems to be able to detect the \[Hamas\] logo, for instance, and respond accordingly. So actually, we’re quietly confident that those platforms will be alright to handle it. And I would hope that they’ve been training their algorithms in anticipation of this, based on the very large amounts of existing content from \[Hamas and PIJ\]. But unfortunately, we have no insight into that at all.”

The Hamas Threat of Hostage Execution Videos Looms Large Over Social Media

Plus: IT workers secretly funnel money to North Korea, a court in the US upholds keyword search warrants, and WhatsApp gets a passwordless upgrade on Android

With the Israel-Hamas war intensifying by the day, many people are desperate for accurate information about the conflict. Getting it has proven difficult. This has been most apparent on Elon Musk’s X, formerly Twitter, where insiders say even the company’s primary fact-checking tool, Community Notes, has been a source of disinformation and is at risk of coordinated manipulation.

Case in point: An explosion at a hospital in Gaza on Tuesday was followed by a wave of mis- and disinformation around the cause. In the hours following the explosion, Hamas blamed Israel, Israel blamed militants in Gaza, mainstream media outlets repeated both sides’ claims without confirmation either way, and people posing as open source intelligence experts rushed out dubious analyses. The result was a toxic mix of information that made it harder than ever to know what’s real.

On Thursday, the United States Department of the Treasury proposed plans to treat foreign-based cryptocurrency “mixers”—services that obscure who owns which specific coins—as suspected money laundering operations, citing as justification crypto donations to Hamas and the Palestinian Islamic Jihad, a Gaza-based militant group with ties to Hamas that Israel blamed for the hospital explosion. While these types of entities do use mixers, experts say they do so far less than criminal groups linked to North Korea and Russia—likely the real targets of the Treasury’s proposed crackdown.

In Myanmar, where a military junta has been in power for two years, people who speak out against deadly air strikes on social media are being systematically doxed on pro-junta Telegram channels. Some were later tracked down and arrested.

Finally, the online ecosystem of AI-generated deepfake pornography is quickly spiraling out of control. The number of websites specializing in and hosting these faked, nonconsensual images and videos has greatly increased in recent years. With the rise of generative AI tools, creating these images is quick and dangerously easy. And finding them is trivial, researchers say. All you have to do is a quick Google or Bing search, and this invasive content is a click away.

That’s not all. Each week, we round up the security and privacy stories we didn’t cover in-depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The recent theft of user data from genetics testing giant 23andMe may be more expansive than previously thought. On October 6, the company confirmed a trove of user data had been stolen from its website, including names, years of birth, and general descriptions of genetic data. The data related to hundreds of thousands of users of Chinese descent and primarily targeted Ashkenazi Jews. This week, a hacker claiming to have stolen the data posted millions of more records for sale on the platform BreachForums, TechCrunch reports. This time, the hacker claimed, the records pertained to people from the United Kingdom, including “the wealthiest people living in the US and Western Europe on this list.” A 23andMe spokesperson tells The Verge that the company is “currently reviewing the data to determine if it is legitimate.”

According to 23andMe, its systems were not breached. Instead, it said, the data theft was likely due to people reusing passwords on their 23andMe accounts that were exposed in past breaches and then used to access their accounts. If you need some motivation to stop recycling passwords, this is it.

The US Department of Justice on Wednesday said it had uncovered a vast network of IT workers who were collecting paychecks from US-based companies then sending that money to North Korea. The freelance IT workers are accused of sending millions of dollars to Pyongyang, which used the funds to help build its ballistic missile program. While the workers allegedly pretended to live and work in the US, the DOJ says they often lived in China and Russia and took steps to obscure their real identities. According to an FBI official involved in the case, it’s “more than likely” that any freelance IT worker a US company hired was part of the plot.

Searching online may have just gotten a little bit more dangerous. On Monday, a Colorado Supreme Court upheld police use of a so-called keyword search warrant. Using this type of warrant, law enforcement demands companies like Google hand over the identities of anyone who searched for specific information. This is the opposite of how traditional search warrants work, where cops identify a suspect and then use search warrants to obtain information about them.

Keyword search warrants have long been criticized as “fishing expeditions” that violate the US Constitution’s Fourth Amendment rights against unreasonable searches and seizures, because it potentially hands police information about innocent people who searched for a specific term but were not involved in any related crime.

The 23andMe User Data Leak May Be Far Worse Than Believed

Hamas has long touted its military drones, but little is known about the true scale of the threat. The answer may have consequences for people on both sides of the Israel-Gaza border.

When Hamas launched its attacks against Israel on October 7, it unleashed a flood of rockets as cover, while militants streamed through holes in the fence surrounding the Gaza strip. One particular clip released by Hamas, played on news stations the world over, provoked a particular bit of paranoia: video of balaclava-clad Hamas fighters standing in a desert landscape, launching a line of suicide drones.

Amid the terror and chaos, the video seems to underscore a long-held fear that Hamas—with the help of Iranian technology—had developed the ability to conduct air strikes on Israel. What’s more, these drones may prove more adept than Hamas’ supply of rockets at thwarting Israel’s sophisticated Iron Dome air defense system.

Hamas had been building this capacity for some time. In 2022, it touted its drone program with an ominous warning: Israel no longer had a monopoly on its skies. According to Hamas Telegram channels, roughly 40 suicide drones have been fired toward Israel since the war began earlier this month. Yet, besides some undated propaganda videos, there is scant evidence that these drones have actually been deployed against Israel—and, if they have, they don’t appear to have done much damage.

Drone warfare has dramatically altered the dynamics in a number of recent conflicts—from Ukraine to Nagorno-Karabakh to Yemen—but not in the war between Hamas and Israel.

Why? The answer could have significant implications for people on both sides of the Israel-Gaza border.

Since the early 2000s, Hamas, which was elected to lead Gaza’s government in 2006 and has held power ever since, has drastically scaled up its ability to hit targets inside Israel.

The earliest versions of its Qassam rocket were rudimentary: lightweight and capable of traveling just a few miles. In each successive generation of the missile, however, they became bigger, capable of flying farther, and equipped with larger warheads.

Over the past two decades, Hamas and Israel have engaged in a race—Hamas, to develop its offensive capabilities and extend its reach; and Israel, to frustrate those efforts as much as possible.

Like more than 20 non-state actors in conflict zones around the world, Hamas recognized that the drones could substantially upgrade its ability to wage war. Unlike its unguided missiles, which are designed to beat Israel’s air defenses simply by overwhelming them, drones are considerably harder to intercept. They fly low and don’t travel in a predictable, parabolic arch. As a number of countries have recently learned, thwarting an advancing drone—much less a number of them—is a tricky problem to solve.

Unlike Russia or Ukraine, Hamas couldn’t source military drones through an open tender. So it tapped Tunisian-born aerospace engineer Mohamed Zouari to, in the early 2010s, design Hamas’ first fleet of operational drones and stand up an industry to produce them. They called the first model Ababeel1, which was very similar to an Iranian drone and had three different models. One version was designed to conduct surveillance, one to deliver small munitions, and the third was a suicide drone.

Israel began targeting Hamas’ drone program before it even produced results, striking a production facility in 2012. But the program continued.

Around that time, there were ample signs that Hamas’ domestic production capacity had not grown as it had hoped. Small—probably commercial—drones were dispatched into Israel from Gaza in 2012 and 2013, according to reports of a talk by an Israeli air defense official. Israeli jets and anti-air systems soon began to intercept the drones over Israeli airspace. Around 2014, Hamas made headlines after claiming it had penetrated deep into Israeli airspace, flying over Tel Aviv. But analysts say, despite Hamas’ insistence, the drones were not locally made in the Gaza strip: They were likely the Ababil-1, a product of the Iranian drone program.

In 2016, Zouari was assassinated in his hometown of Sfax, Tunisia, in what has been described by Tunisian investigators as a multiyear operation. While Israel did not admit responsibility for the killing, then-defense minister Avigdor Lieberman said only that Israel “will continue to do in the best possible way what we know how to do—that is to protect our interests.” Fadi al-Batsh, who had written papers on drone technology and who Israeli media alleged was part of Hamas’ drone program, was assassinated in 2018. Lieberman suggested that al-Batsh was killed as part of a “settling of scores among terrorist organizations.” In January 2022, the Hamas-led Gaza Interior Ministry arrested a Gaza resident for al-Batsh’s death and alleged the man worked for Mossad, Israel’s intelligence agency.

As Hamas seemed to struggle to establish its own domestic drone industry, other non-state actors began showing just how devastating these unmanned aerial vehicles (UAVs) could be. The Islamic State leveraged a huge number of commercial and hobbyist drones to conduct reconnaissance and drop grenades on advancing forces. Houthi rebels in Yemen began deploying sophisticated attack drones in its fight against the state military—analysts noted that, despite claims that these drones were locally made, they bore striking similarities to Iranian attack drones.

Faced with the looming possibility that Hamas could leverage some of the same techniques, Israel began running drills, practicing with fighter jets to intercept UAVs. In February 2014, it announced a prototype of a new air defense system: The “Iron Beam”—a directed energy weapon which, it hoped, will be able to track and destroy incoming drones.

In 2021, Hamas again sounded the trumpets over its supposedly game-changing drone program. This time it unveiled a whole new model: the Shehab. The suicide drones starred in slickly made propaganda videos and have been lionized for years in Hamas communiques. Yet they proved woefully ineffective in the field. Some were intercepted by the Iron Dome (as was one Israeli reconnaissance UAV) while others were shot down by F-16 jets. Video footage and unverified claims from Hamas suggest that one drone may have exploded near an Israeli chemical plant in May 2014—but appeared to do little to no damage.

Despite the program’s Iranian influence, Hamas claimed some of its drones were “locally made.” It said in a May 2022 press release that its drone program had made major progress, and it touted these new drones as a “turning point” for its fight against Israel. In September 2022, Hamas inaugurated “Shehab Square,” a public square featuring a model of the suicide drone on a pillar.

Despite all this fanfare, a December 2022 report from the International Center for Counter-Terrorism (ICCT) took a dim view of Hamas’ drone program. “Hamas has not demonstrated any ability to regularly use drones successfully,” the researchers wrote. As to why Hamas would continue investing in a capability that has such a poor record, the ICCT surmised that “the association of drone technology with military status may explain the group’s continued employment of drones.”

What’s more, the ICCT noted that Hamas’ technical failures seemed to be compounded by a lack of strategy or plan for what to do with these drones. The paper suggested that Hamas may lack the technical know-how to use these drones effectively, that it may be ineffective against Israel’s defenses, or possibly that “the group is more concerned about being seen using drones than using them effectively.”

“I think it’s surprising that Hamas didn’t use more commercial and tactical drones in its invasion,” Paul Lushenko wrote on Twitter in the hours after Hamas’ October 7 assault on Israel. “For all the concern of an Israeli intelligence failure, I think the lack of Hamas’ use of drones suggests poor organizational learning.”

Lushenko is a faculty professor at the United States Army War College and an expert in the emerging field of drone warfare. Speaking with WIRED, Lushenko says there’s little sign that Hamas, despite their usual bragging, actually managed to put its drone program into action. “We haven’t seen the evidence.”

Certainly, Hamas made some targeted use of several over-the-counter drones and quadcopters—similar to how the Islamic State deployed the UAVs during its brief control of a proclaimed caliphate. Videos reportedly released by Hamas purportedly showed drones dropping explosive devices on Israeli communications towers and machine gun positions near the Gaza border. These UAVs pose a particular challenge because they are often too small and too nimble to be successfully intercepted. Instead, Israel says it is stepping up jamming efforts to break the link between those drones and their controllers within Gaza.

Beyond those short-range and lightweight UAVs, however, Hamas’ use of its homemade, Iranian-inspired suicide drones seems to be not much more than bluster.

The much-broadcast Hamas propaganda video of its fixed-wing UAVs being fired does not, in fact, show part of the assault on Israel. It was filmed before the attack—the full video shows the suicide drones crashing into a fake Israeli outpost—the explosion knocking over cardboard cutouts, as a blue-and-white Israeli flag flaps nearby.

Hamas Telegram channels have claimed repeatedly in recent weeks that their drones struck positions in Israel but offered little in the way of visual evidence or specifics. One supposed strike was conducted on “a parking lot for vehicles and personnel east of Gaza.” There has been no confirmation of any of these strikes or claims of any damage inflicted.

The Israel Defense Forces declined WIRED’s request to comment on whether it had intercepted any of these drones, writing that “the IDF is currently focused on eliminating the threat from the terrorist organization Hamas.”

There may be two possible explanations for this apparent lack of impact. One is that Hamas has opted to stockpile these drones, saving them for an anticipated Israeli ground operation. The other is that, like past attempts, Hamas’ drone program has simply failed to launch.

The first possibility could pose an enormous challenge for Israel. As we’ve seen on both sides of the Ukraine-Russia war, drones have substantially changed the reality on the ground. While analysts say Russia has used Iranian-made kamikaze drones to attack Ukrainian critical infrastructure, Ukraine has responded with Turkish-made Bayraktar TB2 drones to hammer Russian convoys and defensive positions. Smaller quadcopters have given both sides unparalleled visibility behind enemy lines and have proved remarkably deadly in urban warfare. If Hamas is sitting on a reserve of these drones, to be used if Israeli forces cross into Gaza—where they will not have the protection of the Iron Dome—it could be highly effective at frustrating a possible ground assault.

“It's not uncommon for non-states \[actors\] and states to not use all of their decisive weapons all at once,” James Patton Rogers, executive director of the Cornell Brooks Tech Policy Institute, tells WIRED. “Will this be something that happens in the coming days and weeks? Is this something that was deliberately held back en masse from being launched against Israel?”

The fact that Hamas has, on dozens of occasions over the past two years, fired these drones toward Israel with little to no effect suggests that its reach may have extended its grasp. “We don't know the full impact of those yet, if there wasn't much impact,” Rogers says. “Did they do anything more than the rockets or the mortars would do? Were they able to penetrate the Iron Dome more than a mortar or a rocket?”

Normally, these loitering munitions are more effective at beating missile defense systems, as they tend to fly low and slow, hugging the ground. But given that Israel has one of the most advanced air-defense systems in the world, Hamas may simply not have had the time, capacity, or skill to adequately learn how to overcome the Iron Dome.

“I do think it's a bit too early to tell in this one,” Rogers says.

Lushenko adds that, even if these drones do very little physical damage, the threat they pose will still loom large. “They really have a psychological effect.”

The Dangerous Mystery of Hamas’ Missing ‘Suicide Drones’

With a new emphasis on the Hamas attacks on Israel, the US Treasury has proposed designating foreign cryptocurrency “mixer” services as money launderers and national security threats.

Hamas’ attacks Against Israel on October 7 have shifted the geopolitical landscape and triggered a looming Israeli ground assault in the Gaza Strip. Now the ripple effects are reaching the cryptocurrency industry, where they’ve become the United States Department of the Treasury’s rallying cry for a crackdown on cryptocurrency anonymity services.

The US Treasury’s Financial Crimes Enforcement Network (FinCEN) today released a set of proposed rules that would designate foreign cryptocurrency “mixers”—services that blend users’ digital funds to offer more anonymity and make them harder to trace—as money laundering tools that pose a threat to national security and would thus face new sanctions and regulations. The new rules, if adopted following a 90-day period of public comment and debate, would potentially represent the broadest restrictions imposed yet on the mixing services and could make it far harder for cryptocurrency holders to put their money through the services before cashing it out at a US cryptocurrency exchange, or even at a foreign exchange that accepts US customers.

While the proposed rules were almost certainly in the works long before October 7, the Treasury’s announcement of the proposed rules tied the push for a change in policy directly to the use of cryptocurrency by Hamas and militant groups in Gaza. “The Treasury Department is aggressively combatting illicit use of all aspects of the CVC ecosystem by terrorist groups,” Wally Adeyemo, deputy secretary of the Treasury, wrote in a statement, using the term “CVC” to mean convertible virtual currency. Adeyemo says that this includes Hamas and Palestinian Islamic Jihad, a militant group that often aligns with Hamas, which Israel blamed for an explosion at a hospital in Gaza earlier this week.

Cryptocurrency mixers have existed almost as long as Bitcoin itself. They offer to take in a user’s cryptocurrency, blend it with that of other users, and return the funds so that they are harder to follow from their origin to destination on blockchains, which generally record every transaction in full public view. The Treasury’s rule change would designate those cryptocurrency-mixing services—or at least the majority of them that are based outside the US—as a “primary money laundering concern.” They would thus be considered a threat to US national security as defined by section 311 of the Patriot Act, a section of the law designed to restrict how domestic financial institutions interact with potential sources of terrorist financing.

The rule change would mean that US financial services, as well foreign ones with US customers—including cryptocurrency exchanges—would have to go through extra record-keeping and reporting requirements for funds that have touched a foreign cryptocurrency mixer, and it might even allow the Treasury to block US exchanges from handling those funds. “We’ve never seen anything like this before,” says Ari Redbord, the head of global policy for TRM Labs, a blockchain analysis firm. Redbord notes that the rule change isn’t proposing a blanket ban on foreign mixing services, only new rules for interacting with them. “The reality, however, is that 311 actions oftentimes have a sort of name-and-shame effect, where people are just not wanting to engage with these platforms out of fear of being caught up in money laundering or other type of illicit activity.”

Redbord, who previously served as an advisor to the Treasury’s undersecretary for Terrorism and Financial Intelligence, also notes that the proposal was no doubt being considered prior to the latest Hamas attacks and that the Treasury must have changed the proposal’s focus from the use of cryptocurrency by other national security threats, like North Korea and Russia, to Hamas and militant groups in recent days. “Having been at Treasury for a number of years, you don’t just roll out an action like this out over the course of 10 days,” says Redbord. “They’ve kind of shifted the narrative toward Hamas because that’s the news.”

Hamas and militant groups’ use of cryptocurrency, while significant, pales in comparison to the amount of cryptocurrency used by other illicit actors. Hamas, for instance, raised $41 million in cryptocurrency over the past two years, and Palestinian Islamic Jihad raised $91 million, according to a report last week in the _Wall Street Journal_ that cited analyses by cryptocurrency tracing firms and seizures by the Israeli government.

It’s not clear, however, how much of those funds actually made it to these groups before being seized. In fact, Hamas asked its donors to stop using cryptocurrency in April of 2023, due to the public nature of the transactions on blockchains and the risk of prosecution. Cryptocurrency tracing firm Chainalysis, which frequently works with government and law enforcement customers, went so far as to publish a blog post yesterday cautioning against mistaken analyses that overestimate the role of cryptocurrency in financing entities like Hamas and the Palestinian Islamic Jihad.

North Korean state-sponsored cybercriminals, Russian ransomware gangs, and other criminal groups, by contrast, have pocketed billions of dollars through their theft of cryptocurrency or use of the technology as a means of demanding extortion payments from victims. Thieves stole $3.8 billion in crypto last year—much of which went to the North Korean regime—and ransomware hackers extorted close to $450 million in just the first half of 2023, according to Chainalysis.

Those criminals often use cryptocurrency mixing services, funneling hundreds of millions of dollars into mixing services like ChipMixer and Sinbad.io. In fact, US law enforcement and the Treasury Department have aggressively sanctioned or shut down one mixer service after another in recent years, including Blender, TornadoCash, and Bitzlato, often citing their use in laundering the profits of those North Korean and Russian hackers.

The new FinCEN rules would be less severe than those sanctions, indictments, and busts—a new regulatory process rather than a ban—but also far wider in scope, says Jason Somensatto, Chainalysis’ head of North America public policy. “The impact can be much broader,” says Somensatto. “They can say that this applies to _all_ mixing services that people are interacting with.”

As the Treasury doubles down on its push to cut off crypto-based money laundering—and now points to Hamas as a new impetus for that crackdown—TRM Labs’ Redbord cautions that US regulators shouldn’t go too far in censuring services that do, in some cases, offer financial privacy to legitimate users. After all, without mixers, most cryptocurrency transactions are fully public in nature. “I think the challenge for regulators is, how do we thread the needle between stopping illicit actors from using these platforms but at the same time allow regular users to enable some degree of privacy?” Redbord says. “I think the concern is that this could very much be throwing the baby out with the bathwater.”

Citing Hamas, the US Wants to Treat Crypto "Mixers" as Suspected Money Launderers

A flood of false information, partisan narratives, and weaponized “fact-checking" has obscured efforts to find out who’s responsible for an explosion at a hospital in Gaza.

Yesterday evening around 7 pm local time, an explosion rocked the Al-Ahli Baptist Hospital in Gaza City. Within minutes, information about what had happened was distorted by partisan narratives, disinformation, and a rush to be first to post about the blast. Add in mainstream media outlets parroting official statements without verifying their veracity, and the result was a chaotic information environment in which no one was sure what had happened or how.

“There’s just been this massive sort of pressure to get videos out there, get your take, get your analysis, and it’s like a perfect storm for chaos,” Kolina Koltai, a senior researcher at open source intelligence (OSINT) news outlet Bellingcat, tells WIRED.

Moments after the explosion was reported, Gaza’s health ministry claimed the blast was caused by an Israeli rocket attack and that hundreds of people had died, marking what would be among the deadliest attacks of the current conflict between Israel and Hamas, which controls the Palestinian territory of Gaza. News organizations such as _The_ _New York Times_ and Reuters ran with the claim, pushing notification alerts to people’s phones with the news that Israeli rockets had killed Palestinians sheltering in a hospital in Gaza. “Breaking news: Israeli strike on hospitals kill hundreds, Palestinian officials say,” _The_ _New York Times_ alert read.

Soon after those push notifications went out, the Israeli military said its intelligence officers had tracked rockets fired by the Palestinian Islamic Jihad, an armed militant group in Gaza that is aligned with Hamas against Israel but often acts independently. Israeli military officials said they observed Islamic Jihad rockets passing the hospital at the time of the strike, adding that it was these projectiles—not an Israeli rocket—that hit the facility’s parking lot.

News organizations quickly changed their headlines to reflect the counterclaim from Israel and pushed out more notifications to their audiences. The updated headline from _The_ _New York Times_ read: “At least 500 dead in blast at Gaza hospital, Palestinians say.”

This was only the beginning of the confusion.

In the hours after the attack, @Israel, the official Israeli account on X (formerly Twitter), posted a video it claimed was proof that the explosion was the result of a misguided rocket launched by Islamic Jihad militants. But within minutes, Aric Toler, a former Bellingcat researcher who now works for _The_ _New York Times_, pointed out that the time stamp on the video showed 8 pm local time, a full hour after the explosion took place.

“When you see people in such a capacity putting out a claim, walking it back, putting out a video, deleting the video, it makes it tough, not just for us to do our job, but even for the public to find out what’s going on,” Koltai says.

The post on Israel’s official account was subsequently edited to remove the video while maintaining its claim that the attack was not the result of an Israeli strike.

Meanwhile, social media was flooded with videos and images that claimed to provide proof of the origin of the attacks, with many accounts making definitive judgments about those they claimed were responsible for the attack, all without any actual proof.

For experts in the OSINT community who have spent years working on incidents just like this, the confusion and misinformation were frustrating. Figuring out what happened takes time, and the deluge of misinformation only made that work more difficult.

“It’s because we are trying to track a rocket, at night, via a couple of livestreams, a security camera, and a phone camera,” an OSINT researcher, who posts anonymously on social media using the handle OSINTtechnical, tells WIRED. “Oh, and there are bad actors purposely trying to muddy the waters. I would say we still have an acceptable number of resources to see into Gaza, but it takes some time to parse everything to a complete degree.”

The researcher adds that their job was made infinitely more difficult by media outlets running with the claim that Israel was responsible. “That blows everything out of the water,” OSINTtechnical says.

Koltai says she began trying to figure out what had happened within hours of the incident, before her colleagues in Europe took over today. Despite being among the first to begin investigating the incident, as of this afternoon Bellingcat had still not confirmed how the attack happened or who was responsible.

Similarly, the BBC Verify team published its analysis of the explosion based on the available information but has been unable to conclude what exactly happened. A number of videos captured with mobile phones and circulated on social media appear to show the moment of the explosion from different angles. A livestream operated by Al Jazeera shows two flashes, one further away from the camera and one much closer, which some claim shows the rocket launching, followed by the explosion. Footage captured this morning shows the hospital’s parking lot, and what appears to be a small impact crater. Footage shows damage to a number of cars, but only minor damage to the exterior of the hospital building.

Today, _The New York Times_ reported that US officials said they have “multiple strands of intelligence,” including infrared satellite imagery, indicating that the deadly blast was caused by the Islamic Jihad group, though that evidence has not been released publicly. US president Joe Biden, who is meeting with officials in Israel today, echoed Israel’s claim that its military did not fire the rocket that hit the hospital. “Based on the information we have seen today, it appears the result of an errant rocket fired by a terrorist group in Gaza,” he said.

In the days since Hamas attacked Israel on October 7, people claiming to be OSINT practitioners have emerged on social media who are much more willing to make conclusive findings almost immediately than people who have a long history of conducting OSINT work.

This new group is “publishing analysis as quickly as possible when events are taking place, in an attempt to compete for public attention,” ​​Francesco Sebregondi, a forensic architect who helps investigate human rights abuses through a technique known as forensic architecture, tells WIRED. “This is of course detrimental to the fundamental goal of citizen-led open source investigations.”

The purpose of OSINT investigations is to independently verify information “and to enable counter-investigations of authoritative arguments and sometimes misleading official accounts,” Sebregondi says.

Sebregondi says OSINT accounts that rush to post analyses prematurely not only mislead their followers but help bolster the narrative of political actors who may be “counting on the eagerness of some OSINT actors to use any image, material, or data to quickly publish new content or ‘analysis’—and thereby more or less directly support its version of the events.”

Aside from the apparent bragging rights of being first, there is also now a financial incentive to post updates before anyone else because if you’re “first and put out a hot take even if you’re maybe not correct you can actually get paid out for it,” Koltai says, referring to X’s revenue-sharing program.

Fact-checking and open source investigations have long been seen as a way to hold platforms accountable by debunking disinformation that spreads unchecked on social media, but the Israel-Hamas war has shown how the language of OSINT investigators has been co-opted by self-interested parties, says Caroline Orr, a behavioral scientist and postdoctoral researcher at the University of Maryland who tracks disinformation online.

“I think one of the most disturbing aspects of studying disinfo is when you realize that even fact-checking has become weaponized,” Orr wrote on X. “Most people don’t care about the truth about the hospital being bombed; they just care about finding a truth to use against the other side.”

Source

Wired