X’s Trust and Safety team says it’s working to remove false information related to the Israel-Hamas war. Meanwhile, Elon Musk is sharing conspiracies and chatting with QAnon promoters.

yesterday night, what’s left of the Trust and Safety team at X (formerly Twitter) announced the measures it was taking to try and curb the virulent spread of disinformation around the Israel-Hamas war on its platform.

The statement, issued three days after the conflict began, reads: “As the events continue to unfold rapidly, a cross-company leadership group has assessed this moment as a crisis requiring the highest level of response.”

One person who does not appear to be part of this crisis team is X owner Elon Musk.

Instead of tackling the dangerous disinformation problem on his platform, Musk instead spent yeterday night into this morning continuing to spread disinformation about the conflict, conversing with a known QAnon promoter, boosting anti-Muslim conspiracy theories, and laughing at a video detailing how transphobic content on X can get you new followers.

Musk also promoted a new feature that allows X Premium subscribers to see only replies from other people willing to pay $8 a month, which Musk said would “help a lot with spam bots” on the platform—an issue Musk previously claimed he had already all but eradicated.

“​​If successful, X will evolve to be the collective consciousness of humanity or, more accurately, the human-machine collective,” Musk posted in reply to a follower who said he was doing a great job running the company.

Meanwhile, disinformation about the conflict in the Middle East continues to rage on the platform, driven primarily by verified accounts.

Yesterday evening, X’s Trust and Safety team, which is currently leaderless after Ella Irwin resigned in June, wrote on X that it had “removed newly created Hamas-affiliated accounts” and was working with the Global Internet Forum to Counter Terrorism (GIFCT), an industry body that helps coordinate content moderation across social media platforms, to “try and prevent terrorist content from being distributed online.”

The Safety team’s statement also lauded the user-generated Community Notes system and said new accounts were being enrolled to address the flood of disinformation on the platform. The Safety team also revealed that it had removed “several hundreds accounts for attempting to manipulate trending topics.”

Since Musk took control of the platform just under a year ago, he has restructured it to encourage engagement over everything else. As a result, accounts that subscribe to X Premium now have a monetary incentive to post content that is engaging regardless of how truthful it is. This was highlighted clearly on yesterday night when, at the same time as the Safety team posted its update, a new viral piece of disinformation was spreading unchecked on X.

Sulaiman Ahmed, a self-described investigative journalist, posted the false claim that the Church of Saint Porphyrius in Gaza City, one of the oldest churches in the world, was destroyed by an Israeli bomb. The post received over 1 million views in the span of three hours.

Ahmed is a subscriber to X Premium, which means his posts are given priority in search results and newsfeeds over other users, and he also allows followers to subscribe to his content directly through X, allowing him to profit from increased engagement with his content.

Yesterday evening, the church posted an update on Facebook dismissing the claim, adding that it was taking in refugees left homeless following Israel’s bombing campaign in retaliation to the Hamas attack that began on Saturday morning.

Despite the church’s rebuttal—and Ahmed himself subsequently admitting that the church was untouched—the disinformation spread far and wide on X. WIRED conducted a search for the “Saint Porphyrius Orthodox Church” on X this morning and found that Ahmed’s original false post was the third result. Multiple other posts from verified users all repeating the lie were also promoted at the top of the results, none of which had Community Notes attached to them.

Eliot Higgins, founder of investigative journalist outlet Bellingcat, pointed out that the false information was being shared by a wide variety of accounts, all of which had one thing in common: a subscription to X Premium.

“If Musk hadn't made it so hard to research disinformation on his website, this case would be a good way to show the growing overlap of the pro-Assad, the pro-Putin, and the US alt-right griftospheres,” Higgins wrote on X, adding: “Musk hasn't given the voiceless a voice, he's just dragged us all down into the swamp, and the only people who truly benefit are shameless grifters.”

Elon Musk Is Personally Undermining X’s Efforts to Curb Israel-Hamas War Disinformation

Google is making passkeys, the emerging passwordless login technology, the default option for users as it moves to make passwords “obsolete.”

Less than six months ago, Google announced that it was launching support for the password replacement known as “passkeys” for all personal accounts across its billions of users. Today, the company said it is going a step further and will make passkeys the default login setting for users.

When you log in to your Google account, you’ll get a prompt to create a passkey and start using it for login instead of relying on your Gmail address and password. Google will be turning on the “skip password when possible” option in account settings, which is essentially the passkey green light. Users who don't want to kill their password just yet will still be able to turn that setting off so they don't receive the prompts.

Password-based authentication is so ubiquitous in digital systems that it isn't easy to replace. But passwords have inherent security problems because they can be guessed and stolen. And since it's so difficult to keep track of dozens or hundreds of passwords, users often reuse the same passwords on multiple accounts, making it easier for attackers to unlock all of those accounts in one fell swoop. Passkeys are specifically designed to address these issues and dramatically reduce the risk of phishing attacks by instead relying on a scheme that manages cryptographic keys stored on your devices for account authentication.

Google didn't share statistics on passkey adoption so far, saying instead in a blog post that “people have used passkeys on their favorite apps like YouTube, Search and Maps, and we’re encouraged by the results.” The company points out that passkey support is expanding across other apps and services. Apple and Microsoft both support passkeys. And companies like Uber and eBay recently launched passkeys, and they're coming to WhatsApp soon.

“Passwordless is something we set out to achieve 10-plus years ago, and we’re thrilled to not only see us already on the next step of the journey with passkeys by offering them by default, but also to see the great feedback from users who have made the switch,” Christiaan Brand, identity and security group product manager at Google, tells WIRED.

There's so much inertia on passwords around the world that even a player as big and influential as Google can't force the issue overnight. But the company is clearly using its influence to steer users with gentle pressure that seems likely to continue mounting as passkeys gain broader momentum.

“We’ll keep you updated on where else you can start using passkeys across other online accounts,” the company wrote today. “In the meantime, we’ll continue encouraging the industry to make the pivot to passkeys—making passwords a rarity, and eventually obsolete.”

Google Makes Passkeys Default, Stepping Up Its Push to Kill Passwords

Hacktivism is increasingly a feature of modern kinetic warfare. It’s playing out with particular ferocity in the conflict between Israel and Hamas.

After an attack on Israel by Hamas on Saturday, Israel declared war and fighting escalated throughout the weekend. As the death toll mounts on both sides and the Israeli Defense Force (IDF) prepares an offensive, hacktivists in the region and around the world have joined the fight.

Within hours of Hamas militants and rockets entering Israel, such “hacktivist” attacks started to spring up against both Israeli and Palestinian websites and applications. In the short period since the conflict escalated, hackers have targeted dozens of government websites and media outlets with defacements and DDoS attacks, attempts to overload targets with junk traffic and bring them down. Some groups claim to have stolen data, attacked internet service providers, and hacked the Israeli missile alert service known as Red Alert.

“I saw at least 60 websites get DDoS attacks,” says Will Thomas, a cyber threat intelligence researcher at cybersecurity firm Equinix who has been following the online activity. “Half of those are Israeli government sites. I've seen at least five sites be defaced to show ‘Free Palestine’–related messages.”

Most prominently seen in the war between Russia and Ukraine, it is increasingly common for both ideologically motivated hackers and cybercriminals to remotely join the chaos on either side of an escalating conflict by attacking government systems or other institutions.

Alex Leslie, a threat intelligence analyst at the security firm Recorded Future, says that he and his colleagues have identified three subsets of activity within the digital pandamonium of the Israel-Hamas war so far. The majority of the digital attacks seem to stem from preexisting groups or a broader context of similar activity adjacent to other conflicts. “The scope is international, but rather limited to preexisting ideological blocs within hacktivism,” Leslie says.

The subgroups that Recorded Future has identified so far are “self-proclaimed ‘Islamic’ hacktivists that claim to support Palestine. These groups have historically targeted India and have been around for years” Leslie says. “Pro-Russian hacktivists that are pivoting to target Israel, likely with the intent of sowing chaos and spreading Russian state narratives. And groups that are ‘new,’ in that they were launched within the last \[days\] and have limited activities prior to this weekend.”

Since Russia’s 2022 invasion of Ukraine, some prominent hacktivist groups backing Russian interests have emerged, including gangs known as “Anonymous Sudan” and “Killnet,” both of which appeared to wade into the conflict between Hamas and Israel this weekend. Some groups have also been active in reaction to India’s support of Israel, both in favor of and against this support.

Hackers from the group known as AnonGhost, who are seemingly conducting pro-Palestinian campaigns, have been launching DDoS attacks and attempting to target infrastructure and application programming interfaces (APIs). The group claimed the alleged attack on the Israeli Red Alert missile warning platform. Researchers from the threat intelligence firm Group-IB said on Monday that the hackers exploited bugs in Red Alert’s systems to intercept data, send spam messages to some users, and possibly even send fake missile strike warnings. The app’s developers did not return a request from WIRED for comment. The Red Alert app has been targeted by hacktivists in the past, and Hamas itself has previously been accused of circulating malicious imposter versions of Israeli missile alert apps.

Meanwhile, the hacktivist group ThreatSec, which says it has “attacked Israel” previously, claimed it targeted Alfanet, an internet service provider based in the Gaza Strip. In a post on Telegram, the group claimed to have taken control of servers belonging to the company and impacted its TV station systems.

Doug Madory, director of internet analysis at monitoring firm Kentik, says that Alfanet was inaccessible for around 10 hours on Saturday, October 7—before the hacktivists posted their claim. The ISP’s systems have since been back online and communicating with the wider world. “Some of their services could still be broken,” Madory says, pointing to an Alfanet TV website and a web portal that were inaccessible on Sunday evening.

In response to a request for comment from WIRED via Facebook Messenger, Alfanet shared a statement in Arabic saying that communications were cut off due to “the complete destruction” of its headquarters. “Crews are working with all their might to restore service after the bombing of the headquarters and the main tower, despite the difficult and dangerous circumstances,” the message says via machine translation. The company did not comment on the role of a cyberattack, if any, in the outage.

Internet connectivity in Gaza has also been broadly disrupted by electricity outages as Israel implements what Defense Minister Yoav Gallant called a “complete siege” on Monday, cutting off the region’s electricity and supply lines for water, food, and fuel.

Amid the chaos of any erupting kinetic war, hacktivism often fuels disinformation, misinformation, and panic. This can lead to unintended consequences. For some digital actors, unpredictability itself is the goal.

“The Indian cyber force actually claimed to DDoS hamas.ps and webmail.gov.ps,” Equinix’s Thomas says. Meanwhile, "there's one group called the Cyber Avengers who are claiming to steal documents from Israel's national electricity authority. They claimed they stole documents from Israel's Dorad power plant. \[But\] they are actually known for making up stuff and creating sort of fake infrastructure and screenshotting.”

Victoria Kivilevich, director of threat research at the Israeli cybersecurity firm Kela, says that while hacktivist activity may add to the turmoil, she doesn’t expect that it will significantly impact warfare on the ground.

“We can expect to see more groups and DDoS attacks because of the severity of the conflict and general evolution of hacktivist groups, however, so far we don't expect any significant impact on the overall threat landscape.”

Last week, the International Committee of the Red Cross put forth rules of engagement for “civilian hackers” wading into a conflict. The eight directives, which are based on international human rights law, came primarily in the context of Russia’s war on Ukraine, but they are relevant globally. They emphasize minimizing threats to civilians’ safety and ban cyberattacks on health care facilities. They also ban use of computer worms and require that actors “comply with these rules even if the enemy does not.”

In response to the release, some hacktivist groups active on both sides of Russia’s war in Ukraine said they would attempt to follow the rules when possible, but others said it wasn’t feasible or rejected the premise entirely. In its efforts to gather grassroots support, Ukraine has encouraged a sort of legitimized version of hacktivism by establishing a volunteer “IT Army” for its war effort against Russia. All of this has created a nuanced and unpredictable element in the digital component of kinetic wars.

“What we saw in Ukraine with hacktivism has set a precedent moving forward,” Recorded Future’s Leslie says. “We believe that many of these groups are motivated by attention. That’s why we see so many groups that probably shouldn’t be active in this conflict for geopolitical reasons jumping into the fray. They want people to know that they’re active and capable of reacting to any event—even if the intentions are disingenuous. Hacktivism is intertwined with information and influence operations, and it is here to stay.”

The Israel-Hamas War Erupts in Digital Chaos

People who have turned to X for breaking news about the Israel-Hamas conflict are being hit with old videos, fake photos, and video game footage at a level researchers have never seen.

In the wake of Hamas’ deadly attacks on Israel this weekend—and the Israeli military’s response—journalists, researchers, open source intelligence (OSINT) experts, and fact-checkers rushed to verify the deluge of raw video footage and images being shared online by people on the ground. But users of X (formerly Twitter) seeking information on the conflict faced a flood of disinformation.

While all major world events are now accompanied almost instantly by a deluge of disinformation aimed at controlling the narrative, the scale and speed at which disinformation was being seeded about the Israel-Hamas conflict is unprecedented—particularly on X.

“For many reasons, this is the hardest time I’ve ever had covering a crisis on here,” Justin Peden, an OSINT researcher from Alabama known online as the Intel Crab, posted on X. “Credible links are now photos. On the ground news outlets struggle to reach audiences without an expensive blue check mark. Xenophobic goons are boosted by the platform’s CEO. End times, folks.”

When Peden covered the escalation in Gaza in 2021, the sources he was seeing in his feed were from people on the ground or credible news agencies. This weekend, he says, verified content or primary sources were virtually impossible to find on X.

“It’s getting incredibly hard to find people that actually live in Palestine or in southern Israel,” Peden tells WIRED. “It’s been incredibly hard to find their preliminary information and share their videos and photos. You have this perfect storm where on the ground, preliminary sources are not being amplified, especially those that maybe don’t speak English, which is a large majority of users in that area.”

Boosted by the algorithm that promotes users willing to pay X $8 a month for a premium subscription, posts from those with a blue checkmark shot to the top of news feeds for people seeking information about the conflict.

Rather than being shown verified and fact-checked information, X users were presented with video game footage passed off as footage of a Hamas attack and images of firework celebrations in Algeria presented as Israeli strikes on Hamas. There were faked pictures of soccer superstar Ronaldo holding the Palestinian flag, while a three-year-old video from the Syrian civil war repurposed to look like it was taken this weekend.

As a result, Peden says that he and his fellow OSINT researchers have to spend their time debunking years-old content rather than verifying and sharing real footage from the conflict.

Many of these videos and images racked up hundreds of thousands of views and engagements. While some later featured a note from X’s decimated community fact-checking system, many more remained untouched. And as Elon Musk has repeatedly done in recent incidents, the platform’s CEO made the situation much worse.

“For following the war in real-time, @WarMonitors & @sentdefender are good,” Musk wrote in a post to his 150 million followers on Sunday morning. Both the accounts Musk referenced are well-known spreaders of disinformation. For example, both accounts spread the lie that there had been an explosion near the White House in May, a story that made the US stock market briefly plummet before it was debunked.

Many users also pointed out that the @WarMonitors account had a history of posting antisemitic comments on X. Last year, the account replied to a post from Ye (formerly Kanye West) thanking the rapper and adding: “The overwhelming majority of people in the media and banks are zi0nists” while telling another X user in June to “go worship a jew lil bro.”

Musk deleted his recommendation soon after posting it, but not before it was viewed over 11 million times. Later on Sunday, Musk wrote: “As always, please try to stay as close to the truth as possible, even for stuff you don’t like.”

Experts believe that the proliferation of disinformation on X around the Israel-Hamas conflict this weekend is largely the result of changes Musk has made to the platform over the past year, including his decision to fire most of the people responsible for tackling disinformation.

“Elon Musk’s changes to the platform work entirely to the benefit of terrorists and war propagandists,” Emerson Brooking, a researcher at the Atlantic Council Digital Forensics Research Lab, tells WIRED. “Changes in profit and incentive structure mean that there’s a lot more tendency for people to share at high volume information which may not be true because they are trying to maximize view counts. Anyone can buy one of those little blue checks and change their profile picture to something that’s seemingly a media outlet. It takes quite a bit of work to vet who’s telling the truth and who’s not.”

X, which eliminated its entire PR team last year, responded to WIRED’s request for comment on the proliferation of disinformation on its platform with the automated message: “Busy now, please check back later.”

Peden says the Twitter algorithm has been designed to boost content that gets the most engagement, which incentivizes bad actors to share disinformation.

“The videos and images that you’re seeing of air strikes, they’re very prolific,” Peden says. “They’re very hard-hitting, and unfortunately that means engagement does incredibly, incredibly well. These images are horrible and dramatic, and they perform well. So there is an incentive by others, especially those trying to push a narrative to share an old video from years ago, just because people love looking at the stuff.”

In an echo of what happened when Russia invaded Ukraine in 2022, much of the primary footage emerging from the Israel-Hamas conflict over the weekend was posted first on the encrypted message platform Telegram. From there, it was taken and reshared on other platforms, but in most cases the footage was not fact-checked first or it was taken out of context to suit the narrative being pushed by the poster.

“There’s an immense amount of primary content that was first posted in Telegram groups in one form or another, but there’s essentially no way to vet that information. Then that primary information hits others platforms, notably Twitter, where there’s an immense battle of spin and narrative taking place,” Brooking says. “You have artisans on every side, as well as sympathizers from one group or another, who are also joining this \[battle\].”

The situation is so bad on X right now that even seasoned OSINT researchers are being duped by fake accounts, including one that shared a false claim about Israeli prime minister Benjamin Netanyahu being hospitalized over the weekend.

“Any sort of ground truth, which was always hard to get on Twitter, is now entirely out of reach,” Brooking says.

The Israel-Hamas War Is Drowning X in Disinformation

The same chaotic day FTX declared bankruptcy, someone began stealing hundreds of millions of dollars from its coffers. A WIRED investigation reveals the company’s “very crazy night” trying to stop them.

By the evening of November 11 of last year, FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world's top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company's CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.

FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company's cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.

“Holy shit,” one former FTX staffer, who asked not to be named because they weren't authorized to speak about internal company matters, remembers thinking. “After all this, we’re being hacked?”

According to its own accounting, FTX would ultimately lose between $415 million and $432 million worth of its cryptocurrency holdings to those unidentified thieves, numbers it has publicly confirmed as part of its bankruptcy process. What FTX hasn't previously revealed is how close it may have come to losing vastly more—how its staff and outside consultants raced to move more than $1 billion worth of crypto to more secure storage before it could be stolen by the malevolent presence on its network—even, at one point, scrambling to send close to half a billion dollars to a physical USB drive in one consultant's office in an effort to keep it out of the thieves' hands.

“Invitation: Urgent”

As the trial of FTX's disgraced founder Sam Bankman-Fried enters its second week, many in the cryptocurrency community are closely watching courtroom events for any hint of how the exchange was so catastrophically looted, just hours after it left his control. The question of who carried out that theft—and whether the thieves were FTX insiders or external hackers—looms largest of all. That mystery remains unsolved, and neither Bankman-Fried nor other top FTX executives have been charged with that theft.

But now, WIRED can reveal the events of FTX’s panicky night working to limit the damage from that theft—and to prevent what might otherwise have been a 10-figure heist. The new FTX leadership under Ray, its new CEO, declined to be interviewed about the incident. But WIRED learned the hour-by-hour details of the crisis response from a detailed invoice submitted by the restructuring firm Alvarez & Marsall for its work on FTX's bankruptcy case, interviews with individuals who participated in the immediate response to the theft, and blockchain analysis provided by the cryptocurrency tracing firm Elliptic.

That response started around 10 pm on the evening of November 11, when Zach Dexter, the chief executive of FTX subsidiary LedgerX, sent a Google Meet invite to a group of more than 20 of FTX’s remaining staff, bankruptcy lawyers, advisers, and consultants. The invitation’s one-word subject line: “urgent.”

A handful of staffers quickly joined that Google Meet video call, which would eventually grow to dozens of participants over the next 12 hours. They could all see FTX wallets being drained in real time on Etherscan. But almost no one on the call had any idea where exactly FTX stored its cryptocurrency or how it managed the secret keys that controlled those wallets. That knowledge was held only by a small group of FTX elite—Bankman-Fried and his inner circle. Bankman-Fried never appeared in the meeting, according to sources who were present, but Gary Wang, the FTX cofounder and CTO, did join the call.

By this point Wang was distrusted by many people close to Ray, sources say. In the midst of FTX’s meltdown, Wang had initially sided with Bankman-Fried and had only distanced himself from the former CEO after days of persuasion from others within the company.

Wang didn't win over any of his critics in the emergency meeting when he initially suggested the ongoing theft could be halted by simply changing the secret keys that protected the wallets that were being emptied. That seemed pointless, the former FTX staffer remembers thinking, given that whoever had gained access to the network could simply grab the new keys and continue their heist. “The fox is in the hen house, and you’re going to change the keys to the hen house?” the former staffer remembers thinking. Wang, who has since pleaded guilty to the same criminal charges Bankman-Fried now faces, did not respond to a request for comment sent to his attorney

Just as the Google Meet call started, however, LedgerX’s Dexter had started exploring a different approach to protecting FTX’s funds. The week before the theft, digital asset trust company BitGo had been negotiating with Sullivan & Cromwell, the law firm overseeing FTX’s bankruptcy process, to take custody of the firm’s remaining cryptocurrency holdings. So Dexter now called BitGo to try to circumvent the long legal contract process Sullivan & Cromwell had begun with the company. Instead, Dexter asked BitGo to immediately create “cold storage” wallets—wallets that would be kept securely offline—that FTX could move all its remaining funds into as a safe haven. Dexter did not respond to a request for comment.

BitGo said it could have the wallets ready in around half an hour. FTX staffers worried that this would still be too slow. The thieves could potentially take hundreds of millions of dollars more worth of crypto out of the company’s wallets by then.

Someone on the Google Meet call asked if anyone had a hardware wallet of their own where the money could be stored until BitGo was ready. Kumanan Ramanathan, an adviser to FTX from Alvarez & Marsall, volunteered. He had a Ledger Nano—a USB drive hardware wallet—in his office that he offered to set up as a temporary refuge for the vulnerable money.

Ramanathan set up a new wallet on his Ledger Nano at around 10:30 pm ET on November 11. The former FTX staffer remembers watching him check and double-check the password that he'd created for that wallet. Wang began sending FTX’s funds to it, and soon Ramanathan was holding between $400 and $500 million in the company’s crypto assets on a USB drive.

A Late-Night 911 Call

Minutes later, BitGo told the FTX staffers that its wallets were ready, and they began transferring hundreds of millions more in crypto to BitGo’s cold storage instead of Ramanathan's Ledger device. For the rest of that sleepless night, the staffers hunted for every wallet where FTX’s money was stored and transferred every coin they could find to BitGo. “They were scrubbing various systems trying to find where various private keys were, where assets were held,” says another person involved in the response, granted anonymity because they weren’t authorized to speak about it publicly. “It was just chaos.”

As FTX's staff focused on getting executives to sign off on those transfers of potentially vulnerable funds, Ramanathan was left holding the crypto that Wang had initially transferred to his Ledger wallet. That created the bizarre situation of an individual physically possessing around half a billion dollars worth of FTX's money, which presented its own unique legal and security risks. That night, Ryne Miller, the general counsel for FTX, rushed to Ramanathan's office to help safeguard it. Ryne Miller declined to comment for this story, and Ramanathan didn’t respond to a request for comment.

Ramanathan's record of billable hours shows that he and Miller spent nearly three and half hours in his office, from around 2 am to 5 am, on November 12. At some point, in fact, Ramanathan called the police to report a theft in progress and explain that he was holding a very large amount of the victim's money, requesting that officers come to his office to help protect it. After all, no one knew then—or now—who had stolen the other funds, and if they might try to physically take the stash that Ramanathan held too.

No such physical threat materialized. In fact, the siphoning of funds from FTX had stopped when the money was moved to Ramanathan's Ledger wallet. “He took a huge fucking risk using his personal Ledger,” says the former FTX staffer. “He’s a total boss. It’s my pretty strong feeling that if we hadn’t pulled this Ledger stunt, we would have lost significantly more money.” The money in Ramanathan's office was finally transferred to BitGo by around 5 am on Saturday, November 12. The company would ultimately hold $1.1 billion of the remaining FTX funds.

Later on Saturday, Bankman-Fried and Wang transferred another $400 million plus to accounts under the control of the Bahamas government for safeguarding, as reported by _Forbes_ and recorded in a court filing. At some points, that movement of funds to the Bahamas appears to have been confused with the theft itself. A week after the theft, some media outlets incorrectly reported that the stolen funds had actually been seized by the Bahamian government. As evidence to the contrary, cryptocurrency tracing firms like Elliptic and Chainalysis have observed portions of the actual stolen funds being sent to “mixing” services often used to launder stolen crypto funds such as THORchain and Railgun, behavior typical of thieves who pull off large-scale crypto heists.

Few Safeguards, No Map

In the months since the desperate rescue effort of November 11, FTX’s new regime, which is handling the company’s bankruptcy process, has publicly alleged glaring security failings that made the theft possible.

An April report released as part of FTX’s bankruptcy proceedings listed examples of that alleged neglect: The previous FTX regime had no independent chief information security officer or actual dedicated security team; it kept virtually all its cryptocurrency in hot wallets—wallets on computers connected to the internet—despite employees being instructed to publicly claim that it stored as little as 10 percent in hot wallets; it left keys to those wallets unencrypted or failed to properly set up security systems where multiple keys are needed to unlock funds; and it lacked the logging systems to even know who was moving funds and when, along with many other issues.

The same report describes the impossible situation that the new FTX regime faced on November 11, when, in its first day in charge, it discovered it had inherited a deeply compromised network. “Due to the FTX Group’s deficient controls to secure crypto assets, the Debtors faced the threat that billions of dollars of additional assets could be lost at any moment,” the report reads, using the term “debtors” to describe the new FTX administration led by Ray. “As the Debtors worked to identify and access crypto assets with no ‘map’ to guide them, the Debtors had to engineer technological pathways to transfer many types of assets they identified to cold storage.”

Given that apparently shambolic security and disorganization, it’s perhaps not a surprise that FTX became the target of one of the costliest crypto heists in history. But if not for a few quick decisions in the midst of that chaos, it now appears that it could have been far worse.

“It was a very, very crazy night,” the former FTX staffer says. “We worked on it, we got it done, and we saved a massive amount of customers’ money.”

Inside FTX’s All-Night Race to Stop a $1 Billion Crypto Heist

Hundreds dead, thousands wounded—Hamas’ surprise attack on Israel shows the limits of even the most advanced and invasive surveillance dragnets as full-scale war erupts.

The Gaza Strip is one of the most densely populated areas on the planet. It’s also one of the most heavily locked down, surveilled, and suppressed. Israel has evolved an entire intelligence apparatus and aggressive digital espionage industry around advancing its geopolitical interests, particularly its interminable conflict in the Gaza Strip and the West Bank. Yet on Saturday, Hamas militants caught Israel unaware with a series of devastating land, air, and sea attacks, killing hundreds of people and leaving thousands wounded. Israel has now declared war.

Hamas’ surprise attack on Saturday is shocking given not only its scale compared to previous attacks, but also the fact that it was planned and carried out without Israel’s knowledge. Hamas’ deadly barrage underscores the limitations of even the most intrusive surveillance dragnets. In fact, experts say the sheer quantity of intelligence that Israel collects on Hamas, as well as the group’s constant activity and organizing, may have played a role in obscuring plans for this particular attack amid the endless barrage of potentially credible threats.

“There's no doubt that the scale and scope of this Hamas attack indicate just a colossal intelligence failure on behalf of the IDF \[Israel Defense Forces\] and in Shin Bet, the internal security agency,” says Raphael Marcus, a visiting research fellow at King’s College London’s Department of War Studies who focuses on the region. “They have such technical prowess and also a legacy of excellent human source capability.”

Israel is known for heavily monitoring Gaza and anyone who could be connected to Hamas using both traditional intelligence-gathering techniques and digital surveillance like facial recognition and spyware. Israel has proved its hacking skills and technical sophistication on the global stage for years, participating in the development of innovative malware for both digital espionage and cyber-physical attacks. The fact that Hamas was able to plan such an unprecedented and complex attack speaks to the limitations and inevitable blind spots of even the most comprehensive surveillance regime.

Jake Williams, a former US National Security Agency hacker and current faculty member at the Institute for Applied Network Security, emphasizes that when you have a firehose of intelligence streaming in from an array of sources, and when the climate is as fraught as that between Israel and Palestine, the challenge is organizing and parsing the information, not gathering it.

“Intelligence in an environment like Israel isn't finding a needle in a haystack—it's finding the needle that will hurt you in a pile of needles,” Williams says. “Given the number of Hamas members involved in the invasion, it's not plausible to me that Israel missed every human intelligence reflection of the planning. But I feel confident that there are always Hamas operatives talking about credible plans to attack the IDF. So Israel can't respond with force to every threat, even every credible one. They'd be at a heightened state of alert or actively engaged all the time, and that's probably actually worse for security.”

Though details of exactly how the attack happened are still emerging, it seems that oversights related to grappling with this signal-and-noise conundrum played a role.

“In retrospect, there was some information, but, like happens in all intelligence failures, it wasn't given sufficient consideration. It was misunderstood,” says Chuck Freilich, a former Israeli deputy national security adviser. “I think in the last days, from my understanding, there were some warning signs. And actually, the intelligence establishment had been warning for the past about half-year that there was going to be a significant conflict with Hamas, that they were bent on escalating the situation. But then they misread the signs.”

Colin Clarke, the director of research at the Soufan Group, an intelligence and security consultancy, says the Hamas attack would have “required months of preparation” and intelligence failures likely happened with both human intelligence and signals intelligence, where electronic and communications data is collected. “I’m still astonished that a breakdown in intelligence occurred at this level,” Clarke says. “I don’t think anybody, including the Israelis, were prepared for an operation this complex and multi-pronged.”

Crucial intelligence oversights could have happened as the result of numerous intersecting failures, says King’s College London’s Marcus. The Israeli intelligence apparatus may have misunderstood Hamas’s intentions, misread the context of crucial leads, been distracted by Israel’s political efforts with Saudi Arabia, or been grappling with domestic challenges. Israeli forces have complained, for example, of a brain drain from the IDF as individuals get pulled toward the private sector.

“I think that this wasn't just a military failure—I think that this was a dramatic failure of national leadership,” says Freilich, who authored _Israel and the Cyber Threat: How the Startup Nation Became a Global Cyber Power_. The ambush calls to mind the outbreak of fighting during Ramadan in October 1973 in which an Arab bloc targeted Israel with a surprise attack on the Jewish holy day Yom Kippur to set off nearly 20 days of fighting.

Palestinians in occupied territories, including the West Bank and Gaza Strip, have faced surveillance and controls for years, with many calling the conditions an apartheid. In September 2021, Israeli forces announced the completion of a 40-mile-long barrier around the Gaza Strip—the sliver of land between Israel, Egypt, and the Mediterranean Sea—that is essentially a “smart wall” equipped with radar, cameras, underground sensors, and an array of other surveillance instruments.

“Palestinians are subjected to multi-layered surveillance,” says Mona Shtaya, a non-resident fellow at the Tahrir Institute for Middle East Policy. “Various surveillance technologies are employed against Palestinians, including drones, mobile bugs (spyware) that have previously been uncovered as being injected into electronic devices prior to entry into the Gaza Strip.”

Shtaya adds that CCTV cameras are placed at entrances to the Gaza Strip, and that there is “continuous” online surveillance of people in the occupied areas. “It would not be an exaggeration to say that Palestinians are under surveillance in nearly every facet of their lives,” she says.

Such persistent surveillance can make people change their behaviors and limits freedom of expression and speech. “We can observe this phenomenon when people communicate with their families over phone calls or when they post content online, as they may alter certain keywords,” Shtaya says.

As Hamas attacked Israel on Saturday, videos emerged of a brute force approach: a bulldozer breaking through portions of the fence as hundreds of militants stormed into Israel using motorbikes, boats, and apparently paragliders. _Haaretz_ reported on Sunday that Hamas was able to gain so much ground because of IDF logistics issues in addition to intelligence failings.

While Israel’s technology industry has helped create many surveillance capabilities and pushed the global industry forward, Hamas, which is sanctioned as a terrorist organization in the US, also uses some digital tools in its operations. The group has leaned heavily on distributing its propaganda through radio and TV to legitimize its rule in Gaza, while it utilizes social media to a lesser extent, according to a review by the Center for Strategic and International Studies earlier this year. Still, Hamas has used fake Facebook accounts to lure Israeli soldiers into downloading data-stealing apps, and has distributed fake dating apps that are really spyware. In 2019, Israeli forces bombed a building they claimed housed a Hamas hacking group.

Multiple sources tell WIRED that they suspect Iran was involved in helping Hamas carry out its assault on Saturday, given the sophistication and intricacy of the attack. Iran has long-standing ties to Hamas, and its officials have praised the recent attacks.

As the conflict ramps up into full-scale war, there is significant concern about the number of civilians impacted, with Amnesty International saying it is “deeply alarmed” by the civilian deaths in Israel, Gaza, and the West Bank. The Hamas assault has killed at least 700 and injured more than 2,000 Israelis on Saturday, according to the latest available figures. Video footage and reports shared online depict Hamas gunmen killing civilians, leaving bloody bodies scattered through the streets, and taking dozens of hostages. In response, Israel is launching large-scale airstrikes against Hamas targets in Gaza, while working to retake militant-controlled areas and preparing for offensive actions, including a possible ground invasion of Gaza. At least 370 Palestinians in Gaza have been killed and more than 2,000 wounded so far.

Israel Defense Forces say women and children have been taken hostage. Israel has also cut power to Gaza and internet monitoring firms say there has been a decrease in connectivity. As the fog of surveillance gives way to the fog of war, the current situation in Israel serves as an important illustration that unrelenting surveillance does not equate to or guarantee security.

_Additional reporting by_ _Morgan Meaker_

Israel's Failure to Stop the Hamas Attack Shows the Danger of Too Much Surveillance

Plus: Sony confirms a breach of its networks, US federal agents get caught illegally using phone location data, and more.

Does the public have a right to see gruesome photos of animal test subjects taken by a public university?

That question underpins an ongoing court battle between UC Davis and the Physicians Committee for Responsible Medicine, an animal welfare group, which is fighting for the release of photos of dead monkeys used in tests of Elon Musk–owned Neuralink’s brain-chip implants. A WIRED investigation this week revealed the extent to which Neuralink and UC Davis have gone to keep images of the tests secret.

Also this week, an investigation by the Markup, copublished with WIRED, analyzed crime predictions by Geolitica (formerly PredPol) in Plainfield, New Jersey, and found that they accurately predicted crime less than 1 percent of the time. As WIRED previously reported, Geolitica is shutting down at the end of this year and being sold for parts to SoundThinking, maker of the gunshot-detection system ShotSpotter.

Earlier this year, the data-extortion gang Clop exploited a vulnerability in the widely used file-transfer service MOVEit, racking up victims around the globe including major corporations and US government agencies. The full number of victim organizations continues to climb into the thousands, with more than 3.4 million people’s data potentially stolen, making it the biggest hack of 2023.

If you own an inexpensive Android TV streaming box, you may want to toss it into the sea—or recycle it responsibly. New research found that at least eight cheap streaming boxes contained a backdoor that connects the devices with servers in China and is used to commit fraud and other cybercrime. Researchers also found dozens of Android, iOS, and TV box apps that were used for fraudulent behavior. While at least some of the apps have been removed from the app stores, more than 120,000 Android devices and 150,000 iOS devices were impacted.

Speaking of phone security, we detailed how to know when your device will stop getting security updates and how to keep Google from using your data in its generative AI tool, Bard. Finally, we profiled the team at a UK-based nonprofit that’s helping women fight back against digital domestic violence.

That’s not all. Each week we round up the security and privacy news that we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.

When WIRED first reported that Apple had sent a letter responding to demands from an anti-child-exploitation group called Heat Initiative, we had one big question: What the hell is Heat Initiative? An investigation by the Intercept now provides some clues.

According to the Intercept, the group is funded by “dark-money donors” linked to billionaire Democrats. Sarah Gardner, who leads the group, refused to comment on Heat Initiative’s funding and said she disagrees with Apple’s “privacy-absolutist” approach. The group, which had virtually no online presence when Apple sent that letter, is now waging a high-profile campaign to force the company to do more to scan for child sexual abuse material (CSAM) on users’ devices and iCloud storage, which would likely mean weakening encryption.

After Apple scrapped plans to scan images on users’ devices for CSAM amid widespread backlash, the company focused instead on tools known as Community Safety features for reporting CSAM. It also rolled out encrypted iCloud options. The company says it cannot meet Heat Initiative demands without compromising user privacy and security.

Sony Interactive Entertainment confirmed this week that it is the latest victim of the aforementioned MOVEit breach. The company says it has informed some 6,800 people, including past and current employees, about the breach, which may have exposed Social Security numbers and personal information. Data-extortion gang Clop has claimed responsibility for the breach, which Sony says it detected on June 2. Sony says it is working with cybersecurity experts and law enforcement as part of its investigation into the intrusion.

Agents working for the US Customs and Border Protection, Immigration and Customs Enforcement, and the US Secret Service broke the law by purchasing commercially available phone location data, according to a new report from the US Department of Homeland Security’s inspector general. Privacy and civil liberty advocates have long argued that the purchase of such data, known in the US government as commercial telemetry data (CTD), circumvents Fourth Amendment protections against unreasonable searches and seizures because agents don’t need to obtain a warrant to buy the information. But the inspector general report says the data was illegally accessed because agents failed to conduct a mandated privacy impact assessment before buying CTD.

The US Department of Justice this week unsealed indictments against eight Chinese firms and 12 of their employees, accusing them of producing and distributing chemicals needed for the production of fentanyl, a deadly opioid, in the United States. The employees and companies were also sanctioned by the US Treasury Department, cutting them off from US financial institutions. According to the DOJ, the companies “tend to use cryptocurrency transactions to conceal their identities and the location and movement of their funds.”

“We have identified and blocked over a dozen virtual currency wallets associated with these actors,” Treasury deputy secretary Wally Adeyemo said during a press conference on October 3. “The blocked wallets, which received millions of USD funds over hundreds of deposits, illustrate the scope and scale of the operation targeted today.”

Apple's Encryption Is Under Attack by a Mysterious Group

A “friendlier” front for racist extremism has spread rapidly across the US in recent months, as active club channels network on Telegram's encrypted messaging app.

On Monday evening, Gabrielle Hanson, a pro-MAGA mayoral candidate in Tennessee, walked through the parking lot of Franklin City Hall, on her way to debate her opponent, incumbent Ken Moore, in what was meant to be little more than a typical campaign stop in the small city of Franklin just south of Nashville.

What made this scene so different was the fact that Hanson was flanked by members of the Tennessee Active Club, an openly neo-Nazi hate group. One of the men escorting Hanson into the building was Sean Kauffmann, the reported leader of the group whom the Southern Poverty Law Center says has been part of the white supremacist movement for years, and was photographed giving a Nazi salute at a Black Lives Matter rally.

The group stood outside the building as the event took place, and they told a local reporter that they were there to provide security for Hanson, claiming that “credible threats” had been made against her. The Franklin Police Department tells WIRED that they have no information about threats against Hanson. Instead, the police department is investigating death threats made against local journalists by Kauffmann’s group in their Telegram channel just hours after the campaign event ended.

The threats, which included anti-Semitic slurs and references to white supremacist literature, featured the image of one reporter’s home after one follower asked: “Who is this person? Where can I find them so I can beat the shit out of them?”

Active clubs are a decentralized network of groups that have recently become the new, so-called friendlier face of the white supremacist movement, by promoting physical fitness and brotherhood while hiding their true nature. The movement has experienced explosive growth in recent months. For researchers who have been tracking the rise of this movement, the use of Telegram to disseminate threats like those in Franklin highlights the crucial role the encrypted messaging app has played in helping these groups recruit, organize, and spread hate speech to a huge following.

“The way that active clubs go about their organizing is resonating with folks on Telegram, where there is a ready-made audience of people who have already written off politics, and they have come to a point in their lives where they think white genocide is real, and they see the active club, in their minds, out there doing something about it,” Jeff Tischauser, senior researcher with the Southern Poverty Law Center, tells WIRED. “I see Telegram as a leading pipeline into the creation of active clubs, because that's just where a lot of the rhetoric and the content and the propaganda of active clubs exist.”

****Got a Tip?****

**Are you a current or former member of an active club? We’d like to hear from you. Using a nonwork phone or computer, contact David Gilbert at** **david.gilbert@wired.com****.**

“You Better Run”

The first threat made by the Tennessee Active Club’s Telegram channel was aimed at Phil Williams, chief investigative reporter for NewsChannel 5 WTVF, who has written extensively about Hanson’s campaign in recent months—including reports on Hanson’s prior arrest for promoting prostitution. (She says she took a plea deal.) Williams has also exposed the hypocrisy of Hanson and her campaign. As an alderman, Hanson attempted to block a permit for a Pride festival in Franklin; Williams reported that she supported her husband’s participation in the 2008 Chicago Pride parade while wearing a pair of Speedos.

After Williams posted pictures of the Tennessee Active Club at the candidate forum on Monday night, the group’s Telegram channel shared a post calling Williams a “lying sack of shit for the international jew media” before warning that the “Day of the Rope is real and it’s approaching quicker than they can prepare for.”

The post concluded: “You better run … run … run.”

“Day of the Rope” is a reference taken from the 1978 white supremacist book, _The Turner Diaries._ The concept in recent years has become shorthand for attacks on journalists, politicians, and others who oppose the white supremacist revolution.

Williams did not respond to WIRED’s request for comment on the threats but did address them on X (formerly Twitter) on Tuesday evening. “This is a story that is important to this community. I will not be deterred from continuing to do my job,” Williams wrote, adding: “Truth will prevail!”

The group also threatened Holly McCall, the editor of the Tennessee Lookout, a nonprofit outlet covering local government, after she posted a comment on X mocking the appearance of some members of the Tennessee Active Club present on Monday night.

The group responded on Telegram writing, “That’s our cyber division Holly.” In a comment under the group’s post, a follower wrote: “Who is this person? Where can I find them so I can beat the shit out of them? So they know I am in fact active and lurking.”

The group then posted a picture of McCall’s house taken from what appears to be her husband’s Facebook account. WIRED confirmed that the picture was McCall’s home.

McCall declined WIRED’s request to comment on the threats. In a post on X on Tuesday evening, she wrote: “I hadn't planned to publicly comment, but yup, I'm the Holly these guys want to beat the shit out of.”

At least some of these threats were flagged to the Franklin Police Department. Milissa Reierson, communications manager for the city of Franklin, told WIRED she cannot comment on specific investigations, but she said they are “monitoring the events from \[Monday\] night,” adding that the city “takes any threat seriously.”

Hanson, an extreme right-wing candidate who spread conspiracy theories about the Covenant School shooting in Nashville in March, did not respond to WIRED’s request for comment. She claimed in a Facebook post that she did not hire or ask the Tennessee Active Club to provide protection for her, adding: “I am not, nor have I ever been associated with any white supremacy or Nazi-affiliated group.”

However, within minutes of posting this statement on Facebook, her Instagram account shared a screenshot taken directly from the Tennessee Active Club Telegram channel. The post makes baseless claims that her opponent was a member of antifa, the loose-knit network of anti-fascist activists, even though he’s a lifelong Republican politician in his 70s. The Telegram posts also said, “You don’t want us showing up” and “remember there is no political solution.”

Hanson is also the listed realtor of the Lewis Country Store, a gas station on the outskirts of Nashville owned by self-described “literal Nazi” Brad Lewis, where the members of the Tennessee Active Club train together with other white supremacist groups.

“A Prepackaged Brand”

Active clubs emerged in late 2020. They’re the brainchild of Robert Rundo, an American white supremacist who is alleged to have cofounded the Rise Above Movement, a combat-ready group with ties to street fighting gangs. Rundo was extradited to the US earlier this year after being arrested in Romania on anti-riot act charges related to violent clashes with anti-fascist protesters in Los Angeles in 2017. (Rundo was charged with the same crime in 2017, but the charges were dismissed before being reinvestigated.)

Rundo was inspired by similar groups he observed while in Europe, and he views the active club movement as part of a “White Supremacy 3.0” strategy, which attempts to move away from the overtly violent and Nazi-infused movements of the past to present a friendlier public face of white supremacy.

Emphasizing physical fitness among active club members, Rundo has stated that his aim is to create a stand-by militia of trained and capable right-wing extremists who can be activated when the need for coordinated violent action on a larger scale arises.

“I definitely do believe that in the future there needs to be a mass movement, a mass organization, but when it comes for that, do you really want a bunch of guys coming strictly from the online world to come join a mass movement without having any experience or skills?” Rundo said in a video posted online just weeks before he was arrested in March. “Active clubs are a great local way to start guys off as they come from the online world into the real world, to learn actual skills.”

While initial takeup of the active club idea was relatively slow, there has been explosive growth in the movement’s numbers this year, research shows. In April 2023, a report from the Accelerationism Research Consortium, a group of researchers, academics, and journalists who track the spread of accelerationism, found that there were 30 active clubs operating in 17 different states. By August, research conducted by Alexander Ritzmann for the Counter Extremism Project (CEP), a nonprofit that tracks extremist groups, found that there were 46 clubs operating in 34 different states—a 50 percent increase in the number of clubs and a 100 percent increase in the geographical spread in the space of just five months.

Because the network is decentralized, with each local group operating relatively independently, it allows anyone who wants to start an active club to do so very quickly. And Telegram is playing a central role in that explosive growth.

"A couple of guys who are motivated by racial animus or anti-Semitic hatred, they can go on Telegram, message a leader or an administrator of an active club channel, and the administrator will help this new group create the branding,” Tischauser says. “It’s basically a template that anybody can access if they have that political ideology. It's like a prepackaged brand that anybody could access.”

Spreading Hate

The number of members who partake in real-world activities with active clubs—everything from mixed martial arts training to handing out flyers and harassing LGBTQ events— is small, with each cell having on average between five and 25 members. But the number of people following these groups on Telegram is many times larger. Some of the groups have thousands of followers, and almost all typically have hundreds of followers.

A number of those followers will be researchers, law enforcement officers, and journalists. But there are also a huge number of people who are monitoring these groups because they already have an interest in the ideas being discussed.

“Telegram is the place where the active clubs are the most active. It is an essential component for the circulation not just of their ideology, but of their marketing,” Tischauser says. He points out that all the groups expect members to purchase branded gear from the Will2Rise website, an activewear brand established by Rundo that _Rolling Stone_ described as “the Lululemon for fascists.”

Telegram is also a hugely powerful recruiting tool, giving this movement a platform free of censorship or restrictions to spread its message to a much larger audience than it would have on other mainstream platforms.

“Alt-tech platforms—and Telegram is really one of the biggest examples of this—provide these hate groups with a ready-made audience of people that already subscribe to this very hateful ideology,” Tischauser says.

The vast majority of the Telegram channels identified as belonging to the clubs listed in the CEP report are public, available for everyone to see. The transparency is part of Rundo’s White Supremacy 3.0 strategy where he urges groups to only post positive content about training of the sense of brotherhood that the clubs claim to inspire, while avoiding violent threats and Nazi symbolism. But some groups do not appear to be subscribing to Rundo’s ideals—chief among them, the Tennessee Active Club.

“I don't think they got that memo,” Tischauser says. “They've always been posting Nazi stuff and glorifying Hitler, being very rabidly anti-Semitic. They showed up to at least two cities in Tennessee and they were flying the swastika, while Sean Kauffman, the leader, is seen giving the Heil Hitler hand gesture.”

Telegram tells WIRED that it is investigating the threats made in the Tennessee Active Club channel. “Telegram is a platform that supports the right to peaceful free speech, but calls to violence are explicitly forbidden on our platform,” Remi Vaughn, a spokesperson for the messaging app, wrote in a statement. “Our moderators proactively monitor public parts of the platform and accept user reports in order to remove content that breaches our terms of service.”

For everything we know about the growth and spread of active clubs on Telegram, there is an entire world that is off-limits to journalists and researchers, where members of these clubs coordinate and network in secret. A local anti-fascist activist in Tennessee, who is closely monitoring some of these nonpublic channels and requested anonymity due to threats to their safety from the groups they are tracking, confirmed to WIRED the existence of the secret chats, which they say are used to coordinate actions both locally and nationally.

While active clubs effectively operate independently—a deliberate decision, taken so that the movement can continue even if one group is deactivated—there still appears to be a level of national coordination happening, even while Rundo is in custody awaiting trial. This coordination was seen in August 2023 when a white nationalist fight club event took place in Southern California featuring members from multiple active clubs across the United States, including the Tennessee club, as well as members of other hate groups like Blood Tribe and Patriot Front.

“There's some national leadership within the active clubs who are talking with each other, maybe it's at the chapter leader level, where they're talking and they're organizing these events and then mobilizing folks to come out, which takes a lot of resources and logistics,” Tischauser says. “So there has to be some kind of structure there.”

Tischauser says he sees little preventing the active club movement from continuing to grow rapidly. He says he has already seen a number of new clubs emerge since the CEP report was published last month—and that’s a real concern because, as Ritzmann bluntly states in his report: “If Active Clubs are allowed to continue to operate and multiply, the likelihood for targeted political violence and terrorism by their members against supposed enemies of the ‘white race’ (e.g., Jews, people of color, Muslims, and LGTBQI+ people) will increase.”

White Supremacist Active Clubs Are Breeding on Telegram

At least a million data points from 23andMe accounts appear to have been exposed on BreachForums. While the scale of the campaign is unknown, 23andMe says it's working to verify the data.

The genetic testing company 23andMe confirmed on Friday that data from a subset of its users has been compromised. The company said its systems were not breached and that attackers gathered the data by guessing the login credentials of a group of users and then scraping more people’s information from a feature known as DNA Relatives. Users opt into sharing their information through DNA Relatives for others to see. 

Hackers posted an initial data sample on the platform BreachForums earlier this week, claiming that it contained 1 million data points exclusively about Ashkenazi Jews. There also seem to be hundreds of thousands of users of Chinese descent impacted by the leak. On Wednesday, the actor began selling what it claims are 23andMe profiles for between $1 and $10 per account, depending on the scale of the purchase. The data includes things like a display name, sex, birth year, and some details about genetic ancestry results, like that someone is, say, of “broadly European” or “broadly Arabian” descent. It may also include some more specific geographic ancestry information. The information does not appear to include actual, raw genetic data.

The company emphasized in a statement that it does not see evidence that its systems have been breached. It also encouraged users to use strong, unique passwords and enable two-factor authentication to keep attackers from compromising their individual accounts using login credentials exposed in other data breaches.

“We were made aware that certain 23andMe customer profile information was compiled through access to individual 23andMe.com accounts,” the company said in a statement. “We believe that the threat actor may have then, in violation of our terms of service, accessed 23andme.com accounts without authorization and obtained information from those accounts.” 

The company has not been clear on whether it has validated the data the threat actor leaked, noting that its investigation is ongoing and that it currently has “preliminary results.” A spokesperson for the company told WIRED that the leaked information is consistent with a situation in which some user accounts were exposed and then leveraged to scrape data visible in DNA Relatives. But when pressed on the details of whether the data has been validated, the spokesperson said that verifying the data is pending and that the company cannot currently confirm whether the leaked information is real.

This point is significant both for everyone whose information may have been compromised and because the data posted by the actor claims to include “celebrities.” Entries for technologists Mark Zuckerberg, Elon Musk, and Sergey Brin are all visible in the sample data, including “Profile ID,” “Account ID,” name, sex, birth year, current location, and fields known as “ydna” and “ndna.” It is unclear if the data for these entries is legitimate or was inserted. For example, Musk and Brin appear to have the same profile and account IDs in the leak.

The technique of using credentials exposed in other data breaches to infiltrate accounts where those logins have been reused is known as “credential stuffing” and is a widely used account compromise technique.

“Credential stuffing never really went away and a lot of it just comes down to the fact that humans reuse their passwords—that's what makes it possible,” says Ronnie Tokazowski, a longtime digital scams researcher. “And the fact that it's claiming to target a Jewish population or celebrities—it’s not shocking. It reflects the underbelly of the internet.”

The full picture of why the data was stolen, how much more the attackers have, and whether it is actually focused entirely on Ashkenazim is still unclear.

“When data is shared relating to ethic, national, political or other groups, sometimes it's because those groups have been specifically targeted, but sometimes it's because the person sharing the data thinks it'll make reputation-boosting headlines,” says Brett Callow, a threat analyst at security firm Emsisoft. 

Callow notes that the situation raises broader questions about keeping sensitive genetic information safe and the risks of making it available in services that are designed like social networks to facilitate sharing. With such platforms come all of the data privacy and security issues that have plagued traditional social networks, including issues related to data centralization and scraping.

“This incident really highlights the risks associated with DNA databases,” Callow says. “The fact that accounts had reportedly opted into the ‘DNA Relatives’ feature is particularly concerning as it could potentially result in extremely sensitive information becoming public.”

_Update 7:00 pm ET, October 6 to note that data from hundreds of thousands of 23andMe users of Chinese descent seems to have also been exposed in the incident._

23andMe User Data Stolen in Targeted Attack on Ashkenazi Jews

Location-enabled tech designed to make our lives easier is often exploited by domestic abusers. Refuge, a UK nonprofit, helps women to leave abusive relationships, secure their devices, and stay safe.

Pick up any piece of tech and Emma Pickering knows how it can be used to abuse, harass, and stalk women. Amazon’s Ring home doorbell cameras can monitor when someone leaves the house and who is visiting them. Until recently, Netflix showed the IP addresses where users were logged in, allowing their location to be tracked. Workout apps and websites such as Strava show where and when people are exercising. And abusers often slip small GPS trackers or audio recorders into women’s belongings or attach them to their cars.

“Perpetrators buy them in bulk, and they’ll buy probably 60 very cheaply; they’re very small and discrete,” says Pickering, who works at Refuge, the UK’s largest domestic abuse organization, where she heads a team that helps women secure their devices. Pickering says that in one case “over 200” recording devices were found in a woman’s home.

Refuge launched its Technology-Facilitated Abuse and Economic Empowerment Team in 2017, amid a surge of abusers weaponizing apps, devices, and online services to harm women. The charity helps women and their children leave abusive relationships, providing emergency accommodation, legal help, financial aid, and more. Almost every case now involves technology in some form, Pickering says, and the issue is so serious that every person the organization places into a refuge goes through a tech assessment to secure their accounts. The tech abuse team, which is made up of 11 people, is the only one of its kind in the UK and just one of a handful of similar organizations around the world.

Technology-facilitated abuse can range from harassment via phone call or text message to logging into someone’s social media and email accounts without their permission, which allows abusers to read, delete or send messages. In more extreme cases, they might install “stalkerware” on victims’ phones to monitor every tap and scroll. Nonconsensual image-sharing, commonly known as “revenge porn,” and economic abuse, where money and banking apps may be controlled by an abuser, are also frequent. In August, a report from MPs in the UK concluded that tech abuse is becoming “increasingly common.”

Pickering says her team primarily focuses on helping people in the more severe cases. “Firstly, we need to establish if it’s safe to speak to them on their device,” she says. If it isn’t, Refuge will send women a burner phone and then set them up with a new email address, using the encrypted email service Proton Mail, before sending them extra information. It’s the start of a meticulous process—known as an “attack assessment” by the team—to secure accounts and devices.

“We go through everything,” Pickering says. Refuge will ask the person they are helping to list every device and online account they and any children have. These can easily number into the hundreds. “Within the home, if they’ve fled the relationship, we also need to check anything they’ve left behind to unsync from any devices or accounts that they could still be using back home.” This will include products like Google Home Hubs, and Amazon’s Ring doorbells and Alexa, and it requires checking who set up the devices and is the administrator of the accounts, as well as which names phone contracts are in. From there, a safety plan is created, Pickering says. This can include going through the accounts and checking settings for who has access to them, removing devices connected to accounts, using secure passwords, and setting up measures such as two-factor authentication. On average, Pickering says, it can take three weeks to get through the entire process, although more complex cases take much longer.

“I don’t think people realize how serious it is, the consequences for perpetrators to have access to this information, to see that there’s evidence in someone’s phone that they’re planning to leave a relationship, read emails about financial settlements, child contact orders—it puts someone at really significant risk,” Pickering says. Even for those in nonabusive relationships, the charity has created a digital breakup tool with cybersecurity firm Avast to detail the process of separating everything from delivery apps to gaming accounts from former partners.

While the technology itself isn’t usually the problem—it’s how abusers use it to harass their victims that creates the issues—Pickering says tech companies don’t put enough thought into how their services can be used maliciously. They also don’t put enough effort into preventing such abuses. They’re not “considering having features built in that can mitigate these risks,” she says.

For instance, Apple launched its small AirTag GPS tracker without many safety features, and dozens of people have subsequently reported being tracked by the devices. (The company has made some improvements and is now working with other tracker manufacturers to make it easier to identify trackers someone has placed on your belongings). One of the biggest issues currently, Pickering says, is satellite navigation systems within cars. “My car, for instance, if I drive it somewhere, it’s connected to an app, and I don’t know how many people are on my app, it doesn’t give me notifications,” she says. There are also boundary settings that can alert a vehicle’s owner if it travels beyond a specific set of locations.

Aside from designing products better, tech companies need to make it easier for people to understand the settings on their phone and digital accounts. “Many people come to us and their confidence around tech is very limited,” Pickering says. “We have to do a lot of work with them initially to make them feel comfortable.”

While tech abuse is rising, Pickering aims to increase understanding around the problem and tackle some of the issues at its roots. “We’ve got a really big ambition to train the police,” she says, adding that officers often don’t know what to look for in cases of tech abuse and may not take issues seriously. The Refuge team has already worked with one tech company, which she says she cannot name due to an NDA, to advise on safety. “Amazon and Google could work with us,” Pickering says. “And we could help make sure that their products are developed with safety in mind.”

_This article first appeared in the November/December 2023 issue of WIRED UK._

Source

Wired