Apple updated its location-tracking system in an attempt to cut down on AirTag abuse while still preserving privacy. Researchers think they’ve found a better balance.

Apple's AirTags are meant to help you effortlessly find your keys or track your luggage. But the same features that make them easy to deploy and inconspicuous in your daily life have also allowed them to be abused as a sinister tracking tool that domestic abusers and criminals can use to stalk their targets.

Over the past year, Apple has taken protective steps to notify iPhone and Android users if an AirTag is in their vicinity for a significant amount of time without the presence of its owner's iPhone, which could indicate that an AirTag has been planted to secretly track their location. Apple hasn't said exactly how long this time interval is, but to create the much-needed alert system, Apple made some crucial changes to the location privacy design the company originally developed a few years ago for its “Find My” device tracking feature. Researchers from Johns Hopkins University and the University of California, San Diego, say, though, that they've developed a cryptographic scheme to bridge the gap—prioritizing detection of potentially malicious AirTags while also preserving maximum privacy for AirTag users.

The Find My system uses both public and private cryptographic keys to identify individual AirTags and manage their location tracking. But Apple developed a particularly thoughtful mechanism to regularly rotate the public device identifier—every 15 minutes, according to the researchers. This way, it would be much more difficult for someone to track your location over time using a Bluetooth scanner to follow the identifier around. This worked well for privately tracking the location of, say, your MacBook if it was lost or stolen, but the downside of constantly changing this identifier for AirTags was that it provided cover for the tiny devices to be deployed abusively.

In reaction to this conundrum, Apple revised the system so an AirTag's public identifier now only rotates once every 24 hours if the AirTag is away from an iPhone or other Apple device that “owns” it. The idea is that this way other devices can detect potential stalking, but won't be throwing up alerts all the time if you spend a weekend with a friend who has their iPhone and the AirTag on their keys in their pockets.

In practice, though, the researchers say that these changes have created a situation where AirTags are broadcasting their location to anyone who's checking within a 30- to 50-foot radius over the course of an entire day—enough time to track a person as they go about their life and get a sense of their movements.

“We had students walk through cities, walk through Times Square and Washington, DC, and lots and lots of people are broadcasting their locations,” says Johns Hopkins cryptographer Matt Green, who worked on the research with a group of colleagues, including Nadia Heninger and Abhishek Jain. “Hundreds of AirTags were not near the device they were registered to, and we're assuming that most of those were not stalker AirTags.”

Apple has been working with companies like Google, Samsung, and Tile on a cross-industry effort to address the threat of tracking from products similar to AirTags. And for now, at least, the researchers say that the consortium seems to have adopted Apple's approach of rotating the device public identifiers once every 24 hours. But the privacy trade-off inherent in this solution made the researchers curious about whether it would be possible to design a system that better balanced both privacy and safety.

“There’s this whole standards effort going on around how to do stalking resistance, which is really good. It means Apple and Google and the other companies are taking it seriously,” Green says. “The sad part is that Apple did the thing that everyone does when they're painted into a corner. They have a big knob—one direction is privacy, one direction is the other thing (in this case, anti-stalking)—and they turned that knob away from privacy.”

The solution Green and his fellow researchers came up with leans on two established areas of cryptography that the group worked to implement in a streamlined and efficient way so the system could reasonably run in the background on mobile devices without being disruptive. The first element is “secret sharing,” which allows the creation of systems that can't reveal anything about a “secret” unless enough separate puzzle pieces present themselves and come together. Then, if the conditions are right, the system can reconstruct the secret. In the case of AirTags, the “secret” is the true, static identity of the device underlying the public identifier that is frequently changing for privacy purposes.

Secret sharing was conceptually useful for the researchers to employ because they could develop a mechanism where a device like a smartphone would only be able to determine that it was being followed around by an AirTag with a constantly rotating public identifier if the system received enough of a certain type of ping over time. Then, suddenly, the suspicious AirTag's anonymity would fall away and the system would be able to determine that it had been in close proximity for a concerning amount of time.

Green notes, though, that a limitation of secret sharing algorithms is that they aren't very good at sorting and parsing inputs if they're being deluged by a lot of different puzzle pieces from all different puzzles—the exact scenario that would occur in the real world where AirTags and Find My devices are constantly encountering each other. With this in mind, the researchers employed a second concept known as “error correction coding,” which is specifically designed to sort signal from noise and preserve the durability of signals even if they acquire some errors or corruptions.

“Secret sharing and error correction coding have a lot of overlap," Green says. “The trick was to find a way to implement it all that would be fast, and where a phone would be able to reassemble all the puzzle pieces when needed while all of this is running quietly in the background.”

The researchers first published a paper about their findings in September and submitted it to Apple. More recently, they notified the industry consortium about the proposal. Apple did not return WIRED's request for comment about the research and whether it is considering implementing the scheme.

Green says he hopes the company will eventually do something with the work. And he adds that the project is an important reminder of the real-world impacts theoretical cryptography can have.

“What I love about this problem is it seems like there are two competing requirements that can't be reconciled,” he says. “But in cryptography, we can get full privacy and then, magically, the puzzle pieces click into place, or a ‘chemical reaction’ happens, and we phase-transition to a point where suddenly it’s obvious that this is a stalker, not just a benign AirTag. It's very powerful to be able to go between those two moments.”

This Clever New Idea Could Fix AirTag Stalking While Maximizing Privacy

Members of the US Congress touted improvements to children’s privacy protections as an urgent priority. So why didn’t they do anything about it?

It’s been 15 years since suicides overtook homicides as the second leading cause of death for children ages 10 to 14 years old. Two years since the first Meta whistleblower warned United States senators that America’s children are at risk from “disastrous” decisions being made in Silicon Valley. (And a little over a month since a second Meta whistleblower testified, “They knew and they were not acting on it.”) And it’s been roughly one year since a wave of new, younger lawmakers—many raising their own young children—were seated in the House of Representatives. “As a mom of two kids, you know, we want to make sure that their online experience is safe,” Representative Beth Van Duyne, a Texas Republican, tells WIRED.

All those changes—including an alarming doubling of the adolescent suicide rate—and yet, one constant remains: congressional inaction. Amid a flurry of blockbuster whistleblower hearings, soaring campaign promises, tear-soaked press conferences with the families of teens lost to cyberbullying, and dozens of competing bills that members have introduced aimed at protecting kids in cyberspace—nothing.

Congressional inaction has left the door open for the Biden administration to lead on the issue. On Wednesday, the Federal Trade Commission unveiled its proposal for a new set of guidelines to govern social media firms. The FTC wants to prohibit social media companies from identifying children—like targeting their cell numbers—when they’re online, while also limiting which data is collected on students, including having apps not target children under 13 with ads by default. With House Republicans now taking steps to impeach Joe Biden, why would they want to cede their oversight authority over American tech firms to the White House? Most don’t.

With so much interest—and increased pressure from agencies like the FTC—why hasn’t Congress protected kids yet? “I’ve never been able to figure that out either,” Representative Dan Crenshaw, a Texas Republican who sits on the Energy and Commerce Committee, which has jurisdiction on the issue, tells WIRED. Of course, there are theories floating around the marble halls of the US Capitol.

“M–O–N–E–Y”

Teams of tech lobbyists on Capitol Hill have dropped upward of $75 million (not including Q4 totals, which aren’t due until January 22) in 2023. Of the 637 “internet” lobbyists, as money and politics nonprofit Open Secrets dubs the sector, a whopping 73.31 percent are former government employees. Many of these lobbyists are from the same congressional offices and committees now tasked with regulating the internet. They’re not very subtle.

One social media firm or another seems to always be blanketing Washington with a feel-good, policy-focused ad campaign. At the start of the year, TikTok—which, at $3.7 million, spent more in Q3 lobbying this year than it did throughout all of 2019 and 2020 combined—plastered DC’s metro system, historic Union Station, and _The Washington Post_ with ads. When its CEO was dragged in to testify to an angry Congress this spring, it even paid for travel, room, and board for dozens of sympathetic “influencers.” For the past month or so, Meta ads have blanketed the Beltway: “Instagram supports federal legislation that puts parents in charge of teen app downloads,” the ad reads, without saying which measures it’s actively trying to kill on Capitol Hill.

Lawmakers say the ad blitz shows what they’re up against from technology firms. “M–O–N–E–Y,” Senator Josh Hawley, a Missouri Republican, spells out to WIRED. “They’re only in favor of stuff if they can write it.”

In the last Congress and again this summer, two key kid-focused digital measures both sailed through the Senate Commerce Committee. The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) outlaws targeting children with advertising while also banning data collection on teenage social media users, to name a few of its provisions. The controversial Kids Online Safety Act (KOSA) mandates annual minor-focused risk assessments within social media giants while also giving parents and regulators new tools to protect children.

The two measures enjoy broad support, which is why they get out of committee with ease. But they’ve never been brought to the Senate floor for a vote by all 100 US senators. Critics say many members are supportive in the relatively obscure confines of their committees, but some of that support withers away under the intense lobbying scrutiny that comes once bills make the queue for Senate consideration. So far, members have been shielded, but those days seem to be over. “That’s because, in committee, they know they’re not going to have to vote on it on the floor. I know that for a fact,” Hawley, who’s up for reelection in 2024, says. “I can tell you, I’m going to get much more aggressive come the new year about forcing votes. I think it’s time to start putting people on record.”

The thing is, no one really knows what would happen if COPPA 2.0 or KOSA were voted on. “I don’t have any predictions or any insights,” Senator Roger Wicker, the Mississippi Republican who chaired the Commerce Committee until Democrats reclaimed senatorial power in 2021, tells WIRED. The resistance remains hard to nail down. Republicans blame Democrats. Democrats blame Republicans. Everyone blames the tech industry. “In the legislative process where you’re not bringing something to the floor for debate—which is where you could have a lot of input—then one person can hold something up,” Senator Maria Cantwell, a Democrat who chairs the Senate Commerce Committee, tells WIRED.

Because a broader data privacy bill remains gridlocked to death on Capitol Hill, Congress now has these offshoot measures aimed specifically at children, according to Cantwell. “We want to get a privacy bill, overall,” she says. “That’s what we focused on, because we think that framework gives the biggest protections, including for kids. But we’ve allowed these \[children-focused measures\] to see if they can make it through so that they wouldn’t have to be part of a larger discussion.”

While Hawley’s convinced Big Money keeps derailing the effort, others disagree. These issues just take time, nuance, and compromise, congressional leaders in both chambers argue. “We keep trying. We need a bipartisan, bicameral consensus, and that’s what we’re trying to do,” Representative Frank Pallone, the top Democrat on the House Energy and Commerce Committee, tells WIRED. “I don’t think it’s any special interest. I think it’s just the fact that it’s hard to get the Senate and the House and the Democrats and Republicans to agree, but we’re trying. I think we’re making progress.”

KOSA Complications

In the last Congress, KOSA—the Kids Online Safety Act—was formally endorsed by 13 Senate cosponsors. That number has more than tripled to 46 cosponsors in this Congress. KOSA cosponsors—Senators Marsha Blackburn, a Republican from Tennessee, and Richard Blumenthal, a Connecticut Democrat—say their personal lobbying of their colleagues is paying off, even if the measure remains stalled. “We’re pushing forward,” Blumenthal tells WIRED. “I’m very hopeful we’ll see a vote early next year. I think we’re feeling it.” Still, while the measure is broadly bipartisan, there’s been a recent wave of opposition to it on the civil libertarian left.

In our post-_Roe_ reality, digital rights and reproductive freedom are now intertwined, and highly suspect. KOSA is now in the crosshairs of groups like the American Civil Liberties Union (ACLU) over free speech and expression concerns. This fall, upward of 100 parents of trans and gender-expansive children penned an open letter opposing KOSA, saying it would “make our kids less safe, not more safe.”

“It would grant extraordinary new power to right-wing state attorneys general to dictate what content younger users can see on social media, cutting our kids off from lifesaving online resources and community,” the letter, released by digital rights group Fight for The Future, reads. “These are the same attorneys general that are actively working to ban gender-affirming health care that saves kids’ lives, criminalize drag performances, and label families that accept our children as ‘groomers’ and ‘child abusers.’”

The outcry from the progressive end of the spectrum has given those groups new, powerful advocates in Congress. In the end of the year legislative-twister at the Capitol, some KOSA supporters were itching for the proposal to be “fast-tracked,” a unanimous consent agreement where all 100 senators surrender their right to filibuster. But opponents got word and put an end to those efforts. “Until the bill is amended to foreclose the ability of state attorneys general to wage war on important reproductive and LGBTQ content, I will object to any unanimous consent request in relation to this legislation,” Senator Ron Wyden, an Oregon Democrat, told his Senate colleagues in a speech on the Senate floor last month.

KOSA’s sponsors know they still haven’t secured the 60 votes needed for passage, so one alerted party leaders they would oppose their own measure if it were brought up before the New Year. Senate Majority Leader Chuck Schumer’s office didn’t respond to a request for comment on whether he had—or has—plans to bring it to the floor. But Schumer says that before Congress can effectively regulate generative AI—one of his top priorities—America needs a federal data privacy law. “There was pretty much consensus that we need some kind of privacy law,” Schumer told reporters last month. “There are lots of disagreements, but it’s important to try and get that done.”

One Thing After Another

Over in the House, most eyes are on whether freshman speaker Mike Johnson can avert a government shutdown in the New Year. With such a green leader at the helm, House committees are, seemingly, more powerful than before, as members report trying to be the first person to get Johnson’s ear on an array of issues. While there’s no companion measure to KOSA in the House, children’s data privacy remains a top priority for the GOP majority in that chamber. The issue came up as a top priority in the last weekly in-person meeting of the Republican majority on the powerful House Energy and Commerce Committee.

“It’s not dead. It’s a priority for us,” Representative Richard Hudson, a North Carolina Republican, tells WIRED. He’s the current chair of the National Republican Congressional Campaign Committee where he’s tasked with helping the GOP expand its House majority—or, at least, not lose its majority—in 2024. Hudson knows many of his newer members ran on protecting the nation’s children from online predators, legal and illegal ones alike. Now comes the hard work of threading the proverbial needle. “It’s a very difficult question,” Hudson says. “You’re trying to balance rights versus protecting kids, and that’s tough. But our chairwoman is very focused on getting it done.”

If these children’s data measures are ever debated and voted on, dozens of other more niche privacy protection measures will likely be offered by both party’s rank-and-file lawmakers. Some ideas focus on protecting reproductive and geolocation data from law enforcement, especially in states that have outlawed most abortions. Other measures would strip Section 230 liability protections from sites that, say, host child sexual abuse material or promote the sexual abuse of minors. Another proposal would incentivize, through drastically increased federal fines, tech firms to proactively report any child exploitation efforts they uncover.

There’s more. This year in the Senate, a new bipartisan measure was introduced to outright ban social media for children under 13, while also requiring parental consent until those minors turn 18. Its sponsors include some of the Senate’s most conservative lawmakers—Tom Cotton, an Arkansas Republican, and Katie Britt, an Alabama Republican—and some of the chamber’s most progressive members—Chris Murphy, a Connecticut Democrat, and Brian Schatz, a Hawaii Democrat. Just bringing a measure to protect minors to the floor without ensuring its passage isn’t good enough for Schatz.

“If we can enact it, that would be great, but there’s no sense bringing something to the floor just to make a point,” Schatz, a father of two, tells WIRED.

If party leaders don’t put one or all of these bills on the floor for votes, Hawley, the Republican senator, vows to use all the instruments in his senatorial toolkit to force the issue in 2024.

“I think it’s time to start putting people on record,” Hawley, who authored a measure prohibiting social media accounts for children under age 16, tells WIRED. “Clearly, the leadership’s not going to bring this to the floor. I think that’s pretty clear. So I think we’ve got to get much more aggressive about forcing votes. What I’d really love to do is start trying to attach this to bills where we have roll call votes, because members hate roll call votes. So expect me to get very aggressive about this.”

Hot Air

Congress knows how to grab headlines—making laws is another conversation. This 118th Congress, with a mere 22 bills signed into law, is currently the least productive session witnessed in decades.

While no data privacy votes are scheduled in the new year, a fireworks display is already on the books. Fresh into the start of 2024, senators on the judiciary committee are dragging in five tech CEOs for a made-for-campaign-fodder hearing on children’s privacy issues. Law enforcement was already called in. See, while TikTok CEO Shou Zi Chew and Meta’s Mark Zuckerberg agreed to testify, subpoenas—some hand-delivered by US marshals after Discord and X “refused to cooperate”—were issued for the other three tech titans: X CEO Linda Yaccarino, Snap’s Evan Spiegel, and Discord’s Jason Citron.

“We’ve known from the beginning that our efforts to protect children online would be met with hesitation from Big Tech. They finally are being forced to acknowledge their failures when it comes to protecting kids. Now that all five companies are cooperating, we look forward to hearing from their CEOs,” Senators Dick Durbin, the committee’s Democratic chair, and Lindsey Graham, the committee’s top Republican, released in a joint statement the Monday before Thanksgiving. “Parents and kids demand action.”

Parents and kids are still wondering whether they can count on this Congress for that action. As of now, Congress has shown they can’t.

Congress Sure Made a Lot of Noise About Kids’ Privacy in 2023—and Not Much Else

I tried to sell a futon on Facebook Marketplace and nearly all I got were scammers.

This year, I decided to get rid of my Amazon starter couch and buy a real one. So I listed the generic, velvet-green futon on Facebook Marketplace, thinking some college students or recent New York transplants would happily scoop it up at a discounted price.

Since September, I have received many inquiries about this couch—nearly all from people who are likely scammers. They respond to the listing and offer me full price in Facebook Messenger from the jump (maybe my first clue, a real Facebook Marketplace veteran knows to haggle). Then, they ask some basic questions that are already in the item’s description: “Where are you located?” “What’s the condition?” Once I’ve repeated myself and given the cross streets closest to my home, there comes another refrain: The buyer either says they must pay now, so that I would take the item off the listing, or so that their husband/brother/son/mover, you name it, can come pick up the futon later that day.

Because it seems no real person would offer to send payment over Zelle _before_ ever seeing that the futon is real, I didn’t accept any of these offers. If I did, it’s likely these people would have sent a phishing link—either as a text to my phone number or in an email—disguised as communication from Zelle, looking to drain me of more money than the couch is worth. For now, I’m stuck with this futon, folded up in the corner of my tiny apartment. So far I’ve been unable to use Facebook Marketplace for its intended purpose: buying and selling useful things among my neighbors.

What happened to me is just one example of the many ways experts say people are getting scammed on Facebook Marketplace. Some scams come from what looks like a seller listing big-ticket items that don’t exist, like a car, and asking for prepaid debit cards purporting to be for eBay and Amazon payments as down payments before vanishing. Peer-to-peer online shopping has always been a buyer-beware endeavor, but sellers themselves are being scammed too. A freelance writer from Australia recounted her own embarrassing story in _The Guardian_ just last month, when she lost $1,000 while trying to sell a pair of boots after plugging sensitive information into a phishing link sent by a scammer.

Facebook is far from the only place scams happen—they’re common across many online selling platforms. But as its Marketplace has soared in popularity since its debut in 2016, scammers have sought to exploit the tool, experts say. Marketplace’s design supplied a layer of transparency and trust for person-to-person transactions; rather than interacting anonymously through a Craigslist ad, people were using profiles that typically included full names and photos. And with an existing Facebook profile, users could upload photos, write descriptions, and seamlessly post a listing with just a few clicks. By 2021, Facebook Marketplace had 1 billion monthly users, growing as ecommerce flourished during the height of the Covid-19 pandemic.

Now, bad actors are relying on that built-in trust to manipulate people out of far more money than their second-hand items may be worth. The scams have become a common feature of the app, and Meta, the $800 billion parent company of Facebook, hasn’t been able to shut them down.

“What happens offline often makes its way into online environments, and that unfortunately includes scams," Ryan Daniels, a Meta spokesperson, tells me. Daniels says the company works “aggressively to quickly identify, disable, and ban scams and accounts associated with them.” The company is also working on a new notification system to “help people better identify potential scams around payment apps" that should begin rolling out over the next few months. Daniels did not share more information about how those notifications will work.

Many scams and attempted scams go unreported, so it’s impossible to understand the scale of the problem. In a 2022 survey of 1,000 people in England, one in six said they were scammed on the marketplace. Another 2022 survey of 1,000 people in the US found that 62 percent had encountered a scam on Facebook. From January 2022 to November 2023, the Better Business Bureau’s scam tracker logged more than 1,200 reports that mentioned Facebook Marketplace in the US and Canada.

The scammers targeting me followed the same script: two messages from different accounts even included the same odd spacing format and just changed a word or two from each other, asking: “Alright I hope this is a legit post because I will be paying the $100 now so you can mark the item as sold my sister will come pick it up but I’ll send the money?” As more of these messages flowed into my DMs, I insisted on being paid in person, and the potential buyers vanished after one or two more wild excuses as to why that wouldn’t be possible. When I wrote “bye, scammer” to one, they replied with “lmao” just before I reported the profile to Facebook.

The scams follow similar patterns, because fraudsters conduct business like multilevel marketers, says Adrianus Warmenhoven, a member of the security advisory board for network security company NordVPN. Someone may develop a scam, then sell it as a toolkit with scripts and phishing links. People also can buy orphaned and hacked Facebook accounts, giving them access to profiles that look like real people with long account histories. Many of the messages I received came from accounts that were created a decade ago or more, showing that these aren’t new accounts created for the sole purpose of scamming people on Marketplace. “A lot of criminal stuff is not being executed by computer-savvy or even criminal-savvy people,” Warmenhoven says. Some of these tools, experts say, are sold on the dark web. But there are also chats on Telegram advertising hundreds of bundled bunches of Facebook accounts from specific countries for sale in bulk. Telegram did not respond to a request for comment.

Some scams encourage people to upgrade their Zelle accounts to a business tier to receive money from a buyer, according to the Better Business Bureau, and come from emails mimicking Zelle, but with different domains. That upgrade appears to cost $300, and the buyer promises to send it if the seller will then refund it. The catch: the $300 was never sent and appeared only in faked screenshots or emails. So, when the seller sends $300, they're really just losing the money.

Zelle’s website notes that it will send emails only from domains ending in @zelle.com and @zellepay.com, and any others could be scams. The company did not answer more specific questions about Facebook Marketplace scams, citing an effort to keep intel from fraudsters.

Other scammers use Google Voice, asking people for their verification code—all under the guise of verifying that the person isn’t a scammer. But with that code, a scammer can then create a Google Voice number using the victim’s phone number, which helps them to conceal their identity for future scams. Additionally, it can help them impersonate someone and get access to their accounts, according to the US Federal Trade Commission. When asked for comment on Facebook Marketplace scams, Google pointed to guidance it posts for people to not share their verification codes, and the company has ways for people to reclaim stolen Google Voice numbers.

Experts say the constant evolving nature of scams makes them tricky for companies to defeat. “It’s a giant game of whack-a-mole,” says Zulfikar Ramzan, chief scientist with digital security company Aura. “They change something about the way they’ve done a scam. It’s really difficult for any organization to keep up with that volume at scale.”

Meta has continued to grow Facebook Marketplace even as scams linger. A 2022 ProPublica investigation found that Facebook Marketplace scams had run rampant and that the company was potentially understaffed to a degree that impeded its ability to stop scammers. In addition to in-house workers, Meta had contracted 400 Accenture workers around the world and gave each person more than 600 complaints or requests for help to process each day. Even worse, ProPublica found a number of alleged armed robberies and murders had occurred in relation to Facebook Marketplace meetups. Meta, Facebook’s parent company, did not answer questions about how it monitors scams now and the information in the ProPublica investigation.

Facebook Marketplace has evolved to more than just selling in the neighborhood. There are options to ship products after a sale, and some small shops have used the platform to grow their business. All of these different types of transactions bring different concerns about scams. Marketplace offers purchase protection, but it doesn’t cover payments made through third-party sites like Zelle, items picked up locally, or transactions conducted through Facebook Messenger.

I lost track of the number of people who seemed eager to scam me—I reported lots of scammers and then left chats, which disappeared. A few people may have been legitimately interested but dropped off early in the conversation. In the end, the frustration wasn’t worth the cash. I’m stuck with this couch, and there’s only one solution left. I’m heading over to another side of Facebook entirely: Buy Nothing.

Facebook Marketplace Is Being Ruined by Zelle Scammers

After an 18-month rampage, global law enforcement finally moved against the notorious Alphv/BlackCat ransomware group. Within hours, the operation faced obstacles.

The United States Department of Justice said Tuesday that it worked with an international group of law enforcement agencies to conduct a takedown of infrastructure related to the notorious ransomware gang Alphv, also known as BlackCat.

In recent days researchers began noticing that the group's dark-web communication and leak site was having outages, but the attackers claimed that they had simply been dealing with hardware malfunctions. Then, Tuesday morning, a message splashed across the site read, “The Federal Bureau of Investigation seized this site as part of a coordinated law enforcement action taken against Alphv Blackcat Ransomware.”

In a twist Tuesday afternoon, the gang's dark-web site roared back to life with an image of a cartoon black cat in silhouette and a banner proclaiming, “THIS WEBSITE HAS BEEN UNSEIZED.” The message remained for roughly two hours before law enforcement seemed to get control of the situation and the takedown message returned.

Alphv has become increasingly audacious in recent months. The gang memorably filed a US Securities and Exchange Commission complaint in November, for example, alleging that the digital lender MeridianLink hadn't made the proper disclosures about a data breach that Alphv itself takes credit for perpetrating.

In retaliation against the law enforcement action, Alphv said on its briefly reanimated site that it was removing its targeting rules for criminal customers who want to use the group's ransomware to attack critical infrastructure.

The group and its affiliates have already been very aggressive in their operations. The Justice Department said that the gang has targeted more than 1,000 victims around the world—including some in US critical infrastructure—and that over the past 18 months Alphv has been “the second most prolific ransomware-as-a-service variant in the world,” raking in hundreds of millions of dollars from victims. Alphv's rampage has been extremely visible, causing disruptions to popular companies including MGM Resorts, and extorting massive payments from victims, like roughly $15 million from Caesars Entertainment. The targeting has also extended to health care and emergency services, defense companies, schools, manufacturing, and government entities.

While Tuesday morning's law enforcement action was meant to deal a critical blow to the gang, it did not come with sanctions or indictments, and ultimately seemed to simply cap more than a year of pervasive and deeply consequential attacks. The fact that the gang briefly seemed to “unseize” the site on Tuesday afternoon only added to a sense of complexity about dealing with such cybercriminal actors, especially those who, like those behind Alphv, appear to be based in the relative safe haven of Russia.

“Law enforcement is moving a lot faster, but it is still not fast enough," says Allan Liska, an analyst for the security firm Recorded Future who specializes in ransomware. “It takes a while to build a case, and in the meantime these groups wreak havoc.”

Part of the reason for law enforcement's delay in attempting to take down Alphv's infrastructure may have been an ongoing investigation into the actors behind the group. Alphv/BlackCat seems to have evolved from a gang known as BlackMatter, which, in turn, seemed to emerge as a recombination of the notorious Darkside ransomware group that targeted Colonial Pipeline in the US.

“This isn't their first shit show. Unfortunately, it probably won't be their last either,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “But Alphv's partners in crime will be wondering, what information law enforcement was able to collect? And who does it implicate?”

The takedown effort involved collaboration and parallel investigations from multiple law enforcement agencies, including those in the United Kingdom, Australia, Germany, Spain, and Denmark. The US Justice Department said Tuesday that a decryptor tool for the Alphv ransomware that was developed by the FBI has already helped more than 500 victims recover from attacks and avoid paying roughly $68 million in ransoms.

As ransomware groups rely more on a hybrid model, in which much of their leverage for extortion comes from the threat that they will leak data stolen from victims, decryptors are only one of many tools needed to help victims avoid paying ransoms. But Alphv's attempt on Tuesday afternoon to let its customers use its ransomware for attacks on vital services like hospitals and nuclear plants made the existence of the decryptor more significant, given how dangerous and disruptive that activity might be.

“The statement about targeting critical infrastructure is pretty concerning. This will be an ongoing battle, for sure. Law enforcement will have to aggressively roll out the decryption keys and tools for victims,” says Alex Leslie, a threat intelligence analyst at Recorded Future. “And data extortion is still on the table. Generally speaking, data extortion wouldn’t be as disruptive in terms of a national security crisis in the short term, but who knows.”

A search warrant released by the FBI says that law enforcement got login credentials for the ransomware gang's platforms from a “confidential human source” with access to the group. Though it was not immediately clear how Alphv had “unseized” its site following the law enforcement action, researchers began to coalesce around some theories on Tuesday afternoon. Since both the cybercriminals and law enforcement had access to the login keys, it's possible that multiple sites were registered to the same Tor address or that Alphv was able to add another registration and then point the site to servers that law enforcement did not control. In the same way, though, law enforcement's presumably deep access to the gang's infrastructure is likely what allowed it to retake the site.

The US Justice Department noted Tuesday morning that people with information about Alphv/Blackcat and its affiliates should come forward and may still be may be eligible for a reward through the US State Department.

_Updated 12/19/23, 2:55 pm ET to reflect that law enforcement reestablished its control of Alphv's dark-web leak site._

A Major Ransomware Takedown Suffers a Strange Setback

On Telegram, scammers are impersonating doctors to sell fake Covid-19 vaccination certificates and other products, showing how criminals are taking advantage of conspiracy theories.

Kristina Collins didn’t know her photo was being used on Telegram. Over the past few months, an Instagram picture of Collins, a Texas-based doctor and dermatologist, has been used by scammers on the chat app to try to persuade people to buy false proof that they have been vaccinated against Covid-19 and other diseases.

“The last thing you want as a physician is for your identity to be used to promote misinformation,” Collins tells WIRED, adding that many doctors use social media specifically to make sure people have access to accurate health information. “When people are able to take that likeness and use it for bad purposes, whether it’s fraud, whether it’s misinformation, I think it’s really scary.”

The Telegram channel impersonating Collins wasn’t alone. Researchers at Logically, a UK-based disinformation detection company, have uncovered a network of around 60 Telegram channels selling Covid-19 vaccination certificates and other proof of vaccination documents, and claiming to sell various medicines. In 25 of the channels, administrators used a “Dr.” prefix in their username, with 13 of the channels using the real-world names and/or photographs of legitimate medical professionals.

The network has been operating since at least June 2022, with more than a thousand accounts on X posting links that push people toward the Telegram channels selling “vaccine passes,” according to Chris Proops and Maisie Draper, Logically researchers who investigated the activity. Overall, they say, the social media operation has reached more than 3 million people with over 62,000 posts, and cryptocurrency accounts linked to the efforts have processed $286,000.

The scam is the latest in a long line of Covid-19 and health-related misinformation and disinformation, which has broadly attempted to capitalize on conspiracy theories and some people’s concerns about vaccinations. It highlights how scammers can abuse social media platforms, particularly those with loose stances on moderation, and potentially erode trust in medical systems.

“They're directing people, anti-vaxxers primarily, on X to then move to Telegram and subscribe to the around 50 Telegram channels that they have,” Draper says. The researchers identified around 20 “campaigns” on the Elon Musk–owned social media platform that were pushing people toward Telegram channels. The first was in June 2022 and the most recent at the start of December.

Draper and Proops say the efforts used repeated messaging, often replying to “verified” accounts on X that are linked to anti-vaccination sentiments, and consistently mentioned conspiracy theories such as the “great reset.”

“A lot of it is playing on anti-vaxxers’ vulnerabilities to being paranoid about things like the next pandemic, or other kinds of vaccines, like the measles vaccine,” Draper says.

The Telegram channels, where administrators impersonate doctors, also follow similar patterns to one another. Many of the channels have names related to Covid-19 vaccinations, and they claim to sell pandemic-related travel passes, allowing people to enter the UK, US, Canada, and other countries. They can sell the passes for around $250 to $500 each, with payments often being requested in bitcoin. Photos of the documents they claim to sell look similar to the official versions of the documents.

However, the vast majority of countries no longer require proof of vaccination to enter them and haven’t done so for long periods of time—for instance, the UK removed travel restrictions in 2022. “Over time, we started seeing a trend change where it wasn't just Covid passes,” Proops says. The Telegram channels have offered tuberculosis test results, meningitis vaccine results, and documentation around hepatitis A and B, tetanus, polio, and more, he says.

The researchers say they believe doctors are being impersonated to give the scammers a veneer of legitimacy. The Logically researchers contacted several doctors who were not aware their identities were being used. One doctor, they say, had not heard of Telegram. Collins says she was not aware of her image being used in this way until she was contacted by Logically and WIRED. She added that her image had also been used on a scam Instagram account.

Since the researchers started monitoring the X accounts and Telegram channels last year, many of the accounts and channels have been removed by the social media companies; however, around half of the Telegram channels are still active. Neither Telegram nor X responded to WIRED’s request for comment on the accounts or whether Telegram was aware of the impersonation of doctors taking place.

A WIRED review of the Telegram channels still active shows regular posts from administrators and other members. Some of the channels have only a few hundred members; others have a few thousand. The administrators of some channels have been inactive for several months. Within the channels is a slurry of well-worn and debunked conspiracy theories.

One still-active channel claims itself as a “coalition of doctors” who can get people “genuinely registered documentation” for those traveling to the US, Canada, UK, Australia, and 15 EU countries. The owner of the channel uses the name of a legitimate US-based plastic surgeon who has around 50,000 followers on social media, and a photograph of another doctor. Draper says that within the communities, people “are sharing photographs of side effects of the vaccine and fearmongering about the future impacts of lockdowns.”

The channels also claim to sell the drug ivermectin, which the US Food and Drug Administration said should not be used to treat or prevent Covid-19 in 2021. One of the channels lists half a dozen different kinds of medicines it claims to be able to provide. One claims it is selling weight loss drug Ozempic, while another tells people to not get a flu shot.

“The landscape of misinformation actors is abundant,” says Aliaksandr Herasimenka, a researcher of political communication at the Oxford Internet Institute who has studied misinformation on Telegram and vaccine and health misinformation. Herasimenka, who was not involved in the Logically research, says he has not seen doctors being impersonated on Telegram regularly, but that those behind misinformation and disinformation can use a variety of tactics. He says misinformation efforts can often be run for political or social goals, while those using it to make money can be often overlooked. “There are so many people who try to make money using misinformation, they would use any opportunity to profit,” Herasimenka says.

There is no evidence indicating that the Telegram channels offer legitimate goods, and it isn’t possible to verify whether anyone purchasing items from them receives anything. Some channels have posts from “customers” who claim to have purchased items from the Telegram groups. One account, which claims it ordered a vaccine certificate and drugs to the US, shared a photo of the back of an envelope claiming they received their order. Other posts use generic photos of drugs or vaccine certificates to claim items were delivered.

The Logically researchers say the likelihood that the false documents have been sent to people is “relatively low,” and their main motivation is likely financial. Proops says that while the documents the groups claim to be selling are not of much use now, the networks could be used in different ways in the future. The continued use of the channels and spreading of anti-vaccination messages could also undermine trust in health systems around the world, Proops says.

Collins, the doctor who had her image stolen, says she is concerned that it will become easier for scammers or people looking to undermine health care professionals to do so as image generation with artificial intelligence becomes more available. “As AI gets even better, they can go beyond just taking your picture off of a website, and actually potentially make a video of you talking,” Collins says. This will make it “really hard for an average person to sort out if this is a fake account or not.”

Scammers Are Tricking Anti-Vaxxers Into Buying Bogus Medical Documents

Plus: Hackers reveal flaws in crypto wallets holding $1 billion, a massive breach of Danish electric utilities, and more.

If you work at a spy agency tasked with surveilling the communications of more than 160 million people, it’s probably a good idea to make sure all the data in your possession stays off the open internet. Just ask Bangladesh’s National Telecommunication Monitoring Center, which security researchers found connected to a leaky database that exposed everything from names and email addresses to cell phone numbers and bank account details. The data was likely just used for testing purposes, but WIRED confirmed at least some of the data is linked to real people.

A fight is brewing in the United States Congress over the future of a powerful surveillance program. Section 702 of the Foreign Intelligence Surveillance Act is set to expire at the end of the year. With the December 31 deadline quickly approaching, members of Congress and civil liberties groups are criticizing Section 702 for enabling the “incidental” surveillance of Americans’ communications and “abuses” by the FBI. While a privacy-preserving update to the program has been introduced in Congress, some 702 critics remain concerned that lawmakers will push through reauthorization using other, “must-pass” legislation.

The US Cybersecurity Infrastructure Security Agency this week rolled out its plan for implementing the Biden administration’s executive order on artificial intelligence. CISA’s efforts will focus on defending against weaponized AI and how to incorporate the technology for national security purposes.

Speaking of national security, WIRED spoke this week with Jacob Chansley, aka the Qanon Shaman, who plans to run for the US Congress after becoming a poster child for the US Capitol riot on January 6. Elsewhere in the world of unexpected political news, talk of 9/11 mastermind Osama bin Laden's “Letter to America” spread online this week—and was promptly used by far-right figures to push conspiracy theories.

For the first time, the Signal Foundation has revealed the cost of running its widely popular encrypted messaging app. With annual expenses set to hit $50 million by 2025, the nonprofit expects to rely more heavily on user donations to keep Signal going strong. “By being honest about these costs ourselves, we believe that helps provide a view of the engine of the tech industry, the surveillance business model, that is not always apparent to people,” Meredith Whittaker, president of the Signal Foundation, tells WIRED.

Speaking of surveillance business models, Meta has updated the way two-factor authentication works on Facebook. We’ve got a rundown on what you need to know. Speaking of multifactor authentication, Google has a new Titan Security Key that supports passkeys, pushing the long-used (and misused) password closer to its ultimate demise.

If you’re looking for a long read to while away your weekend, we’ve got you covered. First up, WIRED senior reporter Andy Greenberg reveals the wild story behind the three teenage hackers who created the Mirai botnet code that ultimately took down a huge swath of the internet in 2016. WIRED contributor Garrett Graff pulls from his new book on UFOs to lay out the proof that the 1947 “discovery” of aliens in Roswell, New Mexico, never really happened. And finally, we take a deep dive into the communities that are solving cold cases using face recognition and other AI.

That’s not all. Each week, we round up the security and privacy stories we didn’t report in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The ransomware group known as Scattered Spider has distinguished itself this year as one of the most ruthless in the digital extortion industry, most recently inflicting roughly $100 million in damage to MGM Casinos. A damning new Reuters report—their cyber team has had a busy week— suggests that at least some members of that cybercriminal group are based in the West, within reach of US law enforcement. Yet they haven't been arrested. Executives of cybersecurity companies who have tracked Scattered Spider say the FBI, where many cybersecurity-focused agents have been poached by the private sector, may lack the personnel needed to investigate. They also point to a reluctance on the part of victims to immediately cooperate in investigations, sometimes depriving law enforcement of valuable evidence.

Denmark's critical infrastructure Computer Emergency Response Team, known as SektorCERT, warned in a report on Sunday that hackers had breached the networks of 22 Danish power utilities by exploiting a bug in their firewall appliances. The report, first revealed by Danish journalist Henrik Moltke, described the campaign as the biggest of its kind to ever target the Danish power grid. Some clues in the hackers' infrastructure suggest that the group behind the intrusions was the notorious Sandworm, aka Unit 74455 of Russia's GRU military intelligence agency, which has been responsible for the only three confirmed blackouts triggered by hackers in history, all in Ukraine. But in this case, the hackers were discovered and evicted from the target networks before they could cause any disruption to the utilities' customers.

Last month, WIRED covered the efforts of a whitehat hacker startup called Unciphered to unlock valuable cryptocurrency wallets whose owners have forgotten their passwords—including one stash of $250 million in bitcoin stuck on an encrypted USB drive. Now, the same company has revealed that it found a flaw in a random number generator widely used in cryptocurrency wallets created prior to 2016 that leaves many of those wallets prone to theft, potentially adding up to $1 billion in vulnerable money. Unciphered found the flaw while attempting to unlock $600,000 worth of crypto locked in a client's wallet. They failed to crack it but in the process discovered a flaw in a piece of open-source code called BitcoinJS that left a wide swath of other wallets potentially open to be hacked. The coder who built that flaw into BitcoinJS? None other than Stefan Thomas, the owner of that same $250 million in bitcoin locked on a thumb drive.

_Updated, 12/19/23, 3:10 pm EST: Earlier this month, Reuters temporarily removed the article, "How an Indian startup hacked the world” from its website, pursuant to a preliminary court order issued in New Delhi, India. Reuters said it stands by its reporting and that it plans to appeal the court's decision, which is based on a pending lawsuit. In light of Reuters's actions, WIRED has temporarily removed the link and description of the story in this security roundup._

Cybersecurity Industry Baffled by FBI’s Lack of Action on Ransomware Gang

Plus: Apple tightens anti-theft protections, Chinese hackers penetrate US critical infrastructure, and the long-running rumor of eavesdropping phones crystallizes into more than an urban legend.

A hacker group calling itself Solntsepek, previously linked to the infamous Russian military hacking unit Sandworm, took credit this week for a disruptive attack on the Ukrainian internet and mobile service provider Kyivstar. As Russia’s kinetic war against Ukraine has dragged on, inflicting what the World Bank estimates to be around $410 billion in recovery costs for Ukraine, the country has launched an official crowdfunding platform known as United24 as a means of raising awareness and rebuilding.

Kytch, the small company that aimed to fix McDonald’s notably often-broken ice cream machines, claims it has discovered a “smoking gun” email from the CEO of McDonald’s ice cream machine manufacturer that Kytch's lawyers say suggests an alleged plan to undermine Kytch as a potential competitor. Kytch argues in a recent court filing that the email reveals the real reason why, a couple of weeks later, McDonald’s sent an email to thousands of its restaurant franchisees claiming safety hazards related to Kytch’s ice-cream-machine-whispering device.

WIRED looked at how Microsoft’s Digital Crime Unit has refined a strategy over the past decade that combines intelligence and technical capabilities from Microsoft’s massive infrastructure with creative legal tactics to disrupt both global cybercrime and state-backed actors. And we dove into the controversy over reauthorization of Section 702 surveillance powers in the US Congress.

And there's more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

Geofence warrants, which require tech companies to cough up data on everyone in a certain geographic area at a certain time, have become an incredibly powerful tool for law enforcement. Sending a geofence warrant to Google, in particular, has come to be seen as almost an “easy button” among police investigators, given that Google has long stored location data on users in the cloud, where it can be demanded to help police identify suspects based on the timing and location of a crime alone—a practice that has appalled privacy advocates and other critics who say it violates the Fourth Amendment. Now, Google has made technical changes to rein in that surveillance power.

The company announced this week that it would store location history only on users' phones, delete it by default after three months, and, if the user does choose to store it in a cloud account, keep it encrypted so that even Google can't decrypt it. The move has been broadly cheered by the privacy and civil liberties crowds as a long-overdue protection for users. It will also strip law enforcement of a tool it had come to increasingly rely on. Geofence warrants were sent to Google, for instance, to obtain data on more than 5,000 devices present at the storming of the US Capitol on January 6, 2021, but they have also been used to solve far smaller crimes, including nonviolent ones. So much for the “easy button.”

In a different sort of technical move to tighten users' data protections, Apple has added new security features designed to make it harder for thieves to exploit users' sensitive data and accounts. _The Wall Street Journal_ had previously reported on how thieves who merely learned someone's passcode—say, by looking over their shoulder—and then stole their phone could access their online accounts and even make payments to drain their bank balances. Apple has now created a Stolen Device Protection feature that, when enabled, will require you to use a biometric feature like TouchID or FaceID to access certain accounts and phone features, in addition to the passcode that unlocks the phone. For the most sensitive features, like changing passwords or passcodes or turning off Find My, Apple will also force you to wait an hour and authenticate again if the phone isn't in a location the user typically frequents.

The group of Chinese hackers known as Volt Typhoon has rung alarm bells across the cybersecurity industry all year with news of its intrusions targeting power grids and other critical infrastructure in the Pacific region and the US. A new report from _The Washington Post_ offers fresh details of the disturbing mix of networks that the group has breached, including a water utility in Hawaii, an oil and gas pipeline, and a major West Coast port. The hackers haven't actually caused any disruptions, nor have they penetrated the industrial control system side of their targets' networks—the sensitive systems capable of triggering physical effects. But in combination with previous reports of Volt Typhoon's work to plant malware inside electric utilities in the continental US and Guam, the report paints a picture of China's escalating moves to prepare the groundwork for disruption in the event of a crisis, such as an invasion of Taiwan.

The notion that your iPhone or Amazon Echo is quietly listening to your conversations has long been one of the most paranoid suspicions of all technology users—bolstered, of course, by the targeted ads that are often so accurate that they seem to be pulled directly from verbal conversations. This week, that suspicion finally became more than an urban legend when 404 Media reported on an advertising company actively claiming that it can eavesdrop on conversations via those kinds of devices. The company, Cox Media Group, (CMG) brags in its marketing materials that it's already offering the technique to clients and “the ROI is already impressive.” It lists Amazon, Microsoft, and Google as alleged customers. But 404 Media couldn't verify if the technique works as advertised—an enormous “if”—and CMG didn't respond to 404 Media's request for comment.

Google Just Denied Cops a Key Surveillance Tool

Kytch, the company that tried to fix McDonald’s broken ice cream machines, has unearthed a 3-year-old email it says proves claims of an alleged plot to undermine their business.

A little over three years have passed since McDonald's sent out an email to thousands of its restaurant owners around the world that abruptly cut short the future of a three-person startup called Kytch—and with it, perhaps one of McDonald's best chances for fixing its famously out-of-order ice cream machines.

Until then, Kytch had been selling McDonald's restaurant owners a popular internet-connected gadget designed to attach to their notoriously fragile and often broken soft-serve McFlurry dispensers, manufactured by McDonalds equipment partner Taylor. The Kytch device would essentially hack into the ice cream machine's internals, monitor its operations, and send diagnostic data over the internet to an owner or manager to help keep it running. But despite Kytch's efforts to solve the Golden Arches’ intractable ice cream problems, a McDonald’s email in November 2020 warned its franchisees not to use Kytch, stating that it represented a safety hazard for staff. Kytch says its sales dried up practically overnight.

Now, after years of litigation, the ice-cream-hacking entrepreneurs have unearthed evidence that they say shows that Taylor, the soft-serve machine maker, helped engineer McDonald's Kytch-killing email—kneecapping the startup not because of any safety concern, but in a coordinated effort to undermine a potential competitor. And Taylor's alleged order, as Kytch now describes it, came all the way from the top.

Secret codes. Legal threats. Betrayal. How one couple built a device to fix McDonald’s notoriously broken soft-serve machines—and how the fast-food giant froze them out.

On Wednesday, Kytch filed a newly unredacted motion for summary adjudication in its lawsuit against Taylor for alleged trade libel, tortious interference, and other claims. The new motion, which replaces a redacted version from August, refers to internal emails Taylor released in the discovery phase of the lawsuit, which were quietly unsealed over the summer. The motion focuses in particular on one email from Timothy FitzGerald, the CEO of Taylor parent company Middleby, that appears to suggest that either Middleby or McDonald's send a communication to McDonald's franchise owners to dissuade them from using Kytch's device.

“Not sure if there is anything we can do to slow up the franchise community on the other solution,” FitzGerald wrote on October 17, 2020. “Not sure what communication from either McD or Midd can or will go out.”

In their legal filing, the Kytch cofounders, of course, interpret “the other solution” to mean their product. In fact, FitzGerald's message was sent in an email thread that included Middleby's then COO, David Brewer, who had wondered earlier whether Middleby could instead acquire Kytch. Another Middleby executive responded to FitzGerald on October 17 to write that Taylor and McDonald’s had already met the previous day to discuss sending out a message to franchisees about McDonald’s lack of support for Kytch.

But Jeremy O'Sullivan, a Kytch cofounder, claims—and Kytch argues in its legal motion—that FitzGerald’s email nonetheless proves Taylor's intent to hamstring a potential competitor. “It's the smoking gun,” O'Sullivan says of the email. “He's plotting our demise.”

Although FitzGerald's email doesn't actually order anyone to act against Kytch, the company’s motion argues that Taylor played a key role in what happened next. It's an “ambiguous yet direct message to his underlings,” argues Melissa Nelson, Kytch's other cofounder. “It's just like a mafia boss giving coded instructions to his team to whack someone."

On November 2, 2020, a little over two weeks after FitzGerald's open-ended suggestion that perhaps a “communication” from McDonald's or Middleby to franchisees could “slow up” adoption of “the other solution,” McDonald's sent out its email blast cautioning restaurant owners not to use Kytch's product.

The email stated that the Kytch gadget “allows complete access to all aspects of the equipment’s controller and confidential data”—meaning Taylor’s and McDonald’s data, not the restaurant owners’ data; that it “creates a potential very serious safety risk for the crew or technician attempting to clean or repair the machine"; and finally, that it could cause “serious human injury.” The email concluded with a warning in italics and bold: “McDonald’s strongly recommends that you remove the Kytch device from all machines and discontinue use.”

Kytch has long argued that McDonald’s safety warning was bogus: In its legal complaint, it noted that its devices received certification from Underwriters Laboratory, an independent product safety nonprofit, including meeting its safety standards. It also countered in the complaint any claim that a Kytch device's remote connection to an ice cream machine could result in the machine turning on while a person's hand was inside—in fact, Taylor's own manual advises unplugging the machine before servicing it, and removing the door of the machine to access its rotating barrels automatically disables its motor.

Kytch's legal motion now argues that FitzGerald's email reveals that the McDonald's warning to restaurant owners was never really about safety, so much as protecting its equipment partner from a startup that might represent competition. The CEO's email “essentially put into place their plan to defame us," Nelson says.

She and O’Sullivan also argue that the internal email directly contradicts FitzGerald’s public statements that Middleby hadn’t sought to kill Kytch. “We’re not in business to put other companies out of business,” FitzGerald told _The New York Times_ early last year.

When WIRED reached out to Middleby, Taylor’s parent company, for comment, a spokesperson responded in a statement disputing Kytch’s interpretation of its internal emails. “McDonald’s decided to issue the November 2020 field brief on its own accord, not at Middleby or Taylor’s direction,” the statement reads. “Taylor stood, and continues to stand, by the accuracy of statements made in the field brief.” The spokesperson also notes that Taylor won an early ruling in the lawsuit against Kytch’s request for a preliminary injunction—which would have prevented Taylor from developing a device that Kytch claims was copied from its product—and promises an upcoming filing responding to Kytch’s argument, which court documents say will happen in early 2024.

At the time of McDonald's warning email to franchisees about Kytch, Taylor was developing its own internet-connected ice cream machine, what it referred to as Taylor Shake/Sundae Connectivity, which McDonald's recommended in the same email. But, even now, more than two years after it was promised for delivery, that device has yet to arrive in restaurants—and the publicly documented ice cream headaches at McDonald’s appear to have continued. According to the website McBroken, which tracks ice cream machine downtime at McDonald's restaurants across the US, between 13 percent and 17 percent of McDonald's restaurants have had broken ice cream machines at any given time just this month. That percentage has recently been as high as 35 percent in New York City and 28 percent in Washington, DC.

Taylor declined to comment on any upcoming internet-connected ice cream machine model. But that long-touted solution to the problem has still not been made available to franchisees, according to one McDonald's restaurant owner who goes by the handle McFranchisee (and previously used the handle McD Truth) on X. But McFranchisee says that Taylor has integrated those new features into its next model, which is expected to be available in four to six months. (McFranchisee has also criticized Kytch, claiming that the startup's failure was due to its own reliability problems and an increase in its prices, not a Taylor or McDonald's conspiracy against them.)

Despite the email from Middleby's CEO that Kytch claims suggests dissuading franchisees from using Kytch's product, Kytch argues that other documents released in the lawsuit’s discovery phase show McDonald's itself was also eager to stymie Kytch from the beginning. In February 2020, Taylor president Jeremy Dobrowolski wrote in another email that “McDonald's is all hot and heavy about” Kytch's growing use in restaurants. Before the company sent out its November 2 email warning franchisees about Kytch, Taylor and McDonald’s executives had a meeting to discuss the message, and a McDonald's exec also sent a draft to Taylor for its approval. A Taylor executive wrote to others within the ice cream machine company, “I am a bit in shock they are willing to take such a strong position.”

When WIRED reached out to McDonald’s for comment on Kytch’s new argument about the “smoking gun” email from Taylor’s CEO, a spokesperson responded with a statement: “McDonald’s won’t speculate about the intent behind this email discussion that we weren't a part of. The intent of our Nov. 2020 communication was to bring awareness to potential safety concerns regarding the unapproved Kytch device.”

In addition to its lawsuit against Taylor, Kytch is still pursuing a bigger lawsuit against McDonald's itself, asking for $900 million in damages for what it describes in its legal complaint as McDonald’s effort to “drive Kytch out of the marketplace.” That lawsuit against McDonald's, if it moves forward, may soon produce more answers explaining Kytch’s legal claims that McDonald's appears to have cooperated with Taylor in telling its customers not to use Kytch—even as many of its restaurants took a significant hit from lost ice cream sales.

In the meantime, Kytch says it plans, if necessary, to take the lawsuit against Taylor to a jury trial, currently set for May. “The conspiracy described in Kytch's complaint involved folks at the highest levels of leadership, not just at Taylor but also at Middleby and at McDonald’s,” says Daniel Watkins, Kytch's attorney. “We’re really looking forward to the opportunity to present it to an open trial.”

McDonald’s Ice Cream Machine Hackers Say They Found the ‘Smoking Gun’ That Killed Their Startup

Ten years in, Microsoft’s DCU has honed its strategy of using both unique legal tactics and the company’s technical reach to disrupt global cybercrime and state-backed actors.

Governments and the tech industry around the world have been scrambling in recent years to curb the rise of online scamming and cybercrime. Yet even with progress on digital defenses, enforcement, and deterrence, the ransomware attacks, business email compromises, and malware infections keep on coming. Over the past decade, Microsoft's Digital Crimes Unit (DCU) has forged its own strategies, both technical and legal, to investigate scams, take down criminal infrastructure, and block malicious traffic.

The DCU is fueled, of course, by Microsoft's massive scale and the visibility across the internet that comes from the reach of Windows. But DCU team members repeatedly told WIRED that their work is motivated by very personal goals of protecting victims rather than a broad policy agenda or corporate mandate.

In just its latest action, the DCU announced Wednesday evening efforts to disrupt a cybercrime group that Microsoft calls Storm-1152. A middleman in the criminal ecosystem, Storm-1152 sells software services and tools like identity verification bypass mechanisms to other cybercriminals. The group has grown into the number one creator and vendor of fake Microsoft accounts—creating roughly 750 million scam accounts that the actor has sold for millions of dollars.

The DCU used legal techniques it has honed over many years related to protecting intellectual property to move against Storm-1152. The team obtained a court order from the Southern District of New York on December 7 to seize some of the criminal group’s digital infrastructure in the US and take down websites including the services 1stCAPTCHA, AnyCAPTCHA, and NoneCAPTCHA, as well as a site that sold fake Outlook accounts called Hotmailbox.me.

The strategy reflects the DCU’s evolution. A group with the name “Digital Crimes Unit” has existed at Microsoft since 2008, but the team in its current form took shape in 2013 when the old DCU merged with a Microsoft team known as the Intellectual Property Crimes Unit.

“Things have become a lot more complex,” says Peter Anaman, a DCU principal investigator. “Traditionally you would find one or two people working together. Now, when you’re looking at an attack, there are multiple players. But if we can break it down and understand the different layers that are involved it will help us be more impactful.”

The DCU’s hybrid technical and legal approach to chipping away at cybercrime is still unusual, but as the cybercriminal ecosystem has evolved—alongside its overlaps with state-backed hacking campaigns—the idea of employing creative legal strategies in cyberspace has become more mainstream. In recent years, for example, Meta-owned WhatsApp and Apple both took on the notorious spyware maker NSO Group with lawsuits.

Still, the DCU's particular progression was the result of Microsoft's unique dominance during the rise of the consumer internet. As the group's mission came into focus while dealing with threats from the late 2000s and early 2010s—like the widespread Conficker worm—the DCU's unorthodox and aggressive approach drew criticism at times for its fallout and potential impacts on legitimate businesses and websites.

“There's simply no other company that takes such a direct approach to taking on scammers,” WIRED wrote in a story about the DCU from October 2014. “That makes Microsoft rather effective, but also a little bit scary, observers say.”

Richard Boscovich, the DCU’s assistant general counsel and a former assistant US attorney in Florida’s Southern District, told WIRED in 2014 that it was frustrating for people within Microsoft to see malware like Conficker rampage across the web and feel like the company could improve the defenses of its products, but not do anything to directly deal with the actors behind the crimes. That dilemma spurred the DCU’s innovations and continues to do so.

“What’s impacting people? That’s what we get asked to take on, and we’ve developed a muscle to change and to take on new types of crime,” says Zoe Krumm, the DCU’s director of analytics. In the mid-2000s, Krumm says, Brad Smith, now Microsoft’s vice chair and president, was a driving force in turning the company’s attention toward the threat of email spam.

“The DCU has always been a bit of an incubation team. I remember all of a sudden, it was like, ‘We have to do something about spam.’ Brad comes to the team and he’s like, ‘OK, guys, let’s put together a strategy.’ I’ll never forget that it was just, ‘Now we’re going to focus here.’ And that has continued, whether it be moving into the malware space, whether it be tech support fraud, online child exploitation, business email compromise.”

As the group has matured and expanded into all of these areas, Boscovich says, a “preoccupation with exposure to liability and risk” is another element of the work that keeps him up at night.

“You want to help, and you want to do all these things, but no good deed goes unpunished sometimes,” he says. “Sometimes, we would try to help someone—and to help them you kind of shut their computer down—and even though you’re trying to help them, their small business goes down. So how do you manage that? That’s always been the hardest part of my job. The legal creativity is cool, but how do I make sure that it’s acceptable risk and that we research everything so there’s no collateral damage?”

The legal strategies the group has focused on developing evolve as digital threats evolve. In 2016, the DCU began taking the approach of establishing a court “special master” when working on disruptions related to state-sponsored hacking. This judge-appointed official is a direct point of contact for ongoing cases and even remains active for years after a case has been officially closed, enabling the DCU to get court approval for infrastructure takedowns and other actions without having to file for new court orders.

“It allows us to stay on top of these threats and get an order within minutes,” Boscovich says. “We can accelerate the process of litigation almost to the speed of cyber.”

He also points out the challenge of taking action against threat actors given the professionalization of the cybercriminal ecosystem in recent years. Crime groups now operate as syndicates with different departments working on different aspects of carrying out crimes while also contracting with third parties for services they don't develop in-house.

“There’s a legal problem: How do you get a bunch of people doing separate activities into one complaint or one charge? They don’t always even know each other,” Boscovich says. To address this situation, the group worked on legal strategies under the US Racketeer Influenced and Corrupt Organizations Act (RICO), which is designed to focus on criminal organizations rather than individual criminal acts.

“These are the guys who developed the malware, brokered the malware, operate the malware, so we can put them all into one legal filing to bring them together,” he says. “Now that has become part of our legal game plan as well.”

As cybercriminal and state-backed hacking has continued to escalate, the DCU has expanded its collaborations with law enforcement and used its techniques during an ever-changing array of global crises. In 2016, for example, the group carried out its first disruption of a state actor, conducting takedowns related to Russia’s APT 28, known as Fancy Bear. The attackers had been using Microsoft-like domains in their notorious phishing rampages and disinformation campaigns related to that year’s US elections. In 2018, the group shared findings with the Delhi police about the actors behind 10 criminal call centers in India who were scamming victims in the US, Canada, the Netherlands, and Australia. The information-sharing resulted in 63 arrests. In 2020, the DCU seized domains used in pandemic-related cybercrime and also conducted takedowns against the notorious Trickbot ransomware group ahead of the 2020 US elections.

“We tend to think about it from the victim protection perspective,” says Amy Hogan-Burney, who oversees the DCU as Microsoft's general manager and associate general counsel of cybersecurity policy and protection. “I leave deterrence generally to governments, but what I always focus on is victim protection. That can be narrow, meaning a Microsoft customer or type of Microsoft customer, or it can be really broad—anyone who is using the internet who may be impacted by cybercrime.”

Microsoft’s Digital Crime Unit Goes Deep on How It Disrupts Cybercrime

A hacker group calling itself Solntsepek—previously linked to Russia’s notorious Sandworm hackers—says it carried out a disruptive breach of Kyivstar, a major Ukrainian mobile and internet provider.

Over nearly a decade, the hacker group within Russia's GRU military intelligence agency known as Sandworm has launched some of the most disruptive cyberattacks in history against Ukraine's power grids, financial system, media, and government agencies. Signs now point to that same usual suspect being responsible for sabotaging a major mobile provider for the country, cutting off communications for millions and even temporarily sabotaging the air raid warning system in the capital of Kyiv.

On Tuesday, a cyberattack hit Kyivstar, one of Ukraine's largest mobile and internet providers. The details of how that attack was carried out remain far from clear. But it “resulted in essential services of the company’s technology network being blocked,” according to a statement posted by Ukraine’s Computer Emergency Response Team, or CERT-UA.

Kyivstar's CEO, Oleksandr Komarov, told Ukrainian national television on Tuesday, according to Reuters, that the hacking incident “significantly damaged \[Kyivstar's\] infrastructure \[and\] limited access.”

“We could not counter it at the virtual level, so we shut down Kyivstar physically to limit the enemy's access,” he continued. “War is also happening in cyberspace. Unfortunately, we have been hit as a result of this war.”

The Ukrainian government hasn't yet publicly attributed the cyberattack to any known hacker group—nor have any cybersecurity companies or researchers. But on Tuesday, a Ukrainian official within its SSSCIP computer security agency, which oversees CERT-UA, pointed out in a message to reporters that a group known as Solntsepek had claimed credit for the attack in a Telegram post, and noted that the group has been linked to the notorious Sandworm unit of Russia's GRU.

“We, the Solntsepek hackers, take full responsibility for the cyber attack on Kyivstar. We destroyed 10 computers, more than 4 thousand servers, all cloud storage and backup systems,” reads the message in Russian, addressed to Ukrainian president Volodymyr Zelenskyy and posted to the group's Telegram account. The message also includes screenshots that appear to show access to Kyivstar's network, though this could not be verified. “We attacked Kyivstar because the company provides communications to the Ukrainian Armed Forces, as well as government agencies and law enforcement agencies of Ukraine. The rest of the offices helping the Armed Forces of Ukraine, get ready!”

Solntsepek has previously been used as a front for the hacker group Sandworm, the Moscow-based Unit 74455 of Russia's GRU, says John Hultquist, the head of threat intelligence at Google-owned cybersecurity firm Mandiant and a longtime tracker of the group. He declined, however, to say which of Solntsepek’s network intrusions have been linked to Sandworm in the past, suggesting that some of those intrusions may not yet be public. “It's a group that has claimed credit for incidents we know were carried out by Sandworm,” Hultquist says, adding that Solntsepek's Telegram post bolsters his previous suspicions that Sandworm was responsible. "Given their consistent focus on this type of activity, it's hard to be surprised that another major disruption is linked to them.”

If Solntsepek is a front for Sandworm, it would be far from the first. Over its years of targeting Ukrainian infrastructure, the GRU unit has used a wide variety of covers, hiding behind false flags such as independent hacktivist groups and cybercriminal ransomware gangs. It even attempted to frame North Korea for its attack on the 2018 Winter Olympics.

Today, Kyivstar countered some of Solntsepek's claims in a post on X, writing that “we assure you that the rumors about the destruction of our ‘computers and servers’ are simply fake.” The company had also written on the platform that it hoped to restore its network's operations by Wednesday, adding that it's working with the Ukrainian government and law enforcement agencies to investigate the attack. Kyivstar's parent company, Veon, headquartered in Amsterdam, didn't respond to WIRED's request for more information.

While the fog of war continues to obscure the exact scale of the Kyivstar incident, it already appears to be one of the most disruptive cyberattacks to have hit Ukraine since Russia's full-scale invasion began in February 2022. In the year that followed, Russia launched more data-destroying wiper attacks on Ukrainian networks than have been seen anywhere else in the world in the history of computing, though most have had far smaller effects than the Kyivstar intrusion. Other major Russian cyberattacks to hit Ukraine over the past 20 months include a cyberattack that crippled thousands of Viasat satellite modems across the country and other parts of Europe, now believed to have been carried out by the GRU. Another incident of cybersabotage, which Mandiant attributes to Sandworm specifically, caused a blackout in a Ukrainian city just as it was being hit by missile strikes, potentially hampering defensive efforts.

It's not yet clear if the Kyivstar attack—if it was indeed carried out by a Russian state-sponsored hacker group—was merely intended to sow chaos and confusion among the company's customers, or if it had a more specific tactical intention, such as disguising intelligence-gathering within Kyivstar's network, hampering Ukrainian military communications, or silencing its alerts to civilians about air raids.

“Telecoms offer intelligence opportunities, but they're also very effective targets for disruption," says Mandiant's Hultquist. “You can cause significant disruption to people's lives. And you can even have military impacts.”

Source

Wired